Monday, January 20, 2025
HomeCyber AttackChinese-linked APT Hackers Spying Orgs Over 10 Years Using DNS Tunneling To...

Chinese-linked APT Hackers Spying Orgs Over 10 Years Using DNS Tunneling To Evade Detection

Published on

SIEM as a Service

Follow Us on Google News

Security researchers at SentinelLabs recently discovered that a Chinese-speaking APT adversary has been actively operating all of its operations since 2013 and has been executing all of its attacks since that time.

The hacking group is known as the “Aoqin Dragon” is focused on cyber-espionage, and their target sectors include:- 

  • Government
  • Education
  • Telecommunication organizations (Located in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.)

Throughout the years, the techniques of threat actors have improved and evolved. However, some concepts and tactics remain the same.

Intrusion techniques

It has been revealed that in the time since Aoqin Dragon was first spotted, there were three distinct infection chains that it implemented. The oldest and most widespread of these attacks, used between 2012 and 2015, exploited vulnerabilities in Microsoft Office files, and the flaws exploited are known:-

  1. CVE-2012-0158 
  2. CVE-2010-3333

As a result of this attack tactic, the security firm, FireEye was able to detect a spear-phishing campaign, coordinated by the Chinese-sponsored, “Naikon Group.” 

While this Chinese-sponsored threat group targeted a government agency in the Asia-Pacific region (APAC) and the US think tank in 2014.

Malware executables are masked with fake anti-virus icons to make it appear as if they were legit anti-virus products, tricking the user into running them, and then executing a malicious dropper on the target system.

The use of removable disk shortcut files has become increasingly important for Aoqin Dragon since its initial release in 2018. When clicked, it executes a DLL hijacking and loads an encrypted payload to create backdoors, which enables the backdoor to become operational.

In this particular case, the “Evernote Tray Application” is the name that the malware runs under and was executed as soon as the system got activated. Its payload is copied onto other devices on the network of the target as soon as the loader detects removable devices. As a result, they are also infected by the payload as well.

As noted earlier, the malware is displayed with the name tag of “Evernote Tray Application” and then executed when the system gets started. The loader copies the payload on removable devices in order to infect other devices through the target’s network if it detects removable devices.

Tools and commands used

To make it more difficult for the group’s data thefts and detect their identity, they use the following tools when copying files from compromised devices:-

  • Themida wrapping
  • Heyoka exfiltration tool
  • Exfil tool

It has been reported that the malware developers at Aoqin Dragon have revised Heyoka in a way that authorizes it to be customized to sustain the following commands that we have mentioned below:-

  • open a shell
  • get host drive information
  • search file function
  • input data in an exit file
  • create a file
  • create a process
  • get all process information in this host
  • kill process
  • create a folder
  • delete file or folder

Cyberespionage group Aoqin Dragon has been active for nearly a decade now and has become a formidable force in global cybercrime. 

In order to provide insight into the evolution of this activity cluster, SentinelLabs will continue to track it.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Multiple Azure DevOps Vulnerabilities Let Inject CRLF Queries & Rebind DNS

Researchers uncovered several significant vulnerabilities within Azure DevOps, specifically focusing on potential Server-Side Request...

Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail

Socket’s threat research team has identified a series of malicious npm packages specifically designed...

Hackers Weaponize MSI Packages & PNG Files to Deliver Multi-stage Malware

Researchers have reported a series of sophisticated cyber attacks aimed at organizations in Chinese-speaking...

New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices

Large-scale DDoS attack commands sent from an IoT botnet's C&C server targeting Japan and...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

Hackers Deploy Web Shell To Abuse IIS Worker And Exfiltrate Data

An attacker exploited a vulnerability in the batchupload.aspx and email_settings.aspx pages on the target...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...