Security researchers at SentinelOne have observed a Chinese espionage group switching from the use of malicious documents to employing a fake antivirus. The group, known as Aoqin Dragon, has been active since 2013 and primarily focuses on targets in Australia and Southeast Asia. The group has recently been observed by security researchers using a fake removable drive to lure victims into unknowingly installing malware on their systems. Aoqin Dragon reportedly relies heavily on the USB shortcut technique to infect additional targets. The group drops backdoors on compromised systems to maintain access. The backdoors it most frequently uses are called Mongall and Heyoka.
Aoqin Dragon has been increasingly interested in spying on organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam, says SentinelOne. The group also leverages vulnerabilities after patches have been released, finding devices that have not yet applied them. The attackers occasionally use pornographic themes to lure victims into opening malicious documents. In addition, SentinelOne reports that the group also employs executable files with modified file icons that masquerade as Windows folders or antivirus applications but are in fact malicious.
Read More: Chinese Cyberspy Group ‘Aoqin Dragon’ Targeting Southeast Asia, Australia Since 2013