APT group used pornographic lure to spy on organizations for 10 years

Image by kanawatTH via Freepik

SentinelLabs uncovered Aoqin Dragon, a Chinese-linked advanced persistent threat (APT) primarily targeting organizations in Southeast Asia and Australia since 2013, including government, education and telecommunication organizations.

According to SentinelLabs research, Aoqin Dragon has a history of using document lures with pornographic themes to infect users and uses USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.

SentinelLabs assesses that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Based on an analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, SentinelLabs believes the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).

John Bambenek, Principal Threat Hunter at Netenrich, says, “the Chinese government has always done remarkable work in highly-specific targeting designed to infect their espionage targets. They are spending real effort to do the research to make sure they can discretely infect organizations and operate for extended periods of time without being discovered.”

Throughout the firm’s analysis of Aoqin Dragon campaigns, SentinelLabs observed a clear evolution in their infection chain and TTPs. Researchers divide their infection strategy into three parts.

Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.

To stay under the radar, the threat group has evolved tactics, techniques and procedures (TTPs) several times and will continue to find new methods to evade detection and stay longer in their target network and continue to conduct espionage operations.

For the full report, please visit sentinelone.com.

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.