DRBControl attacks
According to IT security company Trend Micro, hackers with Chinese links are using backdoor trojans to run espionage-focused attacks on gambling companies in Southeast Asia. Unconfirmed hacks are reported to have also come from Europe and the Middle East, reports ZDNet.
the group has infected and kept track of around 200 computers through a Dropbox account
Talent-Jump Technologies first unearthed the activity last year and contacted Trend Micro while conducting an incident report for a firm based in the Philippines. According to the two security companies, the hacks are being carried out by a group they have called DRBControl.
Between July and September 2019, Talent-Jump states that the group has infected and kept track of around 200 computers through a Dropbox account and another 80 in a second account.
Links to Chinese hacking groups
It did note, though, that the connection with APT 27 was “very loose.”
However, rather than stealing money from the gambling companies, it appears that those involved are taking code and data, suggesting that the hacks are espionage-focused.
The researchers said: “The exfiltrated data was mostly comprised of databases and source codes, which leads us to believe that the campaign is used for cyberespionage or gaining competitive intelligence.”
Trend Micro data also suggests that DRBControl could have ties to Winnti and Emissary Panda, two hacking groups that have undertaken hacks in the past 10 years aimed at the gambling industry.
Yet, regarding Winnti, it seems that there are three different overlaps. For example, DRBControl domain names are linked with ones previously used by Winnti, whereas in other examples, commands issued on DRBControl-compromised machines appear to have links with Winnti.
Tactics used
According to reports, hackers are using “straightforward and efficient” methods involving spearphishing email links.
Upon opening the Microsoft Word documents attached in the emails, which are embedded with an executable file or a .bat file, computers are infected with backdoor trojans.
hackers are using “straightforward and efficient” methods involving spearphishing email links
In one instance, DRBControl is thought to have contacted a company suggesting that the customer support team needed to address an error.
Another method Trend Micro identified uses PowerShell, an administration tool, to download the malware.
This isn’t the first instance of hacking groups targeting gambling companies. In 2018, it was reported that hackers in North Korea, known as the Lazarus Group, had targeted at least one online casino in Central America.