Chinese Hackers Target Gambling Sites in Southeast Asia

Experts from Trend Micro and Talent-Jump have reported that since the summer of 2019, Chinese hackers have been attacking gambling and online betting websites in Southeast Asia. There have also been unconfirmed reports of similar breaches in countries across Europe and the Middle East.

According to researchers, the group behind these incidents is known as DRBControl. The hackers steal company databases and source code, but not money, indicating that the main goal of these attacks appears to be espionage.

DRBControl’s tactics are very similar to the tools and methods used by other Chinese state-sponsored hacker groups, such as Winnti and Emissary Panda. However, it is currently unclear whether DRBControl is acting independently or under government orders. Last year, FireEye experts noted that some Chinese groups sometimes carry out attacks for personal gain during their free time.

Attack Methods

Overall, DRBControl’s attacks are neither particularly complex nor unique. They typically begin with phishing emails sent to potential victims. Through these messages, employees of targeted companies receive malicious documents, which then install backdoor trojans. This malware relies on Dropbox as a command-and-control server, as well as for storing payloads and stolen data. This is where the group’s name comes from—DRBControl (DRopBox Control).
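Because the backdoor described above talks to Dropbox for tasking, payloads and exfiltration, one defensive check is to sweep outbound proxy logs for Dropbox API traffic that does not look like a browser or the official client, or that uploads from hosts with no approved Dropbox use. The script below is an added example, not code from either vendor's report; the Dropbox API hostnames, the "expected" user-agent prefixes, the log format and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the backdoor reaches Dropbox over its public HTTP API hostnames.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: legitimate use shows a browser UA or the official client's UA.
EXPECTED_UA_PREFIXES = ("Mozilla/", "Dropbox")

# Constructed proxy log lines: timestamp, client IP, method, URL, "user agent".
SAMPLE_PROXY_LOG = """\
2019-08-01T09:12:03Z 10.1.4.22 POST https://api.dropboxapi.com/2/files/upload "Mozilla/5.0 (Windows NT 10.0) Chrome/75.0"
2019-08-01T09:12:41Z 10.1.4.22 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/75.0"
2019-08-01T09:13:10Z 10.1.7.55 POST https://content.dropboxapi.com/2/files/download "-"
2019-08-01T09:13:12Z 10.1.7.55 POST https://api.dropboxapi.com/2/files/list_folder "-"
2019-08-01T09:14:00Z 10.1.7.55 POST https://content.dropboxapi.com/2/files/upload "-"
2019-08-01T09:20:00Z 10.1.9.80 GET https://api.dropboxapi.com/2/users/get_current_account "Dropbox-Desktop-Client"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def find_suspicious_dropbox_clients(log_text, allowlist=frozenset()):
    """Return {client_ip: [reasons]} for hosts whose Dropbox API traffic is
    worth an analyst's look. `allowlist` holds hosts approved to use Dropbox."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, method, url, ua = m.groups()
        if urlparse(url).hostname not in DROPBOX_API_HOSTS or client in allowlist:
            continue
        if not ua.startswith(EXPECTED_UA_PREFIXES):
            # Neither a browser nor the official client: typical of a custom implant
            findings[client].append(f"{ts} {method} {url} with user agent {ua!r}")
        elif "/files/upload" in url:
            # Looks like a browser, but the host has no approved Dropbox use
            findings[client].append(f"{ts} upload to Dropbox from unapproved host")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_suspicious_dropbox_clients(SAMPLE_PROXY_LOG).items():
        print(host, *reasons, sep="\n  ")
```

Hosts with a business reason to use Dropbox go in `allowlist`; everything else that talks to the API with an unexpected user agent, or uploads at all, is surfaced for triage.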

Once the backdoors are installed on the networks of affected companies, they are used to download additional hacker tools and malware. These are then used for lateral movement within the network, searching for valuable information to steal. Some of the tools used by DRBControl include:

  • Server scanning tools for NETBIOS
  • Brute-force attack tools
  • Tools to bypass Windows UAC
  • Privilege escalation tools on infected hosts
  • Password theft tools from infected hosts
  • Clipboard data theft tools
  • Tools for downloading and executing malicious code on infected hosts
  • Tools to obtain the public IP address of a workstation
  • Tools for creating tunnels to external networks

Scale of the Attacks

Researchers from Talent-Jump observed the group’s activities closely from July to September 2019. During this period, the hackers managed to infect about 200 computers using a single Dropbox account, and another 80 machines were compromised through a different Dropbox account.

Since DRBControl’s attacks are ongoing, experts from both companies have included indicators of compromise in their reports, which administrators are advised to review.