The New Chinese Spying Threat Actor Identified
SentinelLabs, an American cybersecurity company, has reported about a Chinese hacking group Aoqin Dragon, which has managed to conduct successful spying activities against companies in Australia and South Asia for about ten years without being tracked.
Different cybersecurity companies partially encountered the group’s actions in the past, but due to the Aoqin Dragon’s skillful changing of tactics, the gang remained undetected until recently.
It has been revealed that the gang used bait documents with embedded scripts (earlier these were RTF files until the respective vulnerabilities were fixed) thematically united by two main subjects: news and politics of the Asia-Pacific region and porn. This factor allowed SentinelLABS to understand the area of the hacker’s activity, and Chinese hieroglyphs in the malware code gave researchers a hint about the origin of the malefactors.
Although the techniques and practices changed throughout the decade, two things remain unchanged in the Aoqin Dragon tactics: vast usage of fake removable drives shortcuts to initiate the infection downloading via user’s unawareness, spreading to existing removable drives, and installation of backdoors.
The modern implies user clicking on the spoofed removable drive icon whereafter the download of malware, which is the “Evernote Tray Application” DLL-hijacking file begins. As a result, any connected removable disk gets a copy of the malware, and, upon the next system boot, a backdoor starts allowing hackers to go rampant throughout a compromised system.
Two backdoors, Monghall and Heyoka, are the criminals’ regular tools to implement spying malware of different nature and conduct data theft on the compromised systems.
Aoqin Dragon has been identified, but it is nothing close to being seized. Presumably, PRC authorities have no interest in stopping these hackers’ practically making nation-state threat actors out of them, just like Russian special services cooperate with Russia-originating hacker groups. Therefore, it is believed that Aoqin Dragon will go on with its attacks protected by the Chinese government.