Researchers have discovered a stealthy espionage campaign by a most likely China-backed hacking group that has targeted government, education and telecommunication organizations since 2013.
The attackers used a range of techniques to infect targets with malware: malicious Word documents, shortcut files disguised as removable devices or folders that actually launch an executable, and executables carrying antivirus vendor icons.
The group relied on users' familiarity with Windows folder icons and the File Explorer interface to dupe victims into running malicious executables. The group, dubbed Aoqin Dragon by researchers at SentinelLabs, primarily targeted organizations in the Asia Pacific (APAC) region, including Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
SentinelLabs researcher Joey Chen believes Aoqin Dragon is a small Chinese-speaking team that continues to operate today and has used two backdoors that it continues to improve with richer functionality and greater stealth.
According to Chen, between 2012 and 2015 the group relied heavily on two Office flaws, CVE-2012-0158 and CVE-2010-3333, to compromise targets with a backdoor for remote access.
Both are critical remote code execution flaws typically delivered as Rich Text Format (.rtf) decoy documents: CVE-2010-3333 is a stack buffer overflow in Word's RTF parser, and CVE-2012-0158 is a memory corruption bug in the MSCOMCTL ActiveX control that Office loads when opening such files. Microsoft had patched both (MS10-087 in November 2010 and MS12-027 in April 2012) before the group adopted them, so the campaign depended on targets that lagged on updates.
Chen notes that a dropper used by the group had "worm functionality": it spread itself via removable devices within the target's network and deployed two backdoors.
Since 2018, the group has used a shortcut disguised as a removable USB device as the initial point of infection. Clicking the shortcut icon installs the malicious loader, which carries two payloads. The first copies all of the malicious files to any attached removable devices so the infection spreads across the network; the second is an encrypted backdoor that can open a remote shell, push files onto the victim's machine, and pull files from it back to the attackers' command-and-control (C2) servers.
"Most important of all, this backdoor embedded three C2 servers for communication," Chen notes.
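The folder- and drive-icon shortcuts described above leave a structural fingerprint: a .lnk file whose icon is borrowed from the system icon library while its target or arguments launch an executable. The following parser and check are an added example written for this page, not tooling from SentinelLabs or from the group; the sample shortcuts are constructed in the script, and the paths, icon indexes and file-extension list are assumptions for the heuristic, not indicators taken from the report. The parser follows the Shell Link (MS-SHLLINK) layout of header, optional LinkTargetIDList, optional LinkInfo, and StringData, so it also runs over real shortcut files collected from a removable drive.

```python
"""Flag .lnk lures that wear a folder/drive icon but launch an executable.

Added example, not code from the original article or from SentinelLabs.
Layout parsed: ShellLinkHeader (76 bytes), LinkTargetIDList, LinkInfo,
StringData (NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION).
"""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumption: shell32.dll icon indexes that render as a folder or a drive
# on common Windows builds. Adjust to what your environment shows.
FOLDER_LIKE_ICON_INDEXES = {3, 4, 7, 8}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".dll", ".hta", ".vbs", ".js")


def parse_lnk(data: bytes) -> dict:
    """Return header flags, icon index and StringData fields from a .lnk blob."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList entirely
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "icon_index": icon_index}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def is_folder_icon_lure(info: dict) -> bool:
    """True when the icon is a system folder/drive icon but the link runs code."""
    icon = info.get("icon_location", "").lower()
    borrowed_icon = (icon.endswith("shell32.dll")
                     and info["icon_index"] in FOLDER_LIKE_ICON_INDEXES)
    launch = " ".join(filter(None, [info.get("relative_path", ""),
                                    info.get("arguments", "")])).lower()
    runs_code = any(tok.endswith(EXECUTABLE_SUFFIXES)
                    for tok in launch.replace('"', " ").split())
    return borrowed_icon and runs_code


def scan_directory(root: str) -> list:
    """Walk a mounted drive or folder and list shortcut paths that look like lures."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if is_folder_icon_lure(parse_lnk(fh.read())):
                        hits.append(path)
            except (ValueError, OSError):
                continue               # not a shortcut, or unreadable
    return hits


def build_lnk(relative_path: str, icon_location: str, icon_index: int,
              arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk (test fixture only, not a real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = struct.pack("<H", 2) + b"\x00\x00"    # IDList holding only the TerminalID
    body += string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    body += string_data(icon_location)
    return header + body


# Constructed fixtures (assumed paths; not indicators from the report).
LURE = build_lnk(r".\RECYCLER\loader.exe", r"%SystemRoot%\System32\shell32.dll", 8)
BENIGN = build_lnk(r".\readme.txt", r"%SystemRoot%\System32\shell32.dll", 8)
NORMAL_EXE = build_lnk(r".\tool.exe", r".\tool.exe", 0)

if __name__ == "__main__":
    for label, blob in [("lure", LURE), ("benign", BENIGN), ("normal exe", NORMAL_EXE)]:
        print(label, parse_lnk(blob), "->", is_folder_icon_lure(parse_lnk(blob)))
```

Run `scan_directory("E:\\")` (or the mount point of a suspect USB stick) to list shortcuts that pair a shell32.dll folder or drive icon with an executable target; a shortcut that merely uses a drive icon to open a document is not flagged, nor is an executable's own icon. The check reads only the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings, so a shortcut that stores its target only in the LinkInfo or IDList structures needs those parsed as well before it can be judged.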