One of the primary hallmarks of an advanced persistent threat (APT) group is its ability to operate undetected for years while carrying out its specific mission.
The newest example is "Aoqin Dragon," a China-based APT actor that researchers at SentinelOne recently discovered has been spying on organizations across multiple countries for the past 10 years. The group's primary mission appears to be cyber espionage, and its targets have included organizations in the government, telecommunications, and education sectors in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
In its analysis of the threat actor's targets, SentinelOne said infrastructure and malware shows the group likely comprises a small Chinese-speaking team with potential links to an adversary that Mandiant has been tracking for some time as UNC94. Aoqin Dragon’s targeting suggests its interests are aligned with those of the Chinese government, though SentinelOne has not been able to confirm that.
In a report last week, SentinelOne said it was able to identify Aoqin Dragon activity going back to at least 2013 and continuing through today. Over that period, the threat actor — like other APT groups — has been constantly refining and tweaking its tactics, techniques, and procedures (TTPs), SentinelOne said.
In the initial stages, Aoqin Dragon relied heavily on exploits targeting a couple of old Microsoft vulnerabilities (CVE-2012-0158 and CVE-2010-3333) to compromise targets. Later, the group began using various document lures to try and infect target systems. Lures included documents with political themes pertaining to the Asia-Pacific region and content with pornographic themes. Individuals who fell for these lures were infected with a backdoor called Mongall, or sometimes with a modified version of Heyoka, a tool based on an open source proof of concept for exfiltrating data from compromised systems via DNS tunneling.
According to SentinelOne, Mongall is not especially feature-rich. Even so, it is effective and can create a remote shell for uploading files from an infected machine to the attacker's command-and-control servers (C2). The malware embeds three C2 servers in its code, making it dangerous, SentinelOne said.
Rarely Used Tactic
Since at least 2018, Aoqin Dragon has been using fake removable devices — in addition to its usual document exploits — as a vector for gaining initial access on target systems. In cyberattacks involving removable devices, SentinelOne observed the threat actor placing a removable disk shortcut file on a compromised system. When clicked, the file initiates a sequence of activity that ends with a malicious loader being placed on the system.
Joey Chen, threat intelligence researcher at SentinelOne, says Aoqin Dragon's use of a removable device for initial access is noteworthy because few actors use the approach these days. Instead of an actual physical removable device — such as an USB or DVD — the threat actors have been trying to lure users into clicking on a malicious removable disk shortcut file forged to look like a normal removable device.
"The USB shortcut file contains a specific path to execute the Evernote Tray Application and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe," Chen says. "The advantage of using a removable device as an initial access vector is that malicious files don't need to land into the victim's host machine."
Mike Parkin, senior technical engineer at Vulcan Cyber, says the use of fake removable devices for initial access can be very effective, but it has never been the most common attack vector.
"There was a time when leaving infected USB thumb drives, DVDs, and CD-ROMs was a common penetration testing technique that mimicked what we saw threat actors doing in the wild," he says. "Downloading and mounting an ISO file is the same idea, only entirely file-based."
For threat actors, removable devices are another tool that they can deploy to infect their targets, Parkin says.
"If the victim can be enticed to download and launch the malware, the attacker has gotten around the need to breach the external defenses," he says. "The victim did it for them."
Several of Aoqin Dragon’s TTPs — such as DLL hijacking and DNS tunneling to evade detection — are similar to those that other threat actors use, says Chen. However, the threat actor's use of removable devices as an initial access vector is somewhat different.
"In addition, the entire spread module and install module of the malware are all written by actors themselves," he says. This has made it harder for typical endpoint protection systems to detect the malware, he notes.
Benjamin Read, director of cyber-espionage analysis at Mandiant Threat Intelligence, describes UNC94 — the group that SentinelOne believes is linked to Aoqin Dragon — as a cluster of suspected Chinese activity that operates with distinct TTPs. "They have been active since at least 2013, and potentially earlier. The group has been observed targeting high-tech, government, and financial institutions," Read says.
Based on the initial reporting from SentinelOne, the activity it tracked under Aoqin Dragon does seem to align with UNC94. "But we don’t currently have enough data to confirm complete overlap," he says.