A group of Chinese hackers has been targeting and compromising companies that run online gambling and online betting sites since last year.
The cyber-security firms Talent-Jump and Trend Micro published a report according to which the intrusions have been confirmed at gambling companies located in Southeast Asia, with unconfirmed reports of further intrusions in Europe and the Middle East.
The security firms state that the hackers stole company databases and source code rather than money, which suggests the attacks were espionage-focused rather than financially motivated. The researchers attribute the attacks to a group they track as DRBControl.
Trend Micro said the group's malware and operational methods overlap with tools and techniques used by Winnti and Emissary Panda, two hacking groups that have conducted state-sponsored attacks for the Chinese government over the past decade.
It is not clear whether DRBControl is carrying out the attacks on behalf of Beijing. In August 2019, the cyber-security firm FireEye reported that some Chinese state-sponsored hacking groups also conduct cyber-attacks on the side, for their own profit and interests, alongside their normal state-sponsored operations.
The recent DRBControl attacks are not complex or unique in the tactics they use to infect victims and steal their data.
The attacks begin with spear-phishing emails sent to targets. Employees who fall for the emails and open the documents they received are infected with backdoor trojans.
What sets these backdoors apart is their reliance on the Dropbox file hosting and file sharing service, which they use both as a command-and-control (C&C) channel and as a storage medium for second-stage payloads and stolen data. This is the origin of the group's name: DRopBox Control.
The hackers use the backdoors to download further hacking tools and malware, which they use to move laterally through a company's network until they locate the databases and source code repositories from which they steal data.
The tools DRBControl downloaded and used include:
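Because the C&C channel is a legitimate cloud service, a domain blocklist does not help; the defender has to look at who inside the network is talking to the Dropbox API and how. The report's own detection logic is not described on this page, so what follows is an added example (not code from Trend Micro, Talent-Jump or the DRBControl report) of one heuristic a defender could run over web-proxy logs: flag internal hosts that reach the Dropbox API from a non-browser user agent, poll it at machine-regular intervals, or push a large volume to the upload endpoint. The proxy log format, the sample log lines, the "browsers only" user-agent rule and the thresholds are all constructed assumptions; only the Dropbox hostnames and the `/2/files/*` API paths are real.

```python
"""Hunt for Dropbox-as-C2 beaconing in web-proxy logs.

Added example, not code from the Trend Micro / Talent-Jump reports.
Assumptions: the proxy log format below, the 'browsers only' user-agent
rule and the thresholds are all made up for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Real Dropbox API v2 endpoints. A backdoor that drives the HTTP API
# (list a folder, fetch a payload, upload loot) talks to these hosts.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com",
                     "notify.dropboxapi.com"}
UPLOAD_PATH = "/2/files/upload"   # upload endpoint on content.dropboxapi.com

# Constructed sample proxy log, one request per line:
#   <ISO timestamp> <client_ip> <method> <host> <path> <bytes_sent> "<user-agent>"
SAMPLE_LOG = [
    '2019-08-14T09:12:03 10.0.0.5 POST api.dropboxapi.com /2/files/list_folder 180 "Mozilla/5.0 (Windows NT 10.0) Firefox/68.0"',
    '2019-08-14T09:47:41 10.0.0.5 POST api.dropboxapi.com /2/files/get_metadata 160 "Mozilla/5.0 (Windows NT 10.0) Firefox/68.0"',
    '2019-08-14T11:58:10 10.0.0.23 GET www.example.com / 90 "Mozilla/5.0 (Windows NT 10.0) Firefox/68.0"',
    '2019-08-14T12:00:00 10.0.0.23 POST api.dropboxapi.com /2/files/list_folder 212 "WinHttp-Client/1.0"',
    '2019-08-14T12:05:00 10.0.0.23 POST api.dropboxapi.com /2/files/list_folder 212 "WinHttp-Client/1.0"',
    '2019-08-14T12:10:00 10.0.0.23 POST api.dropboxapi.com /2/files/list_folder 212 "WinHttp-Client/1.0"',
    '2019-08-14T12:15:00 10.0.0.23 POST api.dropboxapi.com /2/files/list_folder 212 "WinHttp-Client/1.0"',
    '2019-08-14T12:20:00 10.0.0.23 POST api.dropboxapi.com /2/files/list_folder 212 "WinHttp-Client/1.0"',
    '2019-08-14T12:20:01 10.0.0.23 POST content.dropboxapi.com /2/files/upload 4194304 "WinHttp-Client/1.0"',
]


def parse_line(line):
    """Split one proxy log line into a record; the user agent is the quoted tail."""
    ts, ip, method, host, path, sent, ua = line.split(" ", 6)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "host": host, "path": path, "bytes_sent": int(sent),
            "ua": ua.strip('"')}


def is_browser_ua(ua):
    # Assumption: in this environment only interactive browsers should hit
    # the Dropbox API; any other client (WinHTTP, python-requests, ...) is odd.
    return ua.startswith("Mozilla/")


def analyze(lines, min_beacons=4, max_jitter=0.2, upload_threshold=1_000_000):
    """Return {client_ip: finding} for clients whose Dropbox API use looks like C2."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["host"] in DROPBOX_API_HOSTS:
            by_client[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        odd_uas = sorted({r["ua"] for r in recs if not is_browser_ua(r["ua"])})
        if odd_uas:
            reasons.append("non-browser user agent: " + ", ".join(odd_uas))

        # Beacon check: polling the metadata API at near-constant intervals
        # (low coefficient of variation of the gaps) is a scheduled check-in,
        # not a human clicking around in a web UI.
        beacons = [r["ts"] for r in recs if r["host"] == "api.dropboxapi.com"]
        gaps = [(b - a).total_seconds() for a, b in zip(beacons, beacons[1:])]
        jitter = None
        if len(beacons) >= min_beacons and mean(gaps) > 0:
            jitter = pstdev(gaps) / mean(gaps)
            if jitter <= max_jitter:
                reasons.append(f"{len(beacons)} API calls at regular intervals "
                               f"(jitter {jitter:.2f})")

        # Exfiltration check: bytes the client sent to the upload endpoint.
        uploaded = sum(r["bytes_sent"] for r in recs
                       if r["host"] == "content.dropboxapi.com"
                       and r["path"].startswith(UPLOAD_PATH))
        if uploaded >= upload_threshold:
            reasons.append(f"{uploaded} bytes pushed to {UPLOAD_PATH}")

        if reasons:
            findings[ip] = {"reasons": reasons, "requests": len(recs),
                            "beacon_jitter": jitter, "bytes_uploaded": uploaded}
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding["requests"], "Dropbox API requests")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed log, 10.0.0.5 (two browser requests, irregular timing, nothing uploaded) is not reported, while 10.0.0.23 trips all three checks: a non-browser client, five `list_folder` polls exactly five minutes apart, and a 4 MB push to the upload endpoint. In a real environment the user-agent rule needs tuning for the legitimate Dropbox desktop client, and the published IOCs should be matched alongside this behavioural check rather than replaced by it.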
- Tools to scan for NETBIOS servers
- Tools to carry out brute-force attacks
- Tools to perform Windows UAC bypasses
- Tools to elevate an attacker’s privileges on an infected host
- Tools to dump passwords from infected hosts
- Tools to steal clipboard data
- Tools to load and execute malicious code on infected hosts
- Tools to retrieve a workstation’s public IP address
- Tools to create network traffic tunnels to outside networks
Talent-Jump reported that between July and September 2019 the hackers infected and tracked around 200 computers through one Dropbox account, and another 80 through a second account.
The attacks are ongoing, and the two security firms have published indicators of compromise (IOCs) in their reports that organizations can use to detect suspicious activity or DRBControl's malware.