Hacks confirmed in gambling and betting websites in Southeast Asia, rumors of other hacks in European countries and the Middle East.
Since the summer of 2019, a group of professional Chinese hackers has been targeting and hacking into companies that run online gambling and online betting websites.
According to reports released this week by the cyber-security firms Talent-Jump and Trend Micro, hacks have been officially confirmed at gambling firms located in Southeast Asia. At the same time, unconfirmed rumors of additional hacks have also come from Europe and the Middle East.
Talent-Jump and Trend Micro say hackers appear to have stolen company databases and source code, but not money, suggesting the attacks were espionage-focused, rather than cyber-crime motivated.
Both security firms said the attacks had been carried out by a group they called DRBControl.
Trend Micro said the group’s malware and operational techniques overlap with tools and tactics used by Winnti and Emissary Panda, two hacking groups that have conducted attacks in the interests of the Chinese government over the last ten years.
Currently, it’s unclear whether DRBControl is undertaking attacks on behalf of Beijing. Most likely not. In August 2019, cyber-security company FireEye reported that some Chinese state-sponsored hacking groups are now carrying out cyber-attacks on the side, in their free time and for their own gain, separate from their regular state-sponsored operations.
DRBControl modus operandi
The recent DRBControl attacks are neither complex nor unique with regard to the tactics used to infect victims and steal their data.
Attacks rely on spear-phishing emails sent to targets. Workers who fall for the messages and open the files they received are infected with backdoor Trojans.
These backdoor Trojans differ somewhat from other backdoors in that they rely heavily on the Dropbox file hosting and sharing service. They use Dropbox both as a command-and-control (C&C) channel and as a storage medium for second-stage payloads and stolen data, hence the group’s name, DRopBox Control.
Most of the time, the Chinese hackers will use the backdoors to download other hacking tools and malware that they can use to move laterally through a company’s network until they find databases and source code repositories from where they can steal data.
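The defensive corollary of the technique described above is that the backdoor’s C&C polling and data staging must show up as Dropbox API traffic from the infected workstation. The following is an added detection sketch for this article, not code from Talent-Jump, Trend Micro or the DRBControl tooling. It profiles Dropbox API requests per source host in a constructed, pipe-delimited proxy log and flags hosts whose requests come from a user agent that is not the desktop client or a browser, or whose upload volume exceeds a threshold. The endpoint names, user-agent prefixes, log format and 5 MB threshold are all assumptions to be replaced with values from your own environment and baseline.

```python
"""Flag hosts whose Dropbox API traffic looks more like backdoor C2 and
exfiltration than ordinary desktop-client or browser use.

Added example for this article; not code from Talent-Jump, Trend Micro or
the DRBControl malware. Log format, hostnames, user-agent prefixes and the
upload threshold are assumptions: adapt them to your own proxy export.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Dropbox API endpoints a Dropbox-backed backdoor would need to reach for
# C2 polling and payload/stolen-data storage (assumed list).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# User-agent prefixes treated as benign Dropbox use (assumed; confirm against
# your own baseline before deploying).
BENIGN_UA_PREFIXES = ("Dropbox-Desktop", "Mozilla/")

UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # assumed: 5 MB per host per window


@dataclass
class HostProfile:
    requests: int = 0
    upload_bytes: int = 0
    user_agents: set = field(default_factory=set)


def parse_proxy_line(line):
    """Parse one constructed proxy record of the form
    ts|src_ip|method|host|bytes_out|user_agent
    and return a dict, or None if the line is malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 6:
        return None
    ts, src, method, host, bytes_out, ua = parts
    try:
        out = int(bytes_out)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "method": method, "host": host,
            "bytes_out": out, "ua": ua}


def profile_dropbox_traffic(lines):
    """Aggregate Dropbox API activity per source host; other hosts are skipped."""
    profiles = defaultdict(HostProfile)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["host"] not in DROPBOX_API_HOSTS:
            continue
        p = profiles[rec["src"]]
        p.requests += 1
        p.user_agents.add(rec["ua"])
        if rec["method"] == "POST":
            p.upload_bytes += rec["bytes_out"]
    return profiles


def suspicious_hosts(lines):
    """Return {src_ip: [reasons]} for hosts worth triage: a non-standard
    user agent talking to the Dropbox API, or uploads above the threshold."""
    findings = {}
    for src, p in profile_dropbox_traffic(lines).items():
        reasons = []
        odd_uas = [ua for ua in p.user_agents
                   if not ua.startswith(BENIGN_UA_PREFIXES)]
        if odd_uas:
            reasons.append(f"non-standard user agent(s): {sorted(odd_uas)}")
        if p.upload_bytes > UPLOAD_BYTES_THRESHOLD:
            reasons.append(f"{p.upload_bytes} bytes uploaded to Dropbox API")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample proxy records (not real telemetry).
SAMPLE_LOG = [
    "2019-08-01T09:00:01|10.0.0.5|POST|api.dropboxapi.com|412|Dropbox-Desktop/83.4.152",
    "2019-08-01T09:00:02|10.0.0.5|POST|content.dropboxapi.com|204800|Dropbox-Desktop/83.4.152",
    "2019-08-01T09:01:10|10.0.0.9|GET|www.example.com|0|Mozilla/5.0",
    "2019-08-01T09:02:00|10.0.0.17|POST|api.dropboxapi.com|300|Python-urllib/2.7",
    "2019-08-01T09:02:05|10.0.0.17|POST|content.dropboxapi.com|6291456|Python-urllib/2.7",
    "2019-08-01T09:03:00|10.0.0.17|POST|content.dropboxapi.com|1024|Python-urllib/2.7",
    "malformed line",
]

if __name__ == "__main__":
    for host, reasons in sorted(suspicious_hosts(SAMPLE_LOG).items()):
        print(host)
        for r in reasons:
            print("  -", r)
```

A user-agent string is trivially spoofed, so the first heuristic only catches sloppy tooling; the upload-volume check and, where available, endpoint telemetry tying the connection to the originating process are what make the signal robust. Hosts that never run the Dropbox client but still reach its API are the simplest case and deserve a standing alert on their own.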
Tools DRBControl has been seen downloading and using include:
- Tools to scan for NETBIOS servers
- Tools to carry out brute-force attacks
- Tools to perform Windows UAC bypasses
- Tools to elevate an attacker’s privileges on an infected host
- Tools to dump passwords from infected hosts
- Tools to steal clipboard data
- Tools to load and execute malicious code on infected hosts
- Tools to retrieve a workstation’s public IP address
- Tools to create network traffic tunnels to outside networks
DRBControl has infected hundreds of computers
Talent-Jump says it was able to keep a close eye on the group’s operations between July and September 2019.
During that interval, the hackers infected and tracked around 200 computers through one Dropbox account, and another 80 through a second.
These are not the first attacks on online betting and gambling sites. In 2018, cyber-security firm ESET reported that North Korean state-backed hackers had hit at least one online casino in Central America, from where they are believed to have attempted to steal funds.