Aoqin Dragon – Chinese APT lures with Pornographs

Aoqin Dragon, a Chinese-linked advanced persistent threat (APT) has been uncovered that primarily targeting organizations in Southeast Asia and Australia, including government, education, and telecommunication organizations.

According to researchers, Aoqin Dragon has a history of using document lures with pornographic themes to infect users and uses USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors,  and a modified version of the open source Heyoka project.

The  threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Based on an analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, it has been believed that the threat actor is a small Chinese-speaking team with potential association to UNC94.

Attack Chain

1. A Removable Disk shortcut file is made which contains a specific path to initiate the malware.
2. When a user clicks the fake device, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe.
3. After executing the loader, it will check if it is in any attached removable devices.
4. If the loader is not in the removable disk, it will copy all the modules under “%USERPROFILE%\AppData\Roaming\EverNoteService\”, which includes normal files, the backdoor loader, and an encrypted backdoor payload.
5. The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.
6. The loader will check the file path first and decrypt the payloads. There are two payloads in this attack chain: the first payload is the spreader, which copies all malicious files to removable devices; the second one is an encrypted backdoor which injects itself into rundll32’s memory.

The Chinese government has always done remarkable work in highly specific targeting designed to infect their espionage targets. They are spending real effort to do the research to make sure they can discretely infect organizations and operate for extended periods of time without being discovered.

Throughout the firm’s analysis of Aoqin Dragon campaigns, Researchers observed a clear evolution in their infection chain and TTPs. Researchers divide their infection strategy into three parts.

• Using a  and tricking the user into opening a weaponized Word document to install a backdoor.
• Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
• Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.

The threat group has evolved TTPs several times and will continue to find new methods to evade detection and stay longer in their target network and continue to conduct espionage operations.

This research was done by Sentinel labs

Indicators of Compromise

• a96caf60c50e7c589fefc62d89c27e6ac60cdf2c     
• ccccf5e131abe74066b75e8a49c82373414f5d95 
• 5408f6281aa32c02e17003e0118de82dfa82081e                
• a37bb5caa546bc4d58e264fe55e9e9155f36d9d8                
• 779fa3ebfa1af49419be4ae80b54096b5abedbf9 
• 2748cbafc7f3c9a3752dc1446ee838c5c5506b23  
• eaf9fbddf357bdcf9a5c7f4ad2b9e5f81f96b6a1    
• 6380b7cf83722044558512202634c2ef4bc5e786                
• 31cddf48ee612d1d5ba2a7929750dee0408b19c7               
• 677cdfd2d686f7148a49897b9f6c377c7d26c5e0 
• 911e4e76f3e56c9eccf57e2da7350ce18b488a7f  
• c6b061b0a4d725357d5753c48dda8f272c0cf2ae 
• dc7436e9bc83deea01e44db3d5dac0eec566b28c               
• 5cd555b2c5c6f6c6c8ec5a2f79330ec64fab2bb0   
• 668180ed487bd3ef984d1b009a89510c42c35d06               
• 28a23f1bc69143c224826962f8c50a3cf6df3130   
• ab81f911b1e0d05645e979c82f78d92b0616b111               
• 47215f0f4223c1ecf8cdeb847317014dec3450fb  
• 061439a3c70d7b5c3aed48b342dda9c4ce559ea6               
• aa83d81ab543a576b45c824a3051c04c18d0716a               
• 43d9d286a38e9703c1154e56bd37c5c399497620              
• 435f943d20ab7b3ecc292e5b16683a94e50c617e               
• 94b486d650f5ca1761ee79cdff36544c0cc07fe9   
• 1bef29f2ab38f0219b1dceb5d37b9bda0e9288f5 
• 01fb97fbb0b864c62d3a59a10e785592bb26c716                
• 03a5bee9e9686c18a4f673aadd1e279f53e1c68f 
• 1270af048aadcc7a9fc0fd4a82b9864ace0b6fb6   
• e2e7b7ba7cbd96c9eec1bcb16639dec87d06b8dd              
• 08d22a045f4b16a2939afe029232c6a8f74dcde2 
• 96bd0d29c319286afaf35ceece236328109cb660 
• 6cd9886fcb0bd3243011a1f6a2d1dc2da9721aec 
• 271bd3922eafac4199322177c1ae24b1265885e8               
• e966bdb1489256538422a9eb54b94441ddf92efc               
• 134d5662f909734c1814a5c0b4550e39a99f524b                
• 93eb2e93972f03d043b6cf0127812fd150ca5ec5 
• a8e7722fba8a82749540392e97a021f7da11a15a                
• 436a4f88a5c48c9ee977c6fbcc8a6b1cae35d609  
• ab4cd6a3a4c1a89d70077f84f79d5937b31ebe16                
• 8340a9bbae0ff573a2ea103d7cbbb34c20b6027d                
• 31b37127440193b9c8ecabedc214ef51a41b833c                
• ed441509380e72961b263d07409ee5987820d7ae             
• 45d156d2b696338bf557a509eaaca9d4bc34ba4a               
• bac8248bb6f4a303d5c4e4ce0cd410dc447951ea                
• 15350967659da8a57e4d8e19368d785776268a0e             
• 008dd0c161a0d4042bdeb1f1bd62039a9224b7f0               
• 7e1f5f74c1bf2790c8931f578e94c02e791a6f5f    
• 16a59d124acc977559b3126f9ec93084ca9b76c7                
• 38ba46a18669918dea27574da0e0941228427598              
• 38ba46a18669918dea27574da0e0941228427598              
• 19814580d3a3a87950fbe5a0be226f9610d459ed               
• d82ebb851db68bce949ba6151a7063dab26a4d54             
• 0b2956ad5695b115b330388a60e53fb13b1d48c3              
• 7fb2838b197981fbc6b5b219d115a288831c684c                
• af8209bad7a42871b143ad4c024ed421ea355766               
• 72d563fdc04390ba6e7c3df058709c652c193f9c  
• db4b1507f8902c95d10b1ed601b56e03499718c5              
• f5cc1819c4792df19f8154c88ff466b725a695f6     
• 86e04e6a149fd818869721df9712789d04c84182                
• a64fbd2e5e47fea174dd739053eec021e13667f8 
• d36c3d857d23c89bbdfefd6c395516a68ffa6b82  
• d15947ba6d65a22dcf8eff917678e2b386c5f662  
• 5fa90cb49d0829410505b78d4037461b67935371              
• f2bf467a5e222a46cd8072043ce29b4b72f6a060 
• e061de5ce7fa02a90bbebf375bb510158c54a045                
• 4e0b42591b71e35dd1edd2e27c94542f64cfa22f 
• 330402c612dc9fafffca5c7f4e97d2e227f0b6d4     
• 5f4cd9cd3d72c52881af6b08e58611a0fe1b35bf  
• 2de1184557622fa34417d2356388e776246e748a              
• 9a9aff027ad62323bdcca34f898dbcefe4df629b   
• 9cd48fddd536f2c2e28f622170e2527a9ca84ee0 
• 2c99022b592d2d8e4a905bacd25ce7e1ec3ed3bb              
• 69e0fcdc24fe17e41ebaee71f09d390b45f9e5c2  
• a2ea8a9abf749e3968a317b5dc5b95c88edc5b6f 
• 0a8e432f63cc8955e2725684602714ab710e8b0a               
• 309accad8345f92eb19bd257cfc7dd8d0c00b910 
• 89937567c575d38778b08289876b938a0e766f14              
• 19bd1573564fe2c73e08dce4c4ad08b2161e0556               
• a1d0c96db49f1eef7fd71cbed13f2fb6d521ab6a  
• 936748b63b1c9775cef17c8cdbba9f45ceba3389 
• 46d54a3de7e139b191b999118972ea394c48a97f               
• 4786066b29066986b35db0bfce1f58ec8051ba6b               
• b1d84d33d37526c042f5d241b94f8b77e1aa8b98               
• 7bb500f0c17014dd0d5e7179c52134b849982465              
• d1d3219006fdfd4654c52e84051fb2551de2373a                
• 0ffa5e49f17bc722c37a08041e6d80ee073d0d8f  
• dceecf543f15344b875418ad086d9706bfef1447  
• fa177d9bd5334d8e4d981a5a9ab09b41141e9dcc               
• 07aab5761d56159622970a0213038a62d53743c2              
• d83dde58a510bdd3243038b1f1873e7da3114bcf               
• a0da713ee28a17371691aaa901149745f965eb90               
• c5b644a33fb027900111d5d4912e28b7dcce88ff 
• db5437fec902cc1bcbad4bef4d055651e9926a89                 
• ff42d2819c1a73e0032df6c430f0c67582adba74   
• 3b2d858c682342127769202a806e8ab7f1e43173               
• c08bf3ae164e8e9d1d9f51dffcbe7039dce4c643  
• f41d1966285667e74a419e404f43c7693f3b0383                 
• 3ccb546f12d9ed6ad7736c581e7a00c86592e5dd               
• 904556fed1aa00250eee1a69d68f78c4ce66a8dc 
• bd9dec094c349a5b7d9690ab1e58877a9f001acf                
• 87e6ab15f16b1ed3db9cc63d738bf9d0b739a220                
• f8fc307f7d53b2991dea3805f1eebf3417a7082b  
• ece4c9fc15acd96909deab3ff207359037012fd5   
• 7fdfec70c8daae07a29a2c9077062e6636029806 
• 17d548b2dca6625271649dc93293fdf998813b21                
• 6a7ac7ebab65c7d8394d187aafb5d8b3f7994d21                
• fee78ccadb727797ddf51d76ff43bf459bfa8e89   
• 4bf58addcd01ab6eebca355a5dda819d78631b44               
• fd9f0e40bf4f7f975385f58d120d07cdd91df330    
• a76c21af39b0cc3f7557de645e4aaeccaf244c1e   
• 7ff9511ebe6f95fc73bc0fa94458f18ee0fb395d    
• 97c5003e5eacbc8f5258b88493f148f148305df5  
• f92edf91407ab2c22f2246a028e81cf1c99ce89e   
• d932f7d11f8681a635e70849b9c8181406675930               
• b0b13e9445b94ed2b69448044fbfd569589f8586                
• b194b26de8c1f31b0c075ceb0ab1e80d9c110efc 
• df26b43439c02b8cd4bff78b0ea01035df221f68   
• 60bd17aa94531b89f80d7158458494b279be62b4              
• 33abee43acfe25b295a4b2accfaf33e2aaf2b879   
• c87a8492de90a415d1fbe32becbafef5d5d8eabb
• 68b731fcb6d1a88adf30af079bea8efdb0c2ee6e 
• cf7c5d32d73fb90475e58597044e7f20f77728af   
• 1ab85632e63a1e4944128619a9dafb6405558863               
• 1f0d3c8e373c529a0c3e0172f5f0fb37e1cdd290   
• f69050c8bdcbb1b5f16ca069e231b66d52c0a652                 
• 6ff079e886cbc6be0f745b044ee324120de3dab2 
• 8c90aa0a521992d57035f00d3fbdfd0fa7067574  
• 5e32a5a5ca270f69a3bf4e7dd3889b0d10d90ec2                
• 0db3626a8800d421c8b16298916a7655a73460de             
• 01751ea8ac4963e40c42acfa465936cbe3eed6c2 
• 6b3032252b1f883cbe817fd846181f596260935b                
• 741168d01e7ea8a2079ee108c32893da7662bb63              
• b9cc2f913c4d2d9a602f2c05594af0148ab1fb03   
• c7e6f7131eb71d2f0e7120b11abfaa3a50e2b19e 
• ae0fdf2ab73e06c0cd04cf79b9c5a9283815bacb  
• 67f2cd4f1a60e1b940494812cdf38cd7c0290050  
• aca99cfd074ed79c13f6349bd016d5b65e73c324                 
• ba7142e016d0e5920249f2e6d0f92c4fadfc7244  
• 98a907b18095672f92407d92bfd600d9a0037f93                
• afaffef28d8b6983ada574a4319d16c688c2cb38   
• 98e2afed718649a38d9daf10ac792415081191fe 
• bc32e66a6346907f4417dc4a81d569368594f4ae                
• 8d569ac92f1ca8437397765d351302c75c20525b                
• 5c32a4e4c3d69a95e00a981a67f5ae36c7aae05e                
• d807a2c01686132f5f1c359c30c9c5a7ab4d31c2  
• 155db617c6cf661507c24df2d248645427de492c                
• 7e6870a527ffb5235ee2b4235cd8e74eb0f69d0e                
• 2f0ea0a0a2ffe204ec78a0bdf1f5dee372ec4d42  
• 041d9b089a9c8408c99073c9953ab59bd3447878              
• 1edada1bb87b35458d7e059b5ca78c70cd64fd3f                
• 4033c313497c898001a9f06a35318bb8ed621dfb                
• 683a3e0d464c7dcbe5f959f8fd82d738f4039b38  
• 97d30b904e7b521a9b7a629fdd1e0ae8a5bf8238               
• 53525da91e87326cea124955cbc075f8e8f3276b                
• 73ac8512035536ffa2531ee9580ef21085511dc5 
• 28b8843e3e2a385da312fd937752cd5b529f9483
• cd59c14d46daaf874dc720be140129d94ee68e39

 C2 Servers: IP Addresses

• 10[.]100[.]0[.]34 (Internal IPs)
• 10[.]100[.]27[.]4 (Internal IPs)
• 172[.]111[.]192[.]233
• 59[.]188[.]234[.]233
• 64[.]27[.]4[.]157
• 64[.]27[.]4[.]19
• 67[.]210[.]114[.]99

 C2 Servers: Domains

• back[.]satunusa[.]org
• baomoi[.]vnptnet[.]info
• bbw[.]fushing[.]org
• bca[.]zdungk[.]com
• bkav[.]manlish[.]net
• bkav[.]welikejack[.]com
• bkavonline[.]vnptnet[.]info
• bush2015[.]net
• cl[.]weststations[.]com
• cloundvietnam[.]com
• cpt[.]vnptnet[.]inf
• dns[.]lioncity[.]top
• dns[.]satunusa[.]org
• dns[.]zdungk[.]com
• ds[.]vdcvn[.]com
• ds[.]xrayccc[.]top
• facebookmap[.]top
• fbcl2[.]adsoft[.]name
• fbcl2[.]softad[.]net
• flower2[.]yyppmm[.]com
• game[.]vietnamflash[.]com
• hello[.]bluesky1234[.]com
• ipad[.]vnptnet[.]info
• ks[.]manlish[.]net
• lepad[.]fushing[.]org
• lllyyy[.]adsoft[.]name
• lucky[.]manlish[.]net
• ma550[.]adsoft[.]name
• ma550[.]softad[.]net
• mail[.]comnnet[.]net
• mail[.]tiger1234[.]com
• mail[.]vdcvn[.]com
• mass[.]longvn[.]net
• mcafee[.]bluesky1234[.]com
• media[.]vietnamflash[.]com
• mil[.]dungk[.]com
• mil[.]zdungk[.]com
• mmchj2[.]telorg[.]net
• mmslsh[.]tiger1234[.]com
• mobile[.]vdcvn[.]com
• moit[.]longvn[.]net
• movie[.]vdcvn[.]com
• news[.]philstar2[.]com
• news[.]welikejack[.]com
• npt[.]vnptnet[.]info
• ns[.]fushing[.]org
• nycl[.]neverdropd[.]com
• phcl[.]followag[.]org
• phcl[.]neverdropd[.]com
• pna[.]adsoft[.]name
• pnavy3[.]neverdropd[.]com
• sky[.]bush2015[.]net
• sky[.]vietnamflash[.]com
• tcv[.]tiger1234[.]com
• telecom[.]longvn[.]net
• telecom[.]manlish[.]net
• th-y3[.]adsoft[.]name
• th550[.]adsoft[.]name
• th550[.]softad[.]net
• three[.]welikejack[.]com
• thy3[.]softad[.]net
• vdcvn[.]com
• video[.]philstar2[.]com
• viet[.]vnptnet[.]info
• viet[.]zdungk[.]com
• vietnam[.]vnptnet[.]info
• vietnamflash[.]com
• vnet[.]fushing[.]org
• vnn[.]bush2015[.]net
• vnn[.]phung123[.]com
• webmail[.]philstar2[.]com
• www[.]bush2015[.]net
• yok[.]fushing[.]org
• yote[.]dellyou[.]com
• zing[.]vietnamflash[.]com
• zingme[.]dungk[.]com
• zingme[.]longvn[.]net
• zw[.]dinhk[.]net
• zw[.]phung123[.]com

Modified Heyoka C2 Server: IP Address

• 45[.]77[.]11[.]148

Modified Heyoka C2 Server: Domain

• cvb[.]hotcup[.]pw
• dns[.]foodforthought1[.]com
• test[.]facebookmap[.]top