An advanced persistent threat (APT) actor dubbed “DRBControl” has been targeting gambling and betting companies located in Southeast Asia.
The campaign was initially detected by Talent-Jump Technologies Inc., who then contacted Trend Micro to help investigate.
Trend Micro discovered that the Chinese APT group was actively exfiltrating data from compromised databases and source code, “which led us to believe that the group’s main purpose is cyber-espionage,” the cyber security company said in a blog post.
DRBControl is targeting users in Southeast Asia, with a focus on gambling and betting companies; however, unconfirmed reports say that targets were also located in Europe and the Middle East.
To start their campaign, the threat actors use spear phishing to fool recipients into opening a malicious Word document. The document carries an embedded file that delivers the malware once it is opened.
The campaign uses two previously unknown backdoors, referred to as Type 1 and Type 2, in addition to a variety of post-exploitation tools and known malware strains. Both backdoors are loaded via DLL side-loading through the Microsoft-signed MSMPEng.exe file; one of them uses the file hosting service Dropbox as its C&C channel.
The second backdoor uses a configuration file that holds a C&C domain and connection ports, as well as the directory and filename to which the malware is copied.
Both backdoors can read, write, rename, copy and delete files, capture screenshots, execute commands, delete registry keys and browse directories.
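The side-loading described above relies on a trusted, signed binary (here the Defender engine, MSMPEng.exe) resolving a DLL from its own directory, so a copy of that binary dropped next to a malicious DLL runs attacker code under a trusted process name. The following detection check is an added example, not code from the original report or from Trend Micro: it triages constructed image-load events and flags the engine running from a non-standard directory while loading an unsigned DLL from that same directory. The expected installation directories are an assumption for a default Windows setup.

```python
"""Flag the Defender engine (MsMpEng.exe) running outside its normal location
and loading an unsigned DLL from its own directory: the DLL side-loading pattern.
Sample events below are constructed, not indicators from the report."""
from dataclasses import dataclass

# Assumption: where the genuine engine lives on a default installation.
# Adjust for your estate (platform builds sit in versioned subdirectories).
EXPECTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass
class ImageLoad:
    process_image: str  # full path of the running process
    loaded_image: str   # full path of the DLL it mapped
    signed: bool        # signature status as reported by the sensor


def dirname(path: str) -> str:
    """Lower-cased directory part of a Windows path, no trailing backslash."""
    return path.lower().rsplit("\\", 1)[0]


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when MsMpEng.exe runs from an unexpected directory and pulls an
    unsigned DLL from that same directory. Case-insensitive on the name."""
    proc = ev.process_image.lower()
    if not proc.endswith("\\msmpeng.exe"):
        return False
    proc_dir = dirname(proc)
    if any(proc_dir == d or proc_dir.startswith(d + "\\") for d in EXPECTED_DIRS):
        return False  # legitimate engine location
    return dirname(ev.loaded_image) == proc_dir and not ev.signed


def triage(events):
    """Return only the events that match the side-loading pattern."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed telemetry: a benign load, a side-load, and a system DLL load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Windows Defender\MsMpEng.exe",
              r"C:\Program Files\Windows Defender\mpclient.dll", True),
    ImageLoad(r"C:\Users\Public\Libraries\MsMpEng.exe",
              r"C:\Users\Public\Libraries\support.dll", False),  # flagged
    ImageLoad(r"C:\Users\Public\Libraries\MsMpEng.exe",
              r"C:\Windows\System32\kernel32.dll", True),  # not flagged
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("side-load suspect:", hit.process_image, "->", hit.loaded_image)
```

The DLL name a real side-load uses must match whatever the signed binary imports, so the check keys on location and signature rather than on a filename.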
Known malware families used by the threat group include Cobalt Strike, HyperBro, MFC keyloggers, PlugX RAT and Trochilus RAT.
The post-exploitation tools used by DRBControl include a clipboard stealer, a public IP address retriever, a brute-force tool, a network traffic tunnel and password dumpers.
The techniques and malware used indicate that DRBControl is a new threat actor, although Trend Micro found connections to Winnti and Emissary Panda. Links to the Winnti group range from mutexes to domain names and issued commands.
“Unlike largely indiscriminate attacks that focus on typical forms of cybercrime, targeted attacks differ in terms of how threat actors actively pursue and compromise specific targets (i.e., through spear phishing) for lateral movement in the network and sensitive information extraction.
“Understanding attack tools, techniques, and infrastructure, as well as the links to similar attack campaigns, provides the context necessary to assess potential impact and adopt defensive measures. Trend Micro users can thwart advanced persistent threats with security that provides actionable threat intelligence, network-wide visibility, and timely threat protection.”
The post #Privacy: Gambling, betting companies in Southeast Asia targeted by cyber espionage campaign appeared first on PrivSec Report.