20 February 2020

Chinese-linked hackers employ two new backdors in attacks on gambling and betting companies in Southeast Asia


Chinese-linked hackers employ two new backdors in attacks on gambling and betting companies in Southeast Asia

Since the summer of 2019, a nation-state threat actor that has links with Chinese hackers has been targeting gambling and betting companies located in Southeast Asia using previously undocumented backdoors, as well as publicly available and custom tools, according to a new Trend Micro research. While there’s been some reporting about Europe and the Middle East also being targeted the researchers could not confirm hacks.

The group which Trend Micro calls "DRBControl" appears to be interested in information theft seeing as exfiltrated data was mostly comprised of databases and source codes suggesting that the main goal of the operation is likely cyber-espionage, rather than monetary gain.

Trend Micro said the group's malware and operational tactics overlap with similar MO used by Winnti and Emissary Panda, two hacking groups that previously have been linked by researchers to Chinese government. Apart from new unknown backdoors (both of which use DLL side-loading through the Microsoft-signed MSMpEng.exe file), the threat actor uses known malware such as PlugX and the HyperBro backdoor, Trochilus RAT, as well as post-exploitation tools and Cobalt Strike software.

Interestingly, one of the deployed malware uses Dropbox file hosting and file sharing service as its command-and-control (C&C) channel and as a storage medium for second-stage payloads and exfiltrated data.

The attackers use spear-phishing emails with weaponized .DOCX files as a means to deliver malware. Trend Micro said DRBControl distributes three versions of the infecting documents.

The first version, when double-clicked by the user, embeds an executable file that is launched and acts as a dropper for the malware, a second version of the document embeds a .BAT file, which also acts as a downloader for the same malware, and the third version of the document uses PowerShell to download the malware.

“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data,” the researchers said.

More technical information about observed campaign and its relations to known APT groups provided in a Trend Micro whitepaper “Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations.”

Back to the list

Latest Posts

North Korea’s Lazarus adds new LightlessCan backdoor to its arsenal

North Korea’s Lazarus adds new LightlessCan backdoor to its arsenal

The hackers posed as a recruiter from Meta to gain access to the network of an aerospace firm.
2 October 2023
Critical Exim flaws put millions of servers at risk of hacker attacks

Critical Exim flaws put millions of servers at risk of hacker attacks

The vulnerabilities could allow attackers to breach the servers and gain access to sensitive data.
2 October 2023
Cyber Security Week in Review: September 29, 2023

Cyber Security Week in Review: September 29, 2023

The world in brief: the MOVEit protocol maker releases fixes for new critical bugs, Cisco warns of a zero-day in IOS and IOS XE software, and more.
29 September 2023