Aoqin Dragon

Associated names: UNC94, Mongall
Aoqin Dragon is a known threat actor that has been active since 2013 and primarily targets government, education, and telecommunication organizations in Southeast Asia and Australia.

Indicators of Compromise


APT Groups (1)

Group | Country | Aliases
Aoqin Dragon | China | UNC94, AoqinDragon

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Domain | ID | Name | Use
Enterprise | T1587.001 | Develop Capabilities: Malware | Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[1]
Enterprise | T1203 | Exploitation for Client Execution | Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.[1]
Enterprise | T1083 | File and Directory Discovery | Aoqin Dragon has run scripts to identify file formats including Microsoft Word.[1]
Enterprise | T1570 | Lateral Tool Transfer | Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Aoqin Dragon has used fake icons, including antivirus and external drive icons, to disguise malicious payloads.[1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[1]
Enterprise | T1588.002 | Obtain Capabilities: Tool | Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.[1]
Enterprise | T1091 | Replication Through Removable Media | Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.[1]
Enterprise | T1204.002 | User Execution: Malicious File | Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.[1]

ID | Name | References | Techniques
S1027 | Heyoka Backdoor | [1] | Application Layer Protocol: DNS; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Deobfuscate/Decode Files or Information; File and Directory Discovery; Indicator Removal: File Deletion; Masquerading: Masquerade Task or Service; Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Process Injection: Dynamic-link Library Injection; Protocol Tunneling; System Binary Proxy Execution: Rundll32; System Information Discovery; System Service Discovery; User Execution: Malicious File
S1026 | Mongall | [1] | Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Data Encoding: Standard Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; Ingress Tool Transfer; Obfuscated Files or Information: Software Packing; Peripheral Device Discovery; Process Injection: Dynamic-link Library Injection; System Binary Proxy Execution: Rundll32; System Information Discovery; User Execution: Malicious File

Observed Countries (5)

AU (733)
HK (659)
KH (112)
SG (754)
VN (459)