- A large-scale hacking campaign targeting betting and gambling websites has been uncovered.
- These Chinese state-supported actors were using two previously undisclosed backdoors, as well as a large set of known tools.
- Their goal was stealing the source code of online casinos, as well as exfiltrating data from databases.
A new Chinese APT group dubbed “DRBControl” has been involved in the targeting of online gambling and betting platforms based in Europe, the Middle East, and Southeast Asia, since May 2019. The campaign was noticed by Talent-Jump Technologies last year, and they reached out to Trend Micro to help them investigate. The latter found out that the actors were actively exfiltrating data from compromised databases and other information repositories. Therefore, they deduced that DRBControl’s purpose was cyber-espionage and not to steal money from the users of these online betting platforms.
Interestingly, the group was using two unknown backdoors, a collection of known but upgraded malware strains, and a rich set of post-exploitation tools. Their skills are above average, and they deployed a coveted arsenal in their attacks. Moreover, they chose to host one of their backdoors on Dropbox and had their heavily obfuscated first-stage malware tool fetch it from there. Trend Micro has found signs that link some of the tools with Winnti and Emissary Panda. So, in conjunction with the apparent goal of the actors, the researchers are confident that DRBControl is a Chinese state-supported actor. In fact, DRBControl may even be a sub-team of the aforementioned groups, although this cannot be determined with certainty yet.
The two backdoors are of the “DLL side-loading” type and activate through the Microsoft-signed ‘MSMpEng.exe’ file. These reach the target via spear-phishing and through infected .docx attachments. They are responsible for fetching the Dropbox-hosted malware, establishing communication with the C2 domain, and planting a persistence mechanism. From there, known but customized malware strains like the PlugX RAT, the Trochilus RAT, and HyperBro are downloaded. In some cases, the researchers noticed the use of Cobalt Strike, too. At the same time, the post-exploitation toolset includes clipboard stealers, public IP address retrievers, NBTScan tools, brute-forcing tools, password dumpers, UAC bypassing tools, code loaders, lateral movement tools, and elevation-of-privilege vulnerability tools.
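A defender-side check for the side-loading pattern described above, as an added example that is not taken from the article or from the researchers' report: it flags the signed host binary running outside Microsoft Defender's directories and unsigned DLLs loaded from the same folder. The trusted directories are assumed default install paths, the field names follow Sysmon Event ID 7 (image load), and the hostnames, paths and `example.dll` are constructed sample values.

```python
import ntpath

# Assumed default install locations of Microsoft Defender's MsMpEng.exe.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
HOST_BINARY = "msmpeng.exe"

def in_trusted_dir(path):
    """True if the file sits in, or below, a known Defender directory."""
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)

def find_sideloading(events):
    """Return (computer, reason, path) tuples for suspicious image loads."""
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if ntpath.basename(image).lower() != HOST_BINARY:
            continue  # only the signed host named in the article is of interest
        if not in_trusted_dir(image):
            findings.append((ev["Computer"], "host binary outside Defender directory", image))
        same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
        if same_dir and ev.get("Signed", "false").lower() != "true":
            findings.append((ev["Computer"], "unsigned DLL beside host binary", loaded))
    return findings

# Constructed records using Sysmon Event ID 7 (image load) field names.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpSvc.dll", "Signed": "true"},
    {"Computer": "WS-07", "Image": r"C:\Users\Public\Docs\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\Public\Docs\example.dll", "Signed": "false"},
    {"Computer": "WS-07", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\Docs\example.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for computer, reason, path in find_sideloading(SAMPLE_EVENTS):
        print(f"{computer}: {reason}: {path}")
```

The prefix check matches whole path components, so a look-alike folder name next to the real Defender directory is not treated as trusted.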
One question that arises is why Chinese actors are interested in online casinos. As noticed by researchers, these hackers were stealing source code and any information related to these platforms’ technical framework. In other words, they were going after details that would help them set up solid betting platforms locally. Moreover, it is often the case that these online casinos belong to larger and more crucial entities in the targeted countries, and thus share a common infrastructure. This means that, through lateral movement and deeper network infiltration, hackers could potentially find their way inside those entities too.