Researchers have discovered a stealthy espionage campaign by a most likely China-backed hacking group that has targeted government, education and telecommunication organizations since 2013.
The attackers used a range of techniques to infect targets with malware, such as via malicious Word documents, fake removable devices leading users to malicious folders, and fake antivirus vendor icons that led to executable files.
The group relied on users’ familiarity with the Windows folder icons and the File Explorer interface to dupe victims into running malicious executables. Dubbed Aoqin Dragon by researchers at SentinelLabs, the group’s prime targets were organizations in the Asia Pacific (APAC) region, including Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
SentinelLabs researcher Joey Chen believes Aoqin Dragon is a small Chinese-speaking team that continues to operate today and has used two backdoors that it continues to improve with richer functionality and greater stealth.
These were both critical remote code execution flaws that abused Office support of Rich Text Format (.rtf) files. Microsoft released patches years before the group started using them in decoy documents.
Chen notes a dropper used by the group had “worm functionality”, offered by a removable device, that allowed it to spread within the target’s network and to deploy two backdoors.
Since 2018, the group has used a fake removable USB device shortcut as the initial point of infection. Clicking on the shortcut icon installs the malicious loader, which has two payloads. The first copies all malicious files to removable devices for spreading on a network, and the second is an encrypted backdoor that can create a remote shell, upload files to the victim’s machine and download files to the attacker’s command and control servers.
“Most important of all, this backdoor embedded three C2 servers for communication,” Chen notes.
The group’s other backdoor is a modified version of the Heyoka open-source project, which uses spoofed Domain Name System (DNS) requests to create a bidirectional tunnel.
This custom backdoor is much more powerful, according to Chen.
“Although both have shell ability, the modified Heyoka backdoor is generally closer to a complete backdoor product,” he explains.
SentinalLabs has published indicators of compromise that defenders can use to detect the threat on their networks.