Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[1] |
| Enterprise | T1083 | File and Directory Discovery | Aoqin Dragon has run scripts to identify file formats including Microsoft Word.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.[1] |
| Enterprise | T1091 | Replication Through Removable Media | Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.[1] |