|
Aoqin Dragon, like the mythical character it’s named after, has recently been unearthed after nearly a decade of flying under the cybersecurity community’s radar. Now believed to have been active since 2013, the advanced persistent threat (APT) group has targeted various organizations in the government, education, and telecommunications sectors.
SentinelLabs unveiled indicators of compromise (IoCs)—six IP addresses, 31 domains, and 155 malware hashes—related to the threat on 10 June 2022. We used the 37 web properties identified as IoCs as jump-off points and discovered other findings, including:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Several organizations across the three sectors mentioned above throughout Southeast Asia have succumbed to Aoqin Dragon, which used old vulnerabilities, malicious executable files, and most recently, infected removable drives to get to their targets’ networks.
Apart from uncovering other suspicious domains and IP addresses that could have ties to the APT group, our deep dive also established connections between the publicized IoCs and additional artifacts.
We began our investigation by subjecting the domain IoCs to a bulk WHOIS lookup, which revealed that a majority of their owners claimed Japan as their registrant country. The rest were distributed across four countries and one didn’t indicate its origin.
We also ran the IP address IoCs through a bulk IP geolocation lookup, which told us most of them originated from the U.S., Hong Kong, and Japan. One of the IP addresses—45[.]77[.]11[.]148—is currently tagged “malicious” by various malware engines based on a Threat Intelligence Platform (TIP) check.
In an effort to uncover possibly hidden connections, we looked at the domain IoCs’ historical WHOIS records and uncovered 31 registrant email addresses. Using these as reverse WHOIS search terms led to the discovery of 22 additional domains.
While only one of the web properties turned out to be malicious, mapping the domains, IP addresses, and registrant email addresses identified as IoCs and potentially connected artifacts with one another showed interesting results, such as:
These relationships and others that have yet to be uncovered could be part of a single infrastructure—that which belongs or is closely connected to the Aoqin Dragon APT group.
Using domain, IP, DNS, and threat intelligence tools allowed us to unravel important findings that could lead law enforcement agents one step closer to catching the threat actors behind Aoqin Dragon. Users, meanwhile, should remain wary of accessing identified domain IoCs—fushing[.]org, weststations[.]com, adsoft[.]name, phung123[.]com, and dinhk[.]net—as these continue to host live content based on our screenshot lookup results.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byWhoisXML API
Sponsored byCSC