Aoqin Dragon

Executive Summary

• Aoqin Dragon, a threat actor SentinelLabs has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
• Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
• Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
• Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).

Overview

SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. We track this activity as ‘Aoqin Dragon’.

The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.

Threat Actor Infection Chain

Throughout our analysis of Aoqin Dragon campaigns, we observed a clear evolution in their infection chain and TTPs. We divide their infection strategy into three parts.

1. Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.
2. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
3. Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.

Initial Access via Exploitation of Old and Unpatched Vulnerabilities

During 2012 to 2015, Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets. In 2014, FireEye published a blog detailing related activity using lure documents themed around the disappearance of Malaysia Airlines Flight MH370 to conduct their attacks. Although those vulnerabilities are very old and were patched before being deployed by Aoqin Dragon, this kind of RTF-handling vulnerability decoy was very common in that period.

There are three interesting points that we discovered from these decoy documents. First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets. Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia.

APAC Themed Lure Document

Pornographic-themed Lure Document

Executables Masked With Fake Icons

The threat actor developed executable files masked with document file icons such as Windows folders and Anti-Virus vendor icons, acting as droppers to execute a backdoor and connect to the C2 server. Although executable files with fake file icons have been in use by a variety of actors, it remains an effective tool especially for APT targets. Combined with “interesting” email content and a catchy file name, users can be socially engineered into clicking on the file.

Executable dropper with different fake security product icons

Typically, a script containing a rar command is embedded in the executable dropper with different fake security product icons. Based on the script contained in the executable, we can identify the main target type of document formats they were trying to find, such as Microsoft Word documents.

rar.exe a -apC -r -ed -tk -m5 -dh -tl -hpThis0nePiece -ta20180704 C:\DOCUME~1\ALLUSE~1\DRM\Media\B9CC6F75.ldf C:\*.doc C:\*.DOCX

Moreover, the dropper employs a worm infection strategy using a removable device to carry the malware into the target’s host and facilitate a breach into the secure network environment. We also found the same dropper deploying different backdoors including the Mongall backdoor and a modified Heyoka backdoor.

Removable Device as an Initial Vector

From 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector. Over time, the actor upgraded the malware to protect it from being detected and removed by security products.

Here’s a summary of the attack chain of recent campaigns:

1. A Removable Disk shortcut file is made which contains a specific path to initiate the malware.
2. When a user clicks the fake device, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe.
3. After executing the loader, it will check if it is in any attached removable devices.
4. If the loader is not in the removable disk, it will copy all the modules under "%USERPROFILE%\AppData\Roaming\EverNoteService\", which includes normal files, the backdoor loader and an encrypted backdoor payload.
5. The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.
6. The loader will check the file path first and decrypt the payloads. There are two payloads in this attack chain: the first payload is the spreader, which copies all malicious files to removable devices; the second one is an encrypted backdoor which injects itself into rundll32’s memory.

Newest infection chain flow

Using USB shortcut techniques to spread the malware and infect target victims

Use a shortcut file to fake removable disc icon and change Evernote application name to RemovableDisc.exe

The spreader component will try to find the removable device in the victim’s environment. This malware component will copy all the malicious modules to any removable device to spread the malware in the target’s network environment, excluding Drive A. The threat actor names this component “upan”, which we observe in the malware’s PDB strings.

C:\Users\john\Documents\Visual Studio 2010\Projects\upan_dll_test\Debug\upan.pdb

Malware Analysis

Aoqin Dragon rely heavily on the DLL hijacking technique to compromise targets and run their malware of choice. This includes their newest malware loader, Mongall backdoor, and a modified Heyoka backdoor.

DLL-test.dll Loader

The DLL-test.dll loader is notable because it is used to initiate the infection chain. When a victim has been compromised, DLL-test.dll will check that the host drive is not A and test whether the drive is removable media or not. After these checks are complete, the loader opens the Removable Disk folder to simulate normal behavior. It then copies all modules from the removable drive to the “EverNoteService” folder. The loader will set up an auto start for “EverNoteTrayService” as a form of persistence following reboots.

After decrypting the encrypted payload, DLL-test.dll will execute rundll32.exe and run specific export functions. The loader injects the decrypted payload into memory and runs it persistently. The payload we found in this operation included a Mongall backdoor and a modified Heyoka backdoor.

We found that the code injection logic is identical to that in the book WINDOWS黑客编程技术详解 (Windows Hacking Programming Techniques Explained), Chapter 4, Section 3, which describes how to use memory to directly execute a DLL file. We also found the same code on GitHub. A debug string inside the DLL-test loader provides further evidence that this is the source of the code in the malware.

C:\users\john\desktop\af\dll_test_hj3\dll_test\memloaddll.cpp
C:\users\john\desktop\af\dll_test_hj3 -不过uac 不写注册表\dll_test\memloaddll.cpp
C:\users\john\desktop\af\dll_test - upan -单独 - 老黑的版本\dll_test\memloaddll.cpp

As stated above, the debug strings inside DLL-test.dll loader provide interesting information about Aoqin Dragon TTPs. The loaders contain both debug strings and embedded PDB strings that give us further information of this loader’s features and which backdoor will be decrypted. For instance, “DLL_test loader for Mongall”, “DLL_test loader for Mongall but can’t bypass UAC and can’t add itself to registry”, “DLL-test loader for upan component” and “DLL-test for DnsControl”, which is a modified Heyoka backdoor.

C:\Documents and Settings\Owner\桌面\DLL_test\Release\DLL_test.pdb
C:\Users\john\Desktop\af\DLL_test_hj3\Debug\DLL_test.pdb
C:\Users\john\Desktop\af\DLL_test - upan -单独 - 老黑的版本\Debug\DLL_test.pdb
C:\Users\john\Desktop\af\DLL_test - upan -单独 - 老黑的版本\Release\DLL_test.pdb
C:\Users\john\Desktop\af\DLL_test_hj3 -不过UAC 不写注册表\Debug\DLL_test.pdb
D:\2018\DnsControl\DNS20180108\DLL_test\Release\DLL_test.pdb

Mongall Backdoor

Mongall is a small backdoor going back to 2013, first described in a report by ESET. According to the report, the threat actor was trying to target the Telecommunications Department and the Vietnamese government. More recently, Aoqin Dragon has been reported targeting Southeast Asia with an upgraded Mongall encryption protocol and Themida packer.

Mongall backdoor has four different mutexes and different notes in each backdoors – notes are shown in the IOC table. Based on the notes, we can estimate malware creation time, intended targets, Mongall backdoor versions and related C2 domain name.

The backdoor mutex and information collection

The actors name this backdoor HJ-client.dll, and the backdoor name matches the PDB strings mentioned earlier. In addition, there are some notes containing “HJ” strings inside the backdoor.

Although Mongall is not particularly feature rich, it is still an effective backdoor. It can create a remote shell, upload files to the victim’s machine and download files to the attacker’s C2. Most important of all, this backdoor embedded three C2 servers for communication. Below is the Mongall backdoor function description and command code.

Mongall backdoor function capability

We discovered that the Mongall backdoor’s network transmission logic could be found on the Chinese Software Developer Network (CSDN). Compared to the old Mongall backdoor, the new version upgrades the encryption mechanism. However, new versions of Mongall still use GET protocol to send the information back with RC4 to encrypt or base64 to encode the victim machine’s information. There is another interesting finding when we analyze Mongall backdoor: the encryption or encode logic is compared to the mutex of Mongall. Here is the table of mutex and transform data logic.

Faking a C2 server allowed us to capture Mongall beacon messages and develop a Python decryption script to reveal each version of the message. Alongside this report, we are publicly releasing the script here. Below shows the encrypted strings and description beacon information.

Decrypting the embedded beacon information

Modified Heyoka Backdoor

We also observed another backdoor used by this threat actor. This backdoor is totally different from Mongall, as we found it is based on the Heyoka open source project. Heyoka is a proof-of-concept of an exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel. The threat actors modified and redesigned this tool to be a custom backdoor using DLL injection technique to deploy it in the victim’s environment. Simplified Chinese characters can be found in its debug log.

Left:the modified backdoor information; Right: the Heyoka source code

Debug information with simplified Chinese characters

This backdoor was named srvdll.dll by its developers. They not only expanded its functionality but also added two hardcoded C2s. The backdoor checks if it is run as system service or not, to make sure it has sufficient privileges and to keep itself persistent. The modified Heyoka backdoor is much more powerful than Mongall. Although both have shell ability, the modified Heyoka backdoor is generally closer to a complete backdoor product. The commands available in the modified Heyoka backdoor are tabulated below.

Hardcoded command and control server in modified Heyoka backdoor

Backdoor with the DNS tunneling connection

Attribution

Throughout the analysis of Aoqin Dragon operations, we came across several artifacts linking the activity to a Chinese-speaking APT group as detailed in the following sections.

Infrastructure

One of Mongall’s backdoors was observed by Unit42 in 2015. They claim the president of Myanmar’s website had been used in a watering hole attack on December 24, 2014. The attacker injected a JavaScript file with a malicious iframe to exploit the browsers of website visitors. In addition, they were also aware that another malicious script had been injected into the same website in November 2014, leveraging CVE-2014-6332 to download a trojan horse to the target’s host.

In 2013, there was a News talk about this group and the results of a police investigation. Police retrieved information from the C2 server and phishing mail server operators located in Beijing, China. The two primary backdoors used in this operation have overlapping C2 infrastructure, and most of the C2 servers can be attributed to Chinese-speaking users.

Two major backdoor C2s overlap

C2 attributed to Chinese-speaking users

Targeting and Motives

The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests. We primarily observed Aoqin Dragon targeting government, education, and telecommunication organizations in Southeast Asia and Australia.

Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented.

Conclusion

Aoqin Dragon is an active cyberespionage group that has been operating for nearly a decade. We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network. SentinelLabs continues to track this activity cluster to provide insight into their evolution.

Indicators of Compromise

Mongall C2 Servers: IP Addresses 10[.]100[.]0[.]34 (Internal IPs) 10[.]100[.]27[.]4 (Internal IPs) 172[.]111[.]192[.]233 59[.]188[.]234[.]233 64[.]27[.]4[.]157 64[.]27[.]4[.]19 67[.]210[.]114[.]99

Mongall C2 Servers: Domains back[.]satunusa[.]org baomoi[.]vnptnet[.]info bbw[.]fushing[.]org bca[.]zdungk[.]com bkav[.]manlish[.]net bkav[.]welikejack[.]com bkavonline[.]vnptnet[.]info bush2015[.]net cl[.]weststations[.]com cloundvietnam[.]com cpt[.]vnptnet[.]inf dns[.]lioncity[.]top dns[.]satunusa[.]org dns[.]zdungk[.]com ds[.]vdcvn[.]com ds[.]xrayccc[.]top facebookmap[.]top fbcl2[.]adsoft[.]name fbcl2[.]softad[.]net flower2[.]yyppmm[.]com game[.]vietnamflash[.]com hello[.]bluesky1234[.]com ipad[.]vnptnet[.]info ks[.]manlish[.]net lepad[.]fushing[.]org lllyyy[.]adsoft[.]name lucky[.]manlish[.]net ma550[.]adsoft[.]name ma550[.]softad[.]net mail[.]comnnet[.]net mail[.]tiger1234[.]com mail[.]vdcvn[.]com mass[.]longvn[.]net mcafee[.]bluesky1234[.]com media[.]vietnamflash[.]com mil[.]dungk[.]com mil[.]zdungk[.]com mmchj2[.]telorg[.]net mmslsh[.]tiger1234[.]com mobile[.]vdcvn[.]com moit[.]longvn[.]net movie[.]vdcvn[.]com news[.]philstar2[.]com news[.]welikejack[.]com npt[.]vnptnet[.]info ns[.]fushing[.]org nycl[.]neverdropd[.]com phcl[.]followag[.]org phcl[.]neverdropd[.]com pna[.]adsoft[.]name pnavy3[.]neverdropd[.]com sky[.]bush2015[.]net sky[.]vietnamflash[.]com tcv[.]tiger1234[.]com telecom[.]longvn[.]net telecom[.]manlish[.]net th-y3[.]adsoft[.]name th550[.]adsoft[.]name th550[.]softad[.]net three[.]welikejack[.]com thy3[.]softad[.]net vdcvn[.]com video[.]philstar2[.]com viet[.]vnptnet[.]info viet[.]zdungk[.]com vietnam[.]vnptnet[.]info vietnamflash[.]com vnet[.]fushing[.]org vnn[.]bush2015[.]net vnn[.]phung123[.]com webmail[.]philstar2[.]com www[.]bush2015[.]net yok[.]fushing[.]org yote[.]dellyou[.]com zing[.]vietnamflash[.]com zingme[.]dungk[.]com zingme[.]longvn[.]net zw[.]dinhk[.]net zw[.]phung123[.]com

Modified Heyoka C2 Server: IP Address 45[.]77[.]11[.]148

Modified Heyoka C2 Server: Domain cvb[.]hotcup[.]pw dns[.]foodforthought1[.]com test[.]facebookmap[.]top

MITRE ATT&CK TTPs