Aoqin Dragon: New China Spies Exposed
Chinese hackers quietly spied for a decade
Aoqin Dragon is a cyber espionage group revealed to be Chinese hackers; it has been linked to hacking campaigns targeting Australia and Southeast Asia. According to cyber security analysts, the group has been in operation since 2013. Over its 9 years of existence, it has mostly targeted its victims through fake document exploits attached to removable devices, which help the criminals gain early access to their victims’ network databases.
SentinelLabs has been tracking the Aoqin Dragon dark web hackers and has revealed that the dangerous threat actors’ major targets were government facilities. In addition, the criminals have been linked to hacking campaigns against education and telecommunications institutions that have crippled infrastructure in Southeast Asia and Australia from 2013 through 2022.
The SentinelLabs cyber security team stated that, based on its analytical study of the Aoqin Dragon hacking campaigns targeting important infrastructure, the malware structure through which the threat actors operate provides intermediate proof that confidently links the Chinese-speaking hackers to collaborative backing by UNC94 and other Chinese government entities.
Aoqin Dragon focused its cyber-espionage campaigns mostly on public and private infrastructure in Australia, Singapore, Vietnam, Hong Kong, and Cambodia. The criminals have been able to avoid post-compromise detection in their hacking campaigns through DLL hijacking of Themida-packed files and DNS tunneling.
Aoqin Dragon Infection Chain
According to the overview provided by SentinelLabs, the hackers’ pattern of behavior shows that the group has not changed strategy since it was first discovered in 2013. The current analysis, issued in 2022, shows that its cyber espionage campaign is still ongoing and has kept its focus primarily on countries in the Southeast Asian region and Australia.
Since 2013, the Aoqin Dragon threat actors’ history shows a concentrated effort to infect their victims’ computer databases through pornographic document baits. With each documented lure, the security team observed the hackers’ extensive USB shortcut techniques.
To spread their malware even further, the hackers infect new targets by distributing their virus through one of two backdoors. The extra payload is distributed by Mongall via a modification of the open-source Heyoka project.
So far, SentinelLabs has recorded a definite progression of the infection chain and TTPs associated with Aoqin Dragon campaigns. Its investigative team revealed an infection strategy with three separate components. The first is a Microsoft Word document: the criminal hackers persuade the recipient to click a malicious document that releases the malware backdoor.
Another attack point is tricking victims into clicking phony anti-virus programs that are hacked to execute the malware on computers. The third is a phony removable device linked to a file folder that successfully installs the hackers’ malware on unsuspecting victims’ computers and Android devices.