Researchers disclosed that a Chinese-speaking threat group tracked as Aoqin Dragon has been running a cyber espionage campaign for roughly a decade. The campaign has targeted the academic sector, government entities and telecommunications firms in Australia and Southeast Asia.
According to the recently published report, Aoqin Dragon gains initial access through document exploits and fake removable drives that lure the victim into running a malicious file.
The researchers also documented DLL hijacking, DNS tunnelling and Themida-packed payloads. The group uses these techniques to evade post-compromise detection and to hinder analysis by researchers.
China has long stood out for running targeted espionage campaigns with heavy impact on their victims. The researchers added that the Chinese government has invested considerable effort in research and in staying covert, which lets it keep organisations infected for extended periods without being caught by security vendors.
Aoqin Dragon's tradecraft resembles that of other well-funded, state-sponsored groups.
The researchers noted that the tools and techniques Aoqin Dragon relies on are common among state-sponsored threat groups, and that the Chinese-speaking adversaries have used this shared tooling to its full potential.
Attributing the activity to a specific group therefore required a deeper study of the targeting and of the actors' motives. That it took this long to identify who is behind the decade-old campaign shows how hard it is for cybersecurity researchers to assign responsibility without substantial evidence.
Relying on removable drives to propagate malware is nothing new, and DLL hijacking has likewise been used for years by Chinese state-sponsored threat actors.
The researchers said that DLL hijacking is a widely used technique that many endpoint protection products still fail to fully recognise and detect. Most DLL hijacking is caught only through custom detection engineering, which implies a need for continuous validation of security controls.
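The kind of detection engineering the researchers refer to usually starts from image-load telemetry. The following is an added example, not code from the report or from the article's authors: a small rule that runs over a handful of constructed Sysmon Event ID 7 (Image loaded) records and flags DLL search-order hijacking patterns. The record fields (Image, ImageLoaded, Signed), the directory prefixes, and the list of commonly hijacked system DLL names are assumptions chosen for illustration; in a real deployment the DLL name set would be built from an inventory of the host's System32 contents.

```python
import ntpath  # handles Windows-style paths even when the rule runs on Linux

# Constructed sample records, reduced to the three fields the rule needs.
# These are made-up events, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\vendorapp.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\version.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\vendorlib.dll", "Signed": "true"},
    {"Image": "E:\\launcher.exe",
     "ImageLoaded": "E:\\dbghelp.dll", "Signed": "false"},
]

# Assumed directory prefixes (lower-case, trailing backslash) for the rule.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Illustrative set of DLL names that legitimately live in System32 and are
# therefore hijacking candidates when a copy appears anywhere else.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptbase.dll", "userenv.dll"}


def dll_name(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return ntpath.basename(path).lower()


def dir_of(path: str) -> str:
    """Lower-case directory of a Windows path, always with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def in_dir(path: str, prefixes) -> bool:
    """True if the path's directory is under any of the given prefixes."""
    d = dir_of(path)
    return any(d.startswith(p) for p in prefixes)


def check_image_load(event: dict) -> list:
    """Return the reasons one image-load record looks like DLL hijacking.

    An empty list means the load is not suspicious under this rule.
    """
    loaded, image = event["ImageLoaded"], event["Image"]
    name = dll_name(loaded)
    reasons = []

    # Search-order hijacking: a DLL that should come from System32 is loaded
    # from somewhere else. If it sits next to the executable, that is the
    # classic side-loading layout.
    if name in SYSTEM_DLL_NAMES and not in_dir(loaded, SYSTEM_DIRS):
        reasons.append(f"system DLL name {name} loaded from {dir_of(loaded)}")
        if dir_of(loaded) == dir_of(image):
            reasons.append("DLL sits beside the loading executable (side-loading pattern)")

    # Unsigned code loaded from a location an ordinary user can write to.
    if event.get("Signed", "").lower() != "true" and in_dir(loaded, USER_WRITABLE):
        reasons.append("unsigned DLL loaded from a user-writable directory")

    return reasons


def scan(events) -> list:
    """Apply the rule to every record; return (process, dll, reasons) per hit."""
    hits = []
    for e in events:
        reasons = check_image_load(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}")
        for r in reasons:
            print(f"    {r}")
```

Run against the constructed records, the rule ignores the signed System32 load and the vendor's own library, and flags the two loads where a system DLL's name is served from the application directory. The drive-letter case (E:\) is only caught by the name check, which is the point of keeping the name rule independent of the writable-directory rule: a DLL planted on removable media passes the second check but not the first.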