Home » APT group used pornographic lure to spy on organizations for 10 years

ManagementCyberSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecurityCyber Security News

APT group used pornographic lure to spy on organizations for 10 years

June 13, 2022

Maria Henriquez

SentinelLabs uncovered Aoqin Dragon, a Chinese-linked advanced persistent threat (APT) primarily targeting organizations in Southeast Asia and Australia since 2013, including government, education and telecommunication organizations.

According to SentinelLabs research, Aoqin Dragon has a history of using document lures with pornographic themes to infect users and uses USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.

SentinelLabs assesses that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Based on an analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, SentinelLabs believes the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).

John Bambenek, Principal Threat Hunter at Netenrich, says, “the Chinese government has always done remarkable work in highly-specific targeting designed to infect their espionage targets. They are spending real effort to do the research to make sure they can discretely infect organizations and operate for extended periods of time without being discovered.”

Throughout the firm’s analysis of Aoqin Dragon campaigns, SentinelLabs observed a clear evolution in their infection chain and TTPs. Researchers divide their infection strategy into three parts.

Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.

To stay under the radar, the threat group has evolved tactics, techniques and procedures (TTPs) several times and will continue to find new methods to evade detection and stay longer in their target network and continue to conduct espionage operations.

For the full report, please visit sentinelone.com.

Recent Articles by Maria Henriquez

Tips to bolster cybersecurity, incident response this 4th of July weekend

Women in Security 2022: Theresa Bentch, Garmin International

Women in Security 2022: Nicole Schmitt, Wireless Vision

Women in Security 2022: Laureen Stephens-Rice, US Department of State

Women in Security 2022: Natalie Willis, Nuclear Fuel Services (NFS)

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry.

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

SUBSCRIBE TODAY!

Copyright ©2022. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing