Researchers on Thursday reported that a Chinese-linked threat actor — Aoqin Dragon — has operated espionage activities since 2013, targeting government, education and telecommunications organizations in Southeast Asia and Australia.
In a blog post, SentinelLabs researchers said Aoqin Dragon seeks initial access through document exploits and the use of fake removable drives.
The researchers said other techniques the attacker uses include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
The Chinese government has always done remarkable work in highly specific targeting designed to infect their espionage targets, said John Bambenek, principal threat hunter at Netenrich.
“They spend real effort to do the research to make sure they can discreetly infect organizations and operate for extended periods of time without being discovered,” Bambenek explained.
Mike Parkin, senior technical engineer at Vulcan Cyber, said properly identifying and tracking state and state-sponsored threat actors always presents challenges. Parkin said they often appear to be criminal threats, using the same tools and techniques, and often going after the same targets.
“Conclusively linking them to a given state often requires a deeper analysis and understanding of their motives,” Parkin said. “SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it is 'to be sure' when identifying a new threat actor.”
Jake Williams, executive director of cyber threat intelligence at SCYTHE, added that it’s not surprising that threat actors continue to rely on removable drives for spreading malware. Williams said DLL hijacking has also historically been used extensively by Chinese nation-state threat actors.
“DLL hijacking is a technique that many endpoint protection platforms fail to identify,” Williams said. “Most detections of DLL hijacking are only identified through detection engineering, highlighting the need for continuous security control validation.”
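The detection-engineering gap Williams describes is usually closed with image-load telemetry rather than signatures. The following is an added example, not code from the article, from SentinelLabs or from any of the quoted vendors: a small Python heuristic that reads constructed records resembling Sysmon Event ID 7 (ImageLoad) fields and flags loads that match common search-order hijacking and side-loading patterns. The record format, the directory lists and the subset of system DLL names are assumptions made for illustration; adapt the parser to what your EDR or SIEM actually emits.

```python
# Added example (not from the article or SentinelLabs): heuristic detection of
# DLL search-order hijacking / side-loading from image-load telemetry.
# The record format below is constructed to resemble Sysmon Event ID 7 fields
# (Image, ImageLoaded, Signed, SignatureStatus); adapt the parser to your source.
import ntpath

# Directories where Windows system DLLs legitimately live (lower-cased, trailing slash).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed subset of well-known system DLL names that hijacks commonly impersonate.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll", "wtsapi32.dll"}

# Path fragments that indicate a user-writable location.
WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed sample records: two benign loads followed by two suspicious ones.
SAMPLE_EVENTS = [
    # Benign: signed system DLL loaded from System32.
    "Image: C:\\Windows\\System32\\notepad.exe | ImageLoaded: C:\\Windows\\System32\\version.dll"
    " | Signed: true | SignatureStatus: Valid",
    # Benign: vendor application loading its own signed helper from Program Files.
    "Image: C:\\Program Files\\Vendor\\app.exe | ImageLoaded: C:\\Program Files\\Vendor\\helper.dll"
    " | Signed: true | SignatureStatus: Valid",
    # Suspicious: unsigned DLL carrying a system name, dropped beside an executable in %TEMP%.
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
    " | ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"
    " | Signed: false | SignatureStatus: Unavailable",
    # Suspicious: legitimate application loading a system-named DLL from its own directory.
    "Image: C:\\Program Files\\Vendor\\app.exe | ImageLoaded: C:\\Program Files\\Vendor\\dwmapi.dll"
    " | Signed: false | SignatureStatus: Unavailable",
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key: value | Key: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # split on the first colon only
        fields[key.strip()] = value.strip()
    return fields


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case- and separator-insensitive."""
    return path.replace("/", "\\").lower()


def assess(event: dict) -> list[str]:
    """Return the reasons (possibly empty) why this image load looks like a hijack."""
    image = _norm(event.get("Image", ""))
    loaded = _norm(event.get("ImageLoaded", ""))
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    name = ntpath.basename(loaded)
    directory = ntpath.dirname(loaded) + "\\"
    in_trusted = directory.startswith(TRUSTED_DIRS)
    reasons = []
    # Rule 1: a well-known system DLL name resolved from outside the system directories.
    if name in SYSTEM_DLLS and not in_trusted:
        reasons.append(f"system DLL name '{name}' loaded from outside a system directory")
    # Rule 2: unsigned (or invalidly signed) code loaded from a user-writable path.
    if not in_trusted and not (signed and valid) and any(h in loaded for h in WRITABLE_HINTS):
        reasons.append("unsigned or invalidly signed DLL loaded from a user-writable path")
    # Rule 3: side-load pattern, a system-named DLL sitting beside the executable that loads it.
    if name in SYSTEM_DLLS and not in_trusted and ntpath.dirname(image) == ntpath.dirname(loaded):
        reasons.append("side-load pattern: system-named DLL sits beside the loading executable")
    return reasons


def scan(lines) -> list[tuple[str, list[str]]]:
    """Run assess over raw records; return (loaded path, reasons) for the flagged ones."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the script prints only the two constructed suspicious loads with their reasons. The rules deliberately stay coarse: rule 2 alone produces noise on unmanaged developer machines, so in practice you would score the three rules, baseline per host against normal image loads, and treat a system DLL name resolving next to a signed third-party executable as the highest-value signal for continuous validation, which is the control-testing point Williams makes.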