DRBControl Hack Targets Asian Gambling & Betting Companies
New research uncovers a major persistent cyber-attack against gambling & betting companies, carried out with malware developed by a group known as DRBControl. The professional hackers, who are suspected of being of Chinese origin, launched a series of cyber-attacks against gambling companies across Southeast Asia. There are also reports suggesting the attacks have impacted companies in the Middle East and Europe.
This information has been made publicly available through research published by Trend Micro and Talent Jump. Whilst the scope of the research is primarily technical, it does suggest the attackers are of Chinese origin. Whether or not these are Beijing-backed state actors is another question entirely, but several hacker groups in the region affiliated with espionage campaigns for the Chinese state have been known to pursue “cyber-attacks on the side” as a supplement to their own gains.
One thing that is certain is that whoever the threat actor behind DRBControl is, they were capable of quick and consummate development of the bespoke range of malware used in the attack. The evidence gathered so far from the research suggests that the intrusion also made use of several publicly available post-exploitation tools. Once the attackers had breached an online gambling & betting company’s network, these public post-exploitation tools let them easily escalate privileges, move laterally through the network and ultimately exfiltrate sensitive information and data.
DRBControl Modus Operandi
In the modern business climate, cybersecurity has become mission-critical. Advanced malicious actors operate with increasing sophistication, covertness and brazenness across cyberspace, targeting companies, institutions and governments across the world for numerous purposes. Espionage, ransom, exploitation and blackmail are just some of the typical reasons groups like the one behind DRBControl operate. In this case, the gambling sector of Southeast Asia appears to have been hit in an act of espionage: no financial damage was dealt, and the hack was primarily focused on stealing source code and the contents of the many databases.
The attacks, recently dubbed DRBControl (DRopBoxControl), utilized a spear-phishing campaign to initially infiltrate their target networks. Employees at the gambling companies were sent spear-phishing emails with documents carrying the trojan, which would infect the target machine with a backdoor for the attacker to exploit. Spear-phishing is considered an ultra-targeted form of phishing, where the attacker studies the victim and crafts a convincing email that is highly personal to them, in order to encourage them to open the infected attachment. This is in contrast to phishing emails, which are sent out in a blanket fashion to large groups.
An interesting detail of this backdoor is its use of Dropbox, and specifically its abuse of the Dropbox API. This enabled the attackers to use Dropbox as a command-and-control (C&C) service and as a repository for second-stage payloads, stolen data and queued commands. Once the backdoor has established itself on the target machine, the Chinese hackers are able to execute commands on it and begin to raise privileges in order to gather more sensitive information and inflict more damage on the target.
The researchers who reverse-engineered the malware describe the possible motivation behind these sophisticated attacks against Chinese betting & gambling companies:

“The exfiltrated data was mostly comprised of databases and source codes, which leads us to believe that the campaign is used for cyberespionage or gaining competitive intelligence.”
Trend Micro Research, Cyber Security Researcher
Assessing the Damage of DRBControl
The full extent of the DRBControl campaign is not yet known, and we can only speculate about the scale of its spread. What we do know is that the attacks are still ongoing, are highly targeted at betting companies in Southeast Asia, and have infected over 200 individuals through a single Dropbox account, with around 80 infections recorded in another Dropbox account associated with the hackers.
According to the researchers, the first impulse was to speculate that this attack came from a new group. This was because the two types of backdoor analyzed did not share infrastructure with the tooling of other known threat actors. However, there are some possible candidates in this regard. The Winnti group often uses self-developed, technically proficient tools for its attacks, and there are a number of breadcrumbs in the current report that suggest a link to this particular malware.
Another group with links to this attack is Emissary Panda. This is a much looser link than the former, resting merely on a match in the name of one of the .dll files found in the malware. Whether this is pure coincidence, or even a deliberate method of diverting attention from the true source of the hack, is difficult to determine.
Having found relations to two prolific hacker groups, Winnti and Emissary Panda, there are further conclusions that can be drawn. The attack was exclusively targeted toward betting and gambling companies and focused only on the exfiltration of data and source code. There appears to be some form of corporate espionage element to this, and in light of the Asian gambling market recently being drastically opened up through progressive liberal politics, new companies are emerging trying to establish market superiority.
Some commentators argue these hacks were conducted on behalf of rival betting companies seeking a competitive advantage. Whilst this is plausible, it remains highly unlikely given the scrutiny and risk of exposure this method would invite. Much more likely is a state-sponsored group, working on behalf of the Chinese government, carrying out espionage on its rapidly growing online gambling industry.