The email rar attachment contains an exe file: the first malware, which downloads the second. The stolen data is exfiltrated via SMTP.
Aoqin Dragon: the pro-China APT under the radar since 2013. Sentinel Labs cybersecurity experts: the group seeks initial access primarily via document lures with pornographic themes and makes heavy use of USB shortcut techniques to spread malware
Aoqin Dragon is a small pro-China APT that flew under the radar for a decade. It has been discovered by Sentinel Labs cybersecurity experts, who believe it has been operating since 2013, targeting government, education, and telecommunication organizations in Southeast Asia and Australia. Aoqin Dragon seeks initial access primarily via document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks typically drop one of two backdoors: Mongall or a modified version of the open source Heyoka project. Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection. The targeting closely aligns with the Chinese government’s political interests. Considering this long-term effort and the continuous targeted attacks of the past few years, the researchers assess that the threat actor’s motives are cyber espionage-oriented.