Aoqin Dragon, like the mythical character it’s named after, has recently been unearthed after nearly a decade of flying under the cybersecurity community’s radar. Now believed to have been active since 2013, the advanced persistent threat (APT) group has targeted various organizations in the government, education, and telecommunications sectors.

SentinelLabs unveiled indicators of compromise (IoCs)—six IP addresses, 31 domains, and 155 malware hashes—related to the threat on 10 June 2022. We used the 37 web properties identified as IoCs as jump-off points and discovered other findings, including:

• 11 additional IP addresses to which the domain IoCs resolved, one of which turned out to be malicious
• 31 unredacted registrant email addresses from the domain IoCs’ historical WHOIS records that revealed connections between a majority of the IoCs (IP addresses and domains alike)
• 22 additional domains that shared some of the domain IoCs’ IP hosts, hinting at their dedicated nature, and past and current registrant email addresses

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Aoqin Dragon Has Been Up to Over the Yea

Several organizations across the three sectors mentioned above throughout Southeast Asia have succumbed to Aoqin Dragon, which used old vulnerabilities, malicious executable files, and most recently, infected removable drives to get to their targets’ networks.

Apart from uncovering other suspicious domains and IP addresses that could have ties to the APT group, our deep dive also established connections between the publicized IoCs and additional artifacts.

What Our Deep Dive Revealed

We began our investigation by subjecting the domain IoCs to a bulk WHOIS lookup, which revealed that a majority of their owners claimed Japan as their registrant country. The rest were distributed across four countries and one didn’t indicate its origin.

We also ran the IP address IoCs through a bulk IP geolocation lookup, which told us most of them originated from the U.S., Hong Kong, and Japan. One of the IP addresses—45[.]77[.]11[.]148—is currently tagged “malicious” by various malware engines based on a Threat Intelligence Platform (TIP) check.

In an effort to uncover possibly hidden connections, we looked at the domain IoCs’ historical WHOIS records and uncovered 31 registrant email addresses. Using these as reverse WHOIS search terms led to the discovery of 22 additional domains.

While only one of the web properties turned out to be malicious, mapping the domains, IP addresses, and registrant email addresses identified as IoCs and potentially connected artifacts with one another showed interesting results, such as:

• A total of 16 of the domains shared a single IPv4 address—153[.]148[.]120[.]217. They also shared a single IPv6 address—2001[:]240[:]2405[:]da28[:]4ff0[:]f8ed[:]45ed[:]8be6.
• Satunusa[.]org and xrayccc[.]top shared a registrant email address; so did yyppmm[.]com and telorg[.]net and vnptnet[.]info and manlish[.]net
• Bush2015[.]net and vdcvn[.]com shared the IP address 103[.]27[.]109[.]117. Cloundvietnam[.]com and vietnamflash[.]com shared the host 103[.]27[.]109[.]231. Bluesky1234[.]com resolved to 103[.]27[.]108[.]197. And these five domains shared a registrant email address.
• Finally, zdungk[.]com and phung123[.]com shared a common registrant email address.

These relationships and others that have yet to be uncovered could be part of a single infrastructure—that which belongs or is closely connected to the Aoqin Dragon APT group.

Using domain, IP, DNS, and threat intelligence tools allowed us to unravel important findings that could lead law enforcement agents one step closer to catching the threat actors behind Aoqin Dragon. Users, meanwhile, should remain wary of accessing identified domain IoCs—fushing[.]org, weststations[.]com, adsoft[.]name, phung123[.]com, and dinhk[.]net—as these continue to host live content based on our screenshot lookup results.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.