20 February 2020

Chinese-linked hackers employ two new backdors in attacks on gambling and betting companies in Southeast Asia


Chinese-linked hackers employ two new backdors in attacks on gambling and betting companies in Southeast Asia

Since the summer of 2019, a nation-state threat actor that has links with Chinese hackers has been targeting gambling and betting companies located in Southeast Asia using previously undocumented backdoors, as well as publicly available and custom tools, according to a new Trend Micro research. While there’s been some reporting about Europe and the Middle East also being targeted the researchers could not confirm hacks.

The group which Trend Micro calls "DRBControl" appears to be interested in information theft seeing as exfiltrated data was mostly comprised of databases and source codes suggesting that the main goal of the operation is likely cyber-espionage, rather than monetary gain.

Trend Micro said the group's malware and operational tactics overlap with similar MO used by Winnti and Emissary Panda, two hacking groups that previously have been linked by researchers to Chinese government. Apart from new unknown backdoors (both of which use DLL side-loading through the Microsoft-signed MSMpEng.exe file), the threat actor uses known malware such as PlugX and the HyperBro backdoor, Trochilus RAT, as well as post-exploitation tools and Cobalt Strike software.

Interestingly, one of the deployed malware uses Dropbox file hosting and file sharing service as its command-and-control (C&C) channel and as a storage medium for second-stage payloads and exfiltrated data.

The attackers use spear-phishing emails with weaponized .DOCX files as a means to deliver malware. Trend Micro said DRBControl distributes three versions of the infecting documents.

The first version, when double-clicked by the user, embeds an executable file that is launched and acts as a dropper for the malware, a second version of the document embeds a .BAT file, which also acts as a downloader for the same malware, and the third version of the document uses PowerShell to download the malware.

“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data,” the researchers said.

More technical information about observed campaign and its relations to known APT groups provided in a Trend Micro whitepaper “Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations.”

Back to the list

Latest Posts

Cyber Security Week in Review: June 14, 2024

Cyber Security Week in Review: June 14, 2024

In brief: Arm warns of actively exploited Mali GPU zero-day, Microsoft delays the release of its AI-powered Recall feature, and more.
14 June 2024
TellYouThePass ransomware weaponizes recently patched PHP flaw

TellYouThePass ransomware weaponizes recently patched PHP flaw

Imperva identified several campaigns exploiting the CVE-2024-4577 vulnerability.
13 June 2024
Ukraine neutralizes bot farms involved in hacking Ukrainian soldiers’ phones

Ukraine neutralizes bot farms involved in hacking Ukrainian soldiers’ phones

Additionally, the bot farm was used to spread Russian fake news.
13 June 2024