
G1007 Aoqin Dragon

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[1]

ID: G1007
Associated Names: none listed
Version: 1.0
Created: 14 July 2022
Last Modified: 24 October 2022

Techniques Used

All entries are Enterprise ATT&CK techniques; sub-techniques are listed under their parent technique.

T1587 Develop Capabilities
  T1587.001 Malware: Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[1]
T1203 Exploitation for Client Execution: Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution on targeted systems.[1]
T1083 File and Directory Discovery: Aoqin Dragon has run scripts to identify file formats, including Microsoft Word documents.[1]
T1570 Lateral Tool Transfer: Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.[1]
T1036 Masquerading
  T1036.005 Match Legitimate Name or Location: Aoqin Dragon has used fake icons, including antivirus and external-drive icons, to disguise malicious payloads.[1]
T1027 Obfuscated Files or Information
  T1027.002 Software Packing: Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[1]
T1588 Obtain Capabilities
  T1588.002 Tool: Aoqin Dragon obtained the open source Heyoka exfiltration tool and subsequently modified it for their operations.[1]
T1091 Replication Through Removable Media: Aoqin Dragon has used a dropper that employs a worm infection strategy, using a removable device to breach a secure network environment.[1]
T1204 User Execution
  T1204.002 Malicious File: Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus programs to execute malicious payloads.[1]
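The T1203, T1083 and T1204.002 entries above all come down to document files: lures whose real format is not what the extension says, RTF files carrying the two exploits named, and file-type scans done by content rather than by name. The triage script below is an added example written for this page; it is not code from ATT&CK, from the cited report or from the group. It identifies a document's format from magic bytes and, for RTF, flags the two structures the named exploits rely on: an embedded OLE object (\objdata) naming the MSCOMCTL library, the usual carrier for CVE-2012-0158, and an oversized pFragments drawing property, the field CVE-2010-3333 overflows. The thresholds, the "MSComctlLib" string check on raw OLE bytes, and all sample documents are assumptions constructed for the example, not real samples.

```python
"""Lure-document triage by content, with RTF checks for the exploit
structures behind CVE-2012-0158 and CVE-2010-3333. Added example for the
Aoqin Dragon page; heuristics and samples are constructed, not real."""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary: legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx etc.) is a zip container
RTF_MAGIC = b"{\\rt"                              # Word also opens files whose header is cut to "{\rt"

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)
SV_RE = re.compile(rb"\\sv\s*([^}]*)\}", re.IGNORECASE)
MSCOMCTL = b"MSComctlLib"                         # library name of the mscomctl.ocx controls


@dataclass
class Triage:
    fmt: str
    flags: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def identify_format(data: bytes) -> str:
    """Classify by magic bytes only; returns ole, docx, zip, rtf or other."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip"              # zip signature but no readable central directory
        return "docx" if any(n.startswith("word/") for n in names) else "zip"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def rtf_flags(data: bytes) -> list[str]:
    flags: list[str] = []
    m = OBJDATA_RE.search(data)
    if m:
        flags.append("embedded OLE object (\\objdata)")
        try:  # objdata is hex text; decode it and look for the control library name
            blob = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())
        except ValueError:
            blob = b""
        if MSCOMCTL in blob:
            flags.append("MSCOMCTL control inside the object: CVE-2012-0158 pattern")
    m = PFRAGMENTS_RE.search(data)
    if m:
        sv = SV_RE.search(data, m.end())
        size = len(sv.group(1)) if sv else 0
        # a genuine pFragments value is a few bytes; hundreds is overflow payload (assumed cut-off)
        if size > 128:
            flags.append(f"pFragments value of {size} bytes: CVE-2010-3333 pattern")
        else:
            flags.append("pFragments drawing property present")
    return flags


def ole_flags(data: bytes) -> list[str]:
    # No CFB parser here: a raw search for the library name in ASCII or UTF-16LE.
    if MSCOMCTL in data or MSCOMCTL.decode().encode("utf-16-le") in data:
        return ["MSCOMCTL control referenced: CVE-2012-0158 pattern"]
    return []


def triage(data: bytes) -> Triage:
    fmt = identify_format(data)
    t = Triage(fmt)
    if fmt == "rtf":
        t.flags = rtf_flags(data)
    elif fmt == "ole":
        t.flags = ole_flags(data)
    return t


# --- constructed samples (not real documents) --------------------------------
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}"
# truncated header, a 400-byte pFragments value, and an object whose hex spells MSComctlLib
EXPLOIT_RTF = (
    rb"{\rt1{\shp{\sp{\sn pFragments}{\sv 1;1;" + b"41" * 200 + rb"}}}"
    rb"{\object\objemb{\*\objdata 01050000 02000000 0b000000 4d53436f6d63746c4c6962}}"
)
OLE_SAMPLE = OLE_MAGIC + b"\x00" * 504 + "MSComctlLib.ListViewCtrl".encode("utf-16-le")


def make_docx() -> bytes:
    """Minimal OOXML-shaped zip, enough for identify_format to call it docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("benign.rtf", BENIGN_RTF), ("invoice.doc", EXPLOIT_RTF),
               ("report.docx", make_docx()), ("memo.doc", OLE_SAMPLE)]
    for name, doc in samples:  # note invoice.doc is really RTF: the name is ignored
        t = triage(doc)
        print(f"{name:12} {t.fmt:5} {'SUSPICIOUS' if t.suspicious else 'clean'} {t.flags}")
```

The format decision deliberately never looks at the file name, because "invoice.doc" in the sample is an RTF file, which is exactly how RTF exploits were delivered to Word. The pFragments size cut-off and the raw MSComctlLib search are triage heuristics for prioritising samples, not a parser, and will need tuning against your own corpus.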

Software

S1027 Heyoka Backdoor [1]
  Techniques: Application Layer Protocol (DNS); Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder); Deobfuscate/Decode Files or Information; File and Directory Discovery; Indicator Removal (File Deletion); Masquerading (Masquerade Task or Service); Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Process Injection (Dynamic-link Library Injection); Protocol Tunneling; System Binary Proxy Execution (Rundll32); System Information Discovery; System Service Discovery; User Execution (Malicious File)

S1026 Mongall [1]
  Techniques: Application Layer Protocol (Web Protocols); Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder); Data Encoding (Standard Encoding); Data from Local System; Deobfuscate/Decode Files or Information; Encrypted Channel (Symmetric Cryptography); Exfiltration Over C2 Channel; Ingress Tool Transfer; Obfuscated Files or Information (Software Packing); Peripheral Device Discovery; Process Injection (Dynamic-link Library Injection); System Binary Proxy Execution (Rundll32); System Information Discovery; User Execution (Malicious File)
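Heyoka Backdoor's channel is DNS used as a tunnel (Application Layer Protocol: DNS plus Protocol Tunneling above), and a tunnel that carries data leaves traffic features that a normal resolver client does not. The detector below is an added example written for this page; it is not code from ATT&CK, from the cited report or from the open source Heyoka project, and it does not rely on any Heyoka-specific encoding. It scores each (client, registered domain) pair on four generic indicators: long subdomains, high per-character entropy in the labels, subdomains that never repeat (each query carries fresh data, so caching never absorbs them), and record types that return large answers. Assumptions: the log format is the BIND-style "client IP#port: query: NAME IN TYPE" line, the registered domain is taken as the last two labels (no public-suffix list), the thresholds are starting points, and every log line is constructed for the example.

```python
"""DNS-tunnel detection over resolver query logs. Added example for the
Aoqin Dragon page; thresholds, log format and sample traffic are assumptions."""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d+\.\d+\.\d+\.\d+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)
BULK_QTYPES = {"TXT", "NULL"}   # answer types tunnels favour for downstream capacity


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4 for hex payloads, ~5 for base32, under 2 for real host names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels (assumption: no public-suffix list in this example)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


@dataclass
class FlowStats:
    queries: int = 0
    subdomains: set[str] = field(default_factory=set)
    sub_len_total: int = 0
    entropy_total: float = 0.0
    bulk_queries: int = 0


def detect(log_text: str, min_queries: int = 10) -> dict[tuple[str, str], list[str]]:
    """Return {(client_ip, domain): [reasons]} for flows matching at least two indicators."""
    flows: dict[tuple[str, str], FlowStats] = defaultdict(FlowStats)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".") if qname != domain else ""
        st = flows[(m["ip"], domain)]
        st.queries += 1
        st.subdomains.add(sub)
        st.sub_len_total += len(sub)
        st.entropy_total += shannon_entropy(sub.replace(".", ""))
        if m["qtype"] in BULK_QTYPES:
            st.bulk_queries += 1

    findings: dict[tuple[str, str], list[str]] = {}
    for key, st in flows.items():
        if st.queries < min_queries:      # too little traffic to judge
            continue
        mean_len = st.sub_len_total / st.queries
        mean_ent = st.entropy_total / st.queries
        uniq = len(st.subdomains) / st.queries
        bulk = st.bulk_queries / st.queries
        reasons = []
        if mean_len > 50:
            reasons.append(f"mean subdomain length {mean_len:.0f} chars")
        if mean_ent > 3.5:
            reasons.append(f"mean label entropy {mean_ent:.2f} bits/char")
        if uniq > 0.9:
            reasons.append(f"{uniq:.0%} of queries use a never-repeated subdomain")
        if bulk > 0.5:
            reasons.append(f"{bulk:.0%} TXT/NULL queries")
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings


def build_sample_log() -> str:
    """Constructed resolver log: ordinary lookups from 10.0.0.5, a few CDN-style
    hashed labels (too few to judge), and a 12-query burst from 10.0.0.23 whose
    labels carry hex payload chunks. Not real traffic."""
    def line(i: int, ip: str, qname: str, qtype: str) -> str:
        return (f"01-Jan-2023 09:00:{i:02d}.000 client {ip}#5{i:04d}: "
                f"query: {qname} IN {qtype} + (10.0.0.2)")

    lines = [line(i, "10.0.0.5", ["www", "mail", "cdn"][i % 3] + ".example.com", "A")
             for i in range(12)]
    lines += [line(i, "10.0.0.5", f"a{i}b2c3d4.static.cdn-example.net", "A") for i in range(3)]
    for i in range(12):
        payload = hashlib.sha256(f"chunk{i}".encode()).hexdigest()  # stands in for encoded stolen data
        lines.append(line(i, "10.0.0.23", f"{payload[:32]}.{payload[32:]}.dnsx.example.org", "TXT"))
    return "\n".join(lines)


if __name__ == "__main__":
    for (ip, domain), reasons in detect(build_sample_log()).items():
        print(f"{ip} -> {domain}: " + "; ".join(reasons))
```

Requiring two indicators keeps single oddities such as a CDN's hashed host names from firing on their own, and the per-flow minimum query count matters as much as the thresholds: a tunnel only shows its shape over a burst, and a single long query proves nothing.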

References