G1007 Aoqin Dragon
Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.1
Item | Value |
---|---|
ID | G1007 |
Associated Names | |
Version | 1.0 |
Created | 14 July 2022 |
Last Modified | 24 October 2022 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1587 | Develop Capabilities | - |
enterprise | T1587.001 | Malware | Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.1 |
enterprise | T1203 | Exploitation for Client Execution | Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.1 |
enterprise | T1083 | File and Directory Discovery | Aoqin Dragon has run scripts to identify file formats including Microsoft Word.1 |
enterprise | T1570 | Lateral Tool Transfer | Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.1 |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.1 |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.1 |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.1 |
enterprise | T1091 | Replication Through Removable Media | Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.1 |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.1 |