The security companies Talent-Jump and Trend Micro revealed in their reports that, for about six months (starting in summer 2019), a group of Chinese hackers has been attacking the companies behind gambling and betting sites.
According to the two companies, there are confirmed hacks of gaming companies located in Southeast Asia. There are also rumors of attacks on companies in Europe and the Middle East, but these are not confirmed.
The data so far show that the Chinese hackers stole the companies' databases and source code rather than money, so there was no financial motive. The target of the attacks is evidently espionage.
The researchers named the team behind the attacks DRBControl.
Trend Micro said the malware and tactics used by the hacking team are similar to the tools and tactics of Winnti and Emissary Panda, two hacking groups that have carried out numerous attacks on the Chinese government over the past decade.
We do not yet know whether DRBControl is working for Beijing; probably not. In August 2019, FireEye revealed that some Chinese state groups were also carrying out attacks in their own interest.
DRBControl's recent attacks are neither complex nor unique in the tactics the hackers use.
The attacks begin with a spear-phishing email sent to the victims. The emails include a link; if a victim opens it, the machine is infected with backdoor trojans.
These backdoor trojans differ somewhat from other backdoors in that they rely heavily on the Dropbox hosting and sharing service, which is used as the command-and-control (C&C) channel and as storage for secondary payloads and stolen data.
The hackers then typically use the backdoors to download further hacking tools and malware, which they use to locate the databases and source code of the gambling sites.
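Because the backdoor talks to Dropbox for tasking and exfiltration, a defender can look for Dropbox API traffic coming from processes that have no business using it, and for large uploads over that channel. The following is an added illustration, not code from the reports or from either company: it parses constructed proxy log lines (the field layout and host names are assumptions) and flags Dropbox API connections from any process other than the sanctioned Dropbox client.

```python
import re

# Constructed proxy log lines (not from the report).
# Layout assumed: timestamp host process destination bytes_out
SAMPLE_LOG = """\
2019-08-02T09:14:03Z WS-101 outlook.exe mail.example-corp.test 2048
2019-08-02T09:15:11Z WS-101 svchost.exe content.dropboxapi.com 1843200
2019-08-02T09:15:40Z WS-102 Dropbox.exe api.dropboxapi.com 4096
2019-08-02T09:16:02Z WS-103 rundll32.exe api.dropboxapi.com 512
2019-08-02T09:16:30Z WS-101 svchost.exe api.dropboxapi.com 700
2019-08-02T09:17:00Z WS-104 chrome.exe www.dropbox.com 9000
"""

# Endpoints used by the Dropbox HTTP API (as opposed to the website).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: the desktop client is the only process expected to use the API.
EXPECTED_PROCESSES = {"dropbox.exe"}
# Assumption: an upload above this size from an odd process is worth a separate tag.
UPLOAD_THRESHOLD = 1_000_000

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, host, proc, dest, out = m.groups()
    return {"ts": ts, "host": host, "process": proc.lower(),
            "dest": dest.lower(), "bytes_out": int(out)}


def find_suspicious(log_text):
    """Return (host, process, destination, reason) for Dropbox API traffic
    from unexpected processes; large uploads get their own reason tag."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"] not in DROPBOX_API_HOSTS:
            continue  # not API traffic (browser use of www.dropbox.com is ignored)
        if rec["process"] in EXPECTED_PROCESSES:
            continue  # sanctioned client
        reason = "dropbox_api_from_unexpected_process"
        if rec["bytes_out"] >= UPLOAD_THRESHOLD:
            reason = "large_upload_to_dropbox_api"
        findings.append((rec["host"], rec["process"], rec["dest"], reason))
    return findings


def affected_hosts(findings):
    """Distinct hosts that produced at least one finding."""
    return sorted({f[0] for f in findings})
```

In a real deployment the same logic would run over proxy or EDR network telemetry, where a long-lived, non-browser process reaching the API endpoints is the signal; the sanctioned-process list must be tuned to the organization.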
Tools used by DRBControl:
- NetBIOS scanning tools
- Brute-force attack tools
- Windows UAC bypass tools
- Privilege escalation tools for the infected system
- Password-harvesting tools
- Clipboard data theft tools
- Tools for loading and executing malicious code
- Tools to retrieve the public IP address of a workstation
- Tools for network communication with external networks
DRBControl has infected many companies that run gambling sites
Talent-Jump has been able to closely monitor the activities of Chinese hackers from July to September 2019.
During this time, hackers managed to infect about 200 gaming companies’ PCs through one Dropbox account and another 80 through a second account.
The group’s attacks are continuing, and both security companies have published some tips that can help organizations detect suspicious activity or malware from DRBControl.
These are not the first attacks on gaming sites. In 2018, cybersecurity company ESET reported that North Korean government hacking teams had attacked an online casino in Central America in order to steal money.