Newly Discovered Chinese APT Operating Cyberespionage Campaign Against APAC Organizations Since 2013

Technical details of the newly reported Aoqin Dragon threat group align with observed trends in the RH-ISAC APAC community.

Posted on June 10, 2022
Lee Clark, Cyber Threat Intelligence Analyst & Writer

Context

On June 9, 2022, SentinelLabs disclosed technical details of a new Chinese-speaking cyberespionage group designated Aoqin Dragon. According to researchers at SentinelLabs, the group has been operating a cyberespionage campaign against government, education, and telecommunication organizations in Southeast Asia and Australia from at least 2013 to the present. SentinelLabs researchers also assessed with moderate confidence that the group is connected to another Chinese APT tracked by Mandiant as UNC94. The motive and targeting of the group are closely aligned to Chinese state interests.

Technical Details

Researchers found that Aoqin Dragon threat actors seek initial access to target networks via document exploits and fake removable devices. Once access is gained, the threat actors leverage DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.

The infection chain of the campaign is as follows:

Threat actors send a phishing message to trick target users into opening a malicious Word document and installing the Mongall or Heyoka backdoor
Threat actors lure target users into double-clicking a fake anti-virus link to execute malware on the target host
Threat actors plant a malicious removable device and trick target users into opening a malicious folder and installing malware on their system

Between 2012 and 2015, the group heavily exploited CVE-2012-0158 and CVE-2010-3333, vulnerabilities affecting various MS Office versions that could allow remote code execution against target organizations.

The group primarily uses malicious documents with themes related to Asia-Pacific (APAC) regional geopolitics or pornographic material.

Analysis

This research fits with established trends observed in the RH-ISAC community for the APAC region: the prevalence of sophisticated phishing, exploitation of known unpatched vulnerabilities, and the cyberespionage motivation of the group. As discussed in the recent TLP:WHITE RH-ISAC Industry Insights for the 2022 Verizon DBIR, these trends are all well documented not just by the region as a whole, but by RH-ISAC membership specifically. While the targeted industries (government, education, and telecommunications) do not align perfectly with RH-ISAC membership sectors, members in the APAC region will undoubtedly interact with major organizations in the targeted sectors as vendors or partner organizations. As such, members should remain vigilant of the technical details and indicators associated with the group.

IOCs

SentinelLabs provided the following indicators of compromise (IOCs):

Indicator	Type	Notes
a96caf60c50e7c589fefc62d89c27e6ac60cdf2c	SHA1	Mongall
ccccf5e131abe74066b75e8a49c82373414f5d95	SHA1	Mongall
5408f6281aa32c02e17003e0118de82dfa82081e	SHA1	Mongall
a37bb5caa546bc4d58e264fe55e9e9155f36d9d8	SHA1	Mongall
779fa3ebfa1af49419be4ae80b54096b5abedbf9	SHA1	Mongall
2748cbafc7f3c9a3752dc1446ee838c5c5506b23	SHA1	Mongall
eaf9fbddf357bdcf9a5c7f4ad2b9e5f81f96b6a1	SHA1	Mongall
6380b7cf83722044558512202634c2ef4bc5e786	SHA1	Mongall
31cddf48ee612d1d5ba2a7929750dee0408b19c7	SHA1	Mongall
677cdfd2d686f7148a49897b9f6c377c7d26c5e0	SHA1	Mongall
911e4e76f3e56c9eccf57e2da7350ce18b488a7f	SHA1	Mongall
c6b061b0a4d725357d5753c48dda8f272c0cf2ae	SHA1	Mongall
dc7436e9bc83deea01e44db3d5dac0eec566b28c	SHA1	Mongall
5cd555b2c5c6f6c6c8ec5a2f79330ec64fab2bb0	SHA1	Mongall
668180ed487bd3ef984d1b009a89510c42c35d06	SHA1	Mongall
28a23f1bc69143c224826962f8c50a3cf6df3130	SHA1	Mongall
ab81f911b1e0d05645e979c82f78d92b0616b111	SHA1	Mongall
47215f0f4223c1ecf8cdeb847317014dec3450fb	SHA1	Mongall
061439a3c70d7b5c3aed48b342dda9c4ce559ea6	SHA1	Mongall
aa83d81ab543a576b45c824a3051c04c18d0716a	SHA1	Mongall
43d9d286a38e9703c1154e56bd37c5c399497620	SHA1	Mongall
435f943d20ab7b3ecc292e5b16683a94e50c617e	SHA1	Mongall
94b486d650f5ca1761ee79cdff36544c0cc07fe9	SHA1	Mongall
1bef29f2ab38f0219b1dceb5d37b9bda0e9288f5	SHA1	Mongall
01fb97fbb0b864c62d3a59a10e785592bb26c716	SHA1	Mongall
03a5bee9e9686c18a4f673aadd1e279f53e1c68f	SHA1	Mongall
1270af048aadcc7a9fc0fd4a82b9864ace0b6fb6	SHA1	Mongall
e2e7b7ba7cbd96c9eec1bcb16639dec87d06b8dd	SHA1	Mongall
08d22a045f4b16a2939afe029232c6a8f74dcde2	SHA1	Mongall
96bd0d29c319286afaf35ceece236328109cb660	SHA1	Mongall
6cd9886fcb0bd3243011a1f6a2d1dc2da9721aec	SHA1	Mongall
271bd3922eafac4199322177c1ae24b1265885e8	SHA1	Mongall
e966bdb1489256538422a9eb54b94441ddf92efc	SHA1	Mongall
134d5662f909734c1814a5c0b4550e39a99f524b	SHA1	Mongall
93eb2e93972f03d043b6cf0127812fd150ca5ec5	SHA1	Mongall
a8e7722fba8a82749540392e97a021f7da11a15a	SHA1	Mongall
436a4f88a5c48c9ee977c6fbcc8a6b1cae35d609	SHA1	Mongall
ab4cd6a3a4c1a89d70077f84f79d5937b31ebe16	SHA1	Mongall
8340a9bbae0ff573a2ea103d7cbbb34c20b6027d	SHA1	Mongall
31b37127440193b9c8ecabedc214ef51a41b833c	SHA1	Mongall
ed441509380e72961b263d07409ee5987820d7ae	SHA1	Mongall
45d156d2b696338bf557a509eaaca9d4bc34ba4a	SHA1	Mongall
bac8248bb6f4a303d5c4e4ce0cd410dc447951ea	SHA1	Mongall
15350967659da8a57e4d8e19368d785776268a0e	SHA1	Mongall
008dd0c161a0d4042bdeb1f1bd62039a9224b7f0	SHA1	Mongall
7e1f5f74c1bf2790c8931f578e94c02e791a6f5f	SHA1	Mongall
16a59d124acc977559b3126f9ec93084ca9b76c7	SHA1	Mongall
38ba46a18669918dea27574da0e0941228427598	SHA1	Mongall
38ba46a18669918dea27574da0e0941228427598	SHA1	Mongall
19814580d3a3a87950fbe5a0be226f9610d459ed	SHA1	Mongall
d82ebb851db68bce949ba6151a7063dab26a4d54	SHA1	Mongall
0b2956ad5695b115b330388a60e53fb13b1d48c3	SHA1	Mongall
7fb2838b197981fbc6b5b219d115a288831c684c	SHA1	Mongall
af8209bad7a42871b143ad4c024ed421ea355766	SHA1	Mongall
72d563fdc04390ba6e7c3df058709c652c193f9c	SHA1	Mongall
db4b1507f8902c95d10b1ed601b56e03499718c5	SHA1	Mongall
f5cc1819c4792df19f8154c88ff466b725a695f6	SHA1	Mongall
86e04e6a149fd818869721df9712789d04c84182	SHA1	Mongall
a64fbd2e5e47fea174dd739053eec021e13667f8	SHA1	Mongall
d36c3d857d23c89bbdfefd6c395516a68ffa6b82	SHA1	Mongall
d15947ba6d65a22dcf8eff917678e2b386c5f662	SHA1	Mongall
5fa90cb49d0829410505b78d4037461b67935371	SHA1	Mongall
f2bf467a5e222a46cd8072043ce29b4b72f6a060	SHA1	Mongall
e061de5ce7fa02a90bbebf375bb510158c54a045	SHA1	Mongall
4e0b42591b71e35dd1edd2e27c94542f64cfa22f	SHA1	Mongall
330402c612dc9fafffca5c7f4e97d2e227f0b6d4	SHA1	Mongall
5f4cd9cd3d72c52881af6b08e58611a0fe1b35bf	SHA1	Mongall
2de1184557622fa34417d2356388e776246e748a	SHA1	Mongall
9a9aff027ad62323bdcca34f898dbcefe4df629b	SHA1	Mongall
9cd48fddd536f2c2e28f622170e2527a9ca84ee0	SHA1	Mongall
2c99022b592d2d8e4a905bacd25ce7e1ec3ed3bb	SHA1	Mongall
69e0fcdc24fe17e41ebaee71f09d390b45f9e5c2	SHA1	Mongall
a2ea8a9abf749e3968a317b5dc5b95c88edc5b6f	SHA1	Mongall
0a8e432f63cc8955e2725684602714ab710e8b0a	SHA1	Mongall
309accad8345f92eb19bd257cfc7dd8d0c00b910	SHA1	Mongall
89937567c575d38778b08289876b938a0e766f14	SHA1	Mongall
19bd1573564fe2c73e08dce4c4ad08b2161e0556	SHA1	Mongall
a1d0c96db49f1eef7fd71cbed13f2fb6d521ab6a	SHA1	Mongall
936748b63b1c9775cef17c8cdbba9f45ceba3389	SHA1	Mongall
46d54a3de7e139b191b999118972ea394c48a97f	SHA1	Mongall
4786066b29066986b35db0bfce1f58ec8051ba6b	SHA1	Mongall
b1d84d33d37526c042f5d241b94f8b77e1aa8b98	SHA1	Mongall
7bb500f0c17014dd0d5e7179c52134b849982465	SHA1	Mongall
d1d3219006fdfd4654c52e84051fb2551de2373a	SHA1	Mongall
0ffa5e49f17bc722c37a08041e6d80ee073d0d8f	SHA1	Mongall
dceecf543f15344b875418ad086d9706bfef1447	SHA1	Mongall
fa177d9bd5334d8e4d981a5a9ab09b41141e9dcc	SHA1	Mongall
07aab5761d56159622970a0213038a62d53743c2	SHA1	Mongall
d83dde58a510bdd3243038b1f1873e7da3114bcf	SHA1	Mongall
a0da713ee28a17371691aaa901149745f965eb90	SHA1	Mongall
c5b644a33fb027900111d5d4912e28b7dcce88ff	SHA1	Mongall
db5437fec902cc1bcbad4bef4d055651e9926a89	SHA1	Mongall
ff42d2819c1a73e0032df6c430f0c67582adba74	SHA1	Mongall
3b2d858c682342127769202a806e8ab7f1e43173	SHA1	Mongall
c08bf3ae164e8e9d1d9f51dffcbe7039dce4c643	SHA1	Mongall
f41d1966285667e74a419e404f43c7693f3b0383	SHA1	Mongall
3ccb546f12d9ed6ad7736c581e7a00c86592e5dd	SHA1	Mongall
904556fed1aa00250eee1a69d68f78c4ce66a8dc	SHA1	Mongall
bd9dec094c349a5b7d9690ab1e58877a9f001acf	SHA1	Mongall
87e6ab15f16b1ed3db9cc63d738bf9d0b739a220	SHA1	Mongall
f8fc307f7d53b2991dea3805f1eebf3417a7082b	SHA1	Mongall
ece4c9fc15acd96909deab3ff207359037012fd5	SHA1	Mongall
7fdfec70c8daae07a29a2c9077062e6636029806	SHA1	Mongall
17d548b2dca6625271649dc93293fdf998813b21	SHA1	Mongall
6a7ac7ebab65c7d8394d187aafb5d8b3f7994d21	SHA1	Mongall
fee78ccadb727797ddf51d76ff43bf459bfa8e89	SHA1	Mongall
4bf58addcd01ab6eebca355a5dda819d78631b44	SHA1	Mongall
fd9f0e40bf4f7f975385f58d120d07cdd91df330	SHA1	Mongall
a76c21af39b0cc3f7557de645e4aaeccaf244c1e	SHA1	Mongall
7ff9511ebe6f95fc73bc0fa94458f18ee0fb395d	SHA1	Mongall
97c5003e5eacbc8f5258b88493f148f148305df5	SHA1	Mongall
f92edf91407ab2c22f2246a028e81cf1c99ce89e	SHA1	Mongall
d932f7d11f8681a635e70849b9c8181406675930	SHA1	Mongall
b0b13e9445b94ed2b69448044fbfd569589f8586	SHA1	Mongall
b194b26de8c1f31b0c075ceb0ab1e80d9c110efc	SHA1	Mongall
df26b43439c02b8cd4bff78b0ea01035df221f68	SHA1	Mongall
60bd17aa94531b89f80d7158458494b279be62b4	SHA1	Mongall
33abee43acfe25b295a4b2accfaf33e2aaf2b879	SHA1	Mongall
c87a8492de90a415d1fbe32becbafef5d5d8eabb	SHA1	Mongall
68b731fcb6d1a88adf30af079bea8efdb0c2ee6e	SHA1	Mongall
cf7c5d32d73fb90475e58597044e7f20f77728af	SHA1	Mongall
1ab85632e63a1e4944128619a9dafb6405558863	SHA1	Mongall
1f0d3c8e373c529a0c3e0172f5f0fb37e1cdd290	SHA1	Mongall
f69050c8bdcbb1b5f16ca069e231b66d52c0a652	SHA1	Mongall
6ff079e886cbc6be0f745b044ee324120de3dab2	SHA1	Mongall
8c90aa0a521992d57035f00d3fbdfd0fa7067574	SHA1	Mongall
5e32a5a5ca270f69a3bf4e7dd3889b0d10d90ec2	SHA1	Mongall
0db3626a8800d421c8b16298916a7655a73460de	SHA1	Mongall
01751ea8ac4963e40c42acfa465936cbe3eed6c2	SHA1	Mongall
6b3032252b1f883cbe817fd846181f596260935b	SHA1	Dropper
741168d01e7ea8a2079ee108c32893da7662bb63	SHA1	Dropper
b9cc2f913c4d2d9a602f2c05594af0148ab1fb03	SHA1	Dropper
c7e6f7131eb71d2f0e7120b11abfaa3a50e2b19e	SHA1	Dropper
ae0fdf2ab73e06c0cd04cf79b9c5a9283815bacb	SHA1	Dropper
67f2cd4f1a60e1b940494812cdf38cd7c0290050	SHA1	Dropper
aca99cfd074ed79c13f6349bd016d5b65e73c324	SHA1	Dropper
ba7142e016d0e5920249f2e6d0f92c4fadfc7244	SHA1	Dropper
98a907b18095672f92407d92bfd600d9a0037f93	SHA1	Dropper
afaffef28d8b6983ada574a4319d16c688c2cb38	SHA1	Dropper
98e2afed718649a38d9daf10ac792415081191fe	SHA1	Dropper
bc32e66a6346907f4417dc4a81d569368594f4ae	SHA1	Dropper
8d569ac92f1ca8437397765d351302c75c20525b	SHA1	Document exploit
5c32a4e4c3d69a95e00a981a67f5ae36c7aae05e	SHA1	Document exploit
d807a2c01686132f5f1c359c30c9c5a7ab4d31c2	SHA1	Document exploit
155db617c6cf661507c24df2d248645427de492c	SHA1	Modified Heyoka
7e6870a527ffb5235ee2b4235cd8e74eb0f69d0e	SHA1	Modified Heyoka
2f0ea0a0a2ffe204ec78a0bdf1f5dee372ec4d42	SHA1	DLL-test
041d9b089a9c8408c99073c9953ab59bd3447878	SHA1	DLL-test
1edada1bb87b35458d7e059b5ca78c70cd64fd3f	SHA1	DLL-test
4033c313497c898001a9f06a35318bb8ed621dfb	SHA1	DLL-test
683a3e0d464c7dcbe5f959f8fd82d738f4039b38	SHA1	DLL-test
97d30b904e7b521a9b7a629fdd1e0ae8a5bf8238	SHA1	DLL-test
53525da91e87326cea124955cbc075f8e8f3276b	SHA1	DLL-test
73ac8512035536ffa2531ee9580ef21085511dc5	SHA1	DLL-test
28b8843e3e2a385da312fd937752cd5b529f9483	SHA1	Installer
cd59c14d46daaf874dc720be140129d94ee68e39	SHA1	Upan component
10[.]100[.]0[.]34	IP Address	Mongall C2 Server (Internal IPs)
10[.]100[.]27[.]4	IP Address	Mongall C2 Server (Internal IPs)
172[.]111[.]192[.]233	IP Address	Mongall C2 Server
59[.]188[.]234[.]233	IP Address	Mongall C2 Server
64[.]27[.]4[.]157	IP Address	Mongall C2 Server
64[.]27[.]4[.]19	IP Address	Mongall C2 Server
67[.]210[.]114[.]99	IP Address	Mongall C2 Server
back[.]satunusa[.]org	Domain	Mongall C2 Server
baomoi[.]vnptnet[.]info	Domain	Mongall C2 Server
bbw[.]fushing[.]org	Domain	Mongall C2 Server
bca[.]zdungk[.]com	Domain	Mongall C2 Server
bkav[.]manlish[.]net	Domain	Mongall C2 Server
bkav[.]welikejack[.]com	Domain	Mongall C2 Server
bkavonline[.]vnptnet[.]info	Domain	Mongall C2 Server
bush2015[.]net	Domain	Mongall C2 Server
cl[.]weststations[.]com	Domain	Mongall C2 Server
cloundvietnam[.]com	Domain	Mongall C2 Server
cpt[.]vnptnet[.]inf	Domain	Mongall C2 Server
dns[.]lioncity[.]top	Domain	Mongall C2 Server
dns[.]satunusa[.]org	Domain	Mongall C2 Server
dns[.]zdungk[.]com	Domain	Mongall C2 Server
ds[.]vdcvn[.]com	Domain	Mongall C2 Server
ds[.]xrayccc[.]top	Domain	Mongall C2 Server
facebookmap[.]top	Domain	Mongall C2 Server
fbcl2[.]adsoft[.]name	Domain	Mongall C2 Server
fbcl2[.]softad[.]net	Domain	Mongall C2 Server
flower2[.]yyppmm[.]com	Domain	Mongall C2 Server
game[.]vietnamflash[.]com	Domain	Mongall C2 Server
hello[.]bluesky1234[.]com	Domain	Mongall C2 Server
ipad[.]vnptnet[.]info	Domain	Mongall C2 Server
ks[.]manlish[.]net	Domain	Mongall C2 Server
lepad[.]fushing[.]org	Domain	Mongall C2 Server
lllyyy[.]adsoft[.]name	Domain	Mongall C2 Server
lucky[.]manlish[.]net	Domain	Mongall C2 Server
ma550[.]adsoft[.]name	Domain	Mongall C2 Server
ma550[.]softad[.]net	Domain	Mongall C2 Server
mail[.]comnnet[.]net	Domain	Mongall C2 Server
mail[.]tiger1234[.]com	Domain	Mongall C2 Server
mail[.]vdcvn[.]com	Domain	Mongall C2 Server
mass[.]longvn[.]net	Domain	Mongall C2 Server
mcafee[.]bluesky1234[.]com	Domain	Mongall C2 Server
media[.]vietnamflash[.]com	Domain	Mongall C2 Server
mil[.]dungk[.]com	Domain	Mongall C2 Server
mil[.]zdungk[.]com	Domain	Mongall C2 Server
mmchj2[.]telorg[.]net	Domain	Mongall C2 Server
mmslsh[.]tiger1234[.]com	Domain	Mongall C2 Server
mobile[.]vdcvn[.]com	Domain	Mongall C2 Server
moit[.]longvn[.]net	Domain	Mongall C2 Server
movie[.]vdcvn[.]com	Domain	Mongall C2 Server
news[.]philstar2[.]com	Domain	Mongall C2 Server
news[.]welikejack[.]com	Domain	Mongall C2 Server
npt[.]vnptnet[.]info	Domain	Mongall C2 Server
ns[.]fushing[.]org	Domain	Mongall C2 Server
nycl[.]neverdropd[.]com	Domain	Mongall C2 Server
phcl[.]followag[.]org	Domain	Mongall C2 Server
phcl[.]neverdropd[.]com	Domain	Mongall C2 Server
pna[.]adsoft[.]name	Domain	Mongall C2 Server
pnavy3[.]neverdropd[.]com	Domain	Mongall C2 Server
sky[.]bush2015[.]net	Domain	Mongall C2 Server
sky[.]vietnamflash[.]com	Domain	Mongall C2 Server
tcv[.]tiger1234[.]com	Domain	Mongall C2 Server
telecom[.]longvn[.]net	Domain	Mongall C2 Server
telecom[.]manlish[.]net	Domain	Mongall C2 Server
th-y3[.]adsoft[.]name	Domain	Mongall C2 Server
th550[.]adsoft[.]name	Domain	Mongall C2 Server
th550[.]softad[.]net	Domain	Mongall C2 Server
three[.]welikejack[.]com	Domain	Mongall C2 Server
thy3[.]softad[.]net	Domain	Mongall C2 Server
vdcvn[.]com	Domain	Mongall C2 Server
video[.]philstar2[.]com	Domain	Mongall C2 Server
viet[.]vnptnet[.]info	Domain	Mongall C2 Server
viet[.]zdungk[.]com	Domain	Mongall C2 Server
vietnam[.]vnptnet[.]info	Domain	Mongall C2 Server
vietnamflash[.]com	Domain	Mongall C2 Server
vnet[.]fushing[.]org	Domain	Mongall C2 Server
vnn[.]bush2015[.]net	Domain	Mongall C2 Server
vnn[.]phung123[.]com	Domain	Mongall C2 Server
webmail[.]philstar2[.]com	Domain	Mongall C2 Server
www[.]bush2015[.]net	Domain	Mongall C2 Server
yok[.]fushing[.]org	Domain	Mongall C2 Server
yote[.]dellyou[.]com	Domain	Mongall C2 Server
zing[.]vietnamflash[.]com	Domain	Mongall C2 Server
zingme[.]dungk[.]com	Domain	Mongall C2 Server
zingme[.]longvn[.]net	Domain	Mongall C2 Server
zw[.]dinhk[.]net	Domain	Mongall C2 Server
zw[.]phung123[.]com	Domain	Mongall C2 Server
45[.]77[.]11[.]148	IP Address	Modified Heyoka Server
cvb[.]hotcup[.]pw	Domain	Modified Heyoka Server
dns[.]foodforthought1[.]com	Domain	Modified Heyoka Server
test[.]facebookmap[.]top	Domain	Modified Heyoka Server

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

Newly Discovered Chinese APT Operating Cyberespionage Campaign Against APAC Organizations Since 2013

Technical details of the newly reported Aoqin Dragon threat group align with observed trends in the RH-ISAC APAC community.

Context

Technical Details

Analysis

Subscribe to the Blog

More Recent Blog Posts

Financially Motivated Threat Actor, SilkSpecter, Targeting Black Friday Shoppers

Iranian TA455 Initiates Dream Job Campaign to Target Aviation and Other Critical Industries with Malware

Midnight Blizzard Conducts Large-Scale Spear-Phishing Campaign Utilizing RDP Files