China-linked APT Flew Under Radar for Decade

Evidence suggests that a just-discovered APT has been active since 2013.

Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.

Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to [an APT called] UNC94,” they reported.

Researchers say one of the tactics and techniques of Aoqin Dragon include using pornographic themed malicious documents as bait to entice victims to download them.

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote.

****Aoqin Dragon’s Evolving Stealth Tactics****

Part of what’s helped Aoqin Dragon stay under the radar for so long is that they’ve evolved. For example, the means the APT used to infect target computers has evolved.

In their first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 and CVE-2010-3333 – which their targets might not have yet patched.

Later, Aoqin Dragon created executable files with desktop icons that made them appear to look like Windows folders or antivirus software. These programs were actually malicious droppers which planted backdoors and then established connections back to the attackers’ command-and-control (C2) servers.

Since 2018, the group has been utilizing a fake removable device as their infection vector. When a user clicks to open what seems to be a removable device folder, they in fact initiate a chain reaction which downloads a backdoor and C2 connection to their machine. Not only that, the malware copies itself to any actual removable devices connected to the host machine, in order to continue its spread beyond the host and, hopefully, into the target’s broader network.

The group has employed other techniques to stay off-the-radar. They’ve used DNS tunneling – manipulating the internet’s domain name system to sneak data past firewalls. One backdoor leverage – known as Mongall – encrypts communication data between host and C2 server. Over time, the researchers said, the APT began slowly working the fake removable disc technique. This was done to ” pgraded the malware to protect it from being detected and removed by security products.”

****Nation-State Links****

Targets have tended to fall in just a few buckets – government, education and telecoms, all in and around Southeast Asia. Researchers assert “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.”

Further evidence of China influence includes a debug log found by researchers that contains simplified Chinese characters.

Most important of all, the researchers highlighted an overlapping attack on the president of Myanmar’s website back in 2014. In that case, police traced the hackers’ command-and-control and mail servers to Beijing. Aoqin Dragon’s two primary backdoors “have overlapping C2 infrastructure,” with that case, “and most of the C2 servers can be attributed to Chinese-speaking users.”

Still, “properly identifying and tracking State and State Sponsored threat actors can be challenging,” Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. “SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”