How threat actor Aoqin Dragon has initiated cyber-espionage for decades
A previously undocumented Chinese-speaking Advanced Persistent Threat (APT) actor named Aoqin Dragon has conducted a series of espionage-oriented attacks against government, education, and telecom organizations in Southeast Asia and Australia.
A threat actor is any individual or group that poses a threat to cybersecurity; they are the key drivers of malicious actions against an organization or company. Aoqin Dragon gains initial access primarily through document exploits or fake removable devices. According to SentinelOne researcher Joey Chen's report, as quoted in The Hacker News, “Other techniques the attacker has been observed using include DLL hijacking, Themida packed files, and DNS tunneling to evade post-compromise detection.”
Aoqin Dragon has evolved its tactics over time, and SentinelLabs' reports describe three distinct infection chains. Between 2012 and 2015, it relied on exploits for Microsoft Office documents. FireEye observed the same tactics in 2014 in a spear-phishing campaign by the Chinese-backed Naikon APT group targeting an APAC government entity and a US think tank.
The second infection method disguises the malicious executables with anti-virus icons so that they pass for legitimate anti-virus software, tricking users into launching them on their devices.
The third infection method, in use from 2018 to the present, uses removable-disk shortcut files; when clicked, the shortcut performs DLL hijacking and loads an encrypted backdoor payload.
Aoqin Dragon's cyber-espionage operations are believed to be aligned with the Chinese government's political interests.