A new advanced persistent threat (APT) actor dubbed Aoqin Dragon, and reportedly based in China, has been linked to a number of hacking attacks against government, education and telecom entities primarily in Southeast Asia and Australia since 2013.
The news comes from threat researchers Sentinel Labs, who published a blog post on Thursday describing the decade-long activity.
“We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam,” wrote Joey Chen, threat intelligence researcher at SentinelOne.
According to Sentinel Labs, Aoqin Dragon relies heavily on document lures to infect users.
“There are three interesting points that we discovered from these decoy documents,” Chen wrote.
“First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets. Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia.”
From a technical standpoint, the malware uses a document exploit, tricking the user into opening a weaponized Word document to install a backdoor. Alternatively, users are lured into double-clicking a fake antivirus program that executes malware on the victim’s host.
The malware also frequently uses USB shortcut techniques to install itself onto external devices and infect more targets. Once in the system, the malware has been observed to operate via two primary backdoors.
“Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project,” Chen explained.
In terms of attribution, Sentinel Labs said they came across several artifacts linking the activity to a Chinese-speaking APT group, including overlapping infrastructure with a hacking attack targeting Myanmar’s presidential website in 2014.
“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests,” Chen said.
“Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented.”
The Sentinel Labs advisory concludes with a further warning to the global cybersecurity community about Aoqin Dragon.
“We’ve observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it’s likely they will also continue to advance their tradecraft, finding new methods of evading detection and staying longer in their target network.”