20 February 2020

Chinese-linked hackers employ two new backdoors in attacks on gambling and betting companies in Southeast Asia

Since the summer of 2019, a threat actor with links to Chinese state-sponsored groups has been targeting gambling and betting companies in Southeast Asia using previously undocumented backdoors alongside publicly available and custom tools, according to new Trend Micro research. There has been some reporting of targets in Europe and the Middle East as well, but the researchers could not confirm those intrusions.

The group, which Trend Micro calls "DRBControl", appears to be interested in information theft: the exfiltrated data consisted mostly of databases and source code, suggesting that the main goal of the operation is cyber-espionage rather than monetary gain.

Trend Micro said the group's malware and operational tactics overlap with those of Winnti and Emissary Panda, two hacking groups that researchers have previously linked to the Chinese government. Apart from the two new backdoors (both of which are loaded through DLL side-loading by the Microsoft-signed MSMpEng.exe, the Microsoft Defender engine executable), the threat actor uses known malware such as PlugX, the HyperBro backdoor and Trochilus RAT, as well as post-exploitation tools and Cobalt Strike. Because the loader is a legitimately signed binary, the malicious DLL runs inside its process, and allowlisting or signature checks on the executable alone do not catch it; detection has to look at where the engine runs from and what it loads.
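The side-loading pattern described above is something a detection engineer can check for directly. The following is an added example written for this article, not code from Trend Micro's report or from the malware itself: it scans constructed, Sysmon-like process and image-load records and flags MSMpEng.exe whenever it runs outside Microsoft Defender's installation directories or loads a DLL from its own directory that Microsoft did not sign. The record layout, the sample paths and the DLL name helper.dll are assumptions made for the example; the two expected Defender directories are the real ones.

```python
"""Flag MSMpEng.exe records that look like DLL side-loading.

Added example for this article, not code from Trend Micro's report. The record
layout below is constructed and Sysmon-like (process image path, DLLs it loaded,
signer of each DLL); in practice you would populate it from Sysmon Event ID 1
(process create) and Event ID 7 (image load).
"""
from dataclasses import dataclass, field
from ntpath import basename, dirname, normcase

# Directories from which Microsoft Defender legitimately runs its engine
# (the Platform directory holds one version-numbered subfolder per update).
EXPECTED_ENGINE_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


@dataclass
class ImageLoad:
    path: str    # full path of the loaded DLL
    signer: str  # signer name as a tool such as Sysmon would report it; "" = unsigned


@dataclass
class ProcessEvent:
    image: str                                 # full path of the process executable
    loads: list = field(default_factory=list)  # ImageLoad records for this process


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies below it (case-insensitive Windows paths)."""
    p, r = normcase(path).rstrip("\\"), normcase(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def sideload_reasons(ev: ProcessEvent) -> list:
    """Return the reasons this event looks like MSMpEng.exe side-loading (empty if clean)."""
    if normcase(basename(ev.image)) != "msmpeng.exe":
        return []
    reasons = []
    engine_dir = dirname(ev.image)
    # 1. A copy of the signed engine running outside its installation directories.
    if not any(_under(engine_dir, d) for d in EXPECTED_ENGINE_DIRS):
        reasons.append(f"engine running from unexpected path: {ev.image}")
    # 2. A DLL resolved from the executable's own directory that Microsoft did not sign:
    #    the side-loaded payload sits next to the copied EXE so the loader finds it first.
    for load in ev.loads:
        same_dir = normcase(dirname(load.path)) == normcase(engine_dir)
        if same_dir and not load.signer.lower().startswith("microsoft"):
            reasons.append(f"non-Microsoft DLL loaded from engine directory: {load.path}")
    return reasons


def scan(events) -> dict:
    """Map image path -> reasons for every event that trips at least one check."""
    hits = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits[ev.image] = reasons
    return hits


# Constructed sample records: a legitimate Defender engine, a side-loaded copy in a
# user-writable folder (helper.dll is a placeholder name), and an unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10-0\MsMpEng.exe",
        [ImageLoad(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10-0\MpSvc.dll",
                   "Microsoft Corporation")],
    ),
    ProcessEvent(
        r"C:\Users\Public\Libraries\MSMpEng.exe",
        [ImageLoad(r"C:\Users\Public\Libraries\helper.dll", "")],
    ),
    ProcessEvent(
        r"C:\Windows\System32\notepad.exe",
        [ImageLoad(r"C:\Windows\System32\ntdll.dll", "Microsoft Windows")],
    ),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The second check is the one that survives an attacker who drops the copied engine somewhere plausible: a DLL loaded from the same directory as the executable that carries no Microsoft signature is the side-load itself, whatever the directory is called. Signer strings vary by tool and by Defender build, so treat the "starts with Microsoft" match as a starting point and tighten it against what your own telemetry reports.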

Interestingly, one of the deployed backdoors uses the Dropbox file hosting and sharing service as its command-and-control (C&C) channel and as a storage medium for second-stage payloads and exfiltrated data, so its beaconing and uploads travel over HTTPS to a widely used cloud service rather than to attacker-owned infrastructure.

The attackers deliver the malware through spear-phishing emails carrying weaponized .DOCX files. Trend Micro said DRBControl distributes three versions of the infecting documents.

In the first version, an executable embedded in the document is launched when the user double-clicks it and acts as a dropper for the malware; as described, this depends on the user running the embedded object rather than on an Office exploit. The second version embeds a .BAT file, which also acts as a downloader for the same malware. The third version uses PowerShell to download the malware.

“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data,” the researchers said.

More technical information about the observed campaign and its relations to known APT groups is provided in the Trend Micro whitepaper “Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations.”
