Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years

Aoqin Dragon is a long-running Chinese-speaking APT tracked by SentinelLabs, active since 2013 and targeting government, education, and telecom organizations in Southeast Asia and Australia. The group uses document exploits, fake removable devices, DLL hijacking, Themida packing, and DNS tunneling to maintain access and evade detection, with links to UNC94 suspected. Hashtags: #AoqinDragon #Mongall #Heyoka #UNC94 #SentinelLabs #Themida

Keypoints

  • Aoqin Dragon has been operating since 2013, focusing on espionage against government, education, and telecom targets in Southeast Asia and Australia.
  • Initial access is gained via document exploits and social engineering using lure documents with pornographic themes.
  • The actor uses a combination of DLL hijacking, Themida packing, and DNS tunneling to evade defenses and maintain covert operations.
  • Backdoors dropped include Mongall and a modified Heyoka, with a DLL loader and DLL-test loader used to manage infection.
  • The infection chain evolved into a removable-device-based propagation strategy, with a worm-like component named “upan” that copies modules to removable media.
  • Two primary backdoors (Mongall and modified Heyoka) provide C2 capabilities, remote shell features, and data exfiltration via multiple channels, including HTTP and DNS.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.”
  • [T1091] Replication Through Removable Media – “Copies malware to removable media and infects other machines.” Quoted from the report: “The worm infection strategy using a removable device to carry the malware into the target’s host and facilitate a breach into the secure network environment.”
  • [T1569] System Services – “Modified Heyoka will set itself as a service permission.” Quoted from the report: “The malware sets the auto start function with the value ‘EverNoteTrayUService’.”
  • [T1204] User Execution – “Lures victims to double-click on decoy files.” Quoted from the report: “Luring users into double-clicking a fake Anti-Virus to execute malware on the victim’s host.”
  • [T1547] Boot or Logon Autostart Execution – “Settings to automatically execute a program during logon.” Quoted from the report: “The malware sets the auto start function with the value ‘EverNoteTrayUService’.”
  • [T1055] Process Injection – “Mongall has injected an install module into a newly created process.” Quoted from the report: “The loader injects the decrypted payload into memory and runs it persistently.”
  • [T1055.001] DLL Injection – “Mongall has injected a DLL into rundll32.exe.” Quoted from the report: “The payload … injects itself into rundll32’s memory.”
  • [T1211] Exploitation for Defense Evasion – “Uses document exploits to bypass security features.”
  • [T1027] Obfuscated Files or Information – “Using the Themida packer to pack the malware.”
  • [T1574.001] DLL Search Order Hijacking – “Use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe.”
  • [T1033] System Owner/User Discovery – “Collecting the user account and sending it back to C2.”
  • [T1082] System Information Discovery – “Collecting OS system version and MAC address.”
  • [T1560] Archive Collected Data – “Dropper uses rar to archive specific file formats.” Quoted from the report: “rar.exe a -apC -r -ed -tk -m5 … C:*.doc C:*.DOCX”
  • [T1071.001] Application Layer Protocol: Web Protocols – “Mongall communicates over HTTP.”
  • [T1071.004] Application Layer Protocol: DNS – “Modified Heyoka has used DNS tunneling for C2 communications.”
  • [T1571] Non-Standard Port – “Mongall uses ports 5050, 1352, etc. to communicate with C2.”
  • [T1132] Data Encoding – “Mongall uses base64 or RC4 to encode or encrypt data to make the content of command and control traffic more difficult to detect.”
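The techniques above translate directly into hunting rules. The following is an added example, not SentinelLabs code: it runs four rules (T1560 rar collection, T1055.001 loader DLL via rundll32, T1547 autostart value, T1071.004 DNS tunneling) over constructed Sysmon-style events. The indicator values, rar switches and registry value name are the ones quoted on this page; the event schema, the sample file paths and the entropy thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Indicators and command lines are the ones quoted on this page; the Sysmon-like
# event schema (EventID, Image, CommandLine, TargetObject, QueryName) is assumed.
IOC_DOMAINS = ("back.satunusa.org", "baomoi.vnptnet.info", "bbw.fushing.org", "bkavwelikejack.net")
IOC_DLLS = {"dll-test.dll", "encrashrep.dll"}
AUTOSTART_VALUE = "evernotetrayuservice"          # T1547 value named on the page
RAR_FLAGS = {"-apc", "-r", "-ed", "-tk", "-m5"}   # T1560 rar.exe switches on the page

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def dns_tunnel_suspect(qname, max_sub_len=40, max_entropy=3.5):
    """T1071.004: a known C2 domain, or a long/high-entropy subdomain (encoded data in labels)."""
    q = qname.lower().rstrip(".")
    if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
        return True
    sub = "".join(q.split(".")[:-2])  # labels below the registered domain (assumed 2-label base)
    return len(sub) > max_sub_len or shannon_entropy(sub) > max_entropy

def match_event(ev):
    """Return the technique ids fired by one event (empty list if none)."""
    hits, cmd, image = [], ev.get("CommandLine", "").lower(), ev.get("Image", "").lower()
    if image.endswith("rar.exe") and RAR_FLAGS.issubset(cmd.split()) and re.search(r"\*\.docx?\b", cmd):
        hits.append("T1560")       # rar collection of *.doc / *.docx with the quoted switches
    if image.endswith("rundll32.exe") and any(d in cmd for d in IOC_DLLS):
        hits.append("T1055.001")   # known loader DLL executed via rundll32
    if ev.get("EventID") == 13 and AUTOSTART_VALUE in ev.get("TargetObject", "").lower():
        hits.append("T1547")       # registry value set (Sysmon event 13)
    if ev.get("EventID") == 22 and dns_tunnel_suspect(ev.get("QueryName", "")):
        hits.append("T1071.004")   # DNS query (Sysmon event 22)
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 1, "Image": r"C:\Tools\rar.exe",
     "CommandLine": r"rar.exe a -apC -r -ed -tk -m5 C:\Temp\out.rar C:\*.doc C:\*.DOCX"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\DLL-test.dll,Start"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EverNoteTrayUService"},
    {"EventID": 22, "QueryName": "3a9f1c0e7b2d.back.satunusa.org"},
    {"EventID": 22, "QueryName": "www.example.com"},
]

def hunt(events=SAMPLE_EVENTS):
    """Map event index -> technique ids for every event that fires at least one rule."""
    return {i: h for i, h in ((i, match_event(ev)) for i, ev in enumerate(events)) if h}
```

The entropy rule deliberately fires on long encoded labels under any domain, so it will also surface benign CDN or telemetry subdomains; tune the thresholds against your own DNS baseline before alerting on it.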

Indicators of Compromise

  • [SHA1] Mongall hashes – a96caf60c50e7c589fefc62d89c27e6ac60cdf2c, cccccf5e131abe74066b75e8a49c82373414f5d95, and 2 more hashes
  • [File name] – DLL-test.dll, encrashrep.dll
  • [Domain] – back.satunusa.org, baomoi.vnptnet.info
  • [Domain] – bbw.fushing.org, bkavwelikejack.net
  • [IP Address] – 10.100.0.34, 172.111.192.233
  • [IP Address] – 45.77.11.148

Read more: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/