Since the summer of 2019, a nation-state threat actor that has links with Chinese hackers has been targeting gambling and betting companies located in Southeast Asia using previously undocumented backdoors, as well as publicly available and custom tools, according to a new Trend Micro research. While there’s been some reporting about Europe and the Middle East also being targeted the researchers could not confirm hacks.
The group which Trend Micro calls "DRBControl" appears to be interested in information theft seeing as exfiltrated data was mostly comprised of databases and source codes suggesting that the main goal of the operation is likely cyber-espionage, rather than monetary gain.
Trend Micro said the group's malware and operational tactics overlap with similar MO used by Winnti and Emissary Panda, two hacking groups that previously have been linked by researchers to Chinese government. Apart from new unknown backdoors (both of which use DLL side-loading through the Microsoft-signed MSMpEng.exe file), the threat actor uses known malware such as PlugX and the HyperBro backdoor, Trochilus RAT, as well as post-exploitation tools and Cobalt Strike software.
Interestingly, one of the deployed malware uses Dropbox file hosting and file sharing service as its command-and-control (C&C) channel and as a storage medium for second-stage payloads and exfiltrated data.
The attackers use spear-phishing emails with weaponized .DOCX files as a means to deliver malware. Trend Micro said DRBControl distributes three versions of the infecting documents.
The first version, when double-clicked by the user, embeds an executable file that is launched and acts as a dropper for the malware, a second version of the document embeds a .BAT file, which also acts as a downloader for the same malware, and the third version of the document uses PowerShell to download the malware.
“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data,” the researchers said.
More technical information about observed campaign and its relations to known APT groups provided in a Trend Micro whitepaper “Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations.”