Chinese hackers linked to state-backed groups have been observed targeting gambling companies in southeast Asia as part of another cyber-espionage campaign.
A new report from Trend Micro and Talent-Jump Technologies, Uncovering DRBControl, details the work of the eponymous group, whose activities were uncovered in 2019.
Attackers first deploy a spear-phishing email containing .DOCX files, which trigger a backdoor malware download if opened.
“The campaign uses two previously unidentified backdoors. Known malware families such as PlugX and the HyperBro backdoor, as well as custom post-exploitation tools were also found in the attacker’s arsenal,” Trend Micro claimed.
“Interestingly, one of the backdoors used file hosting service Dropbox as its command-and-control (C&C) channel.”
The group also uses Dropbox to deliver different payloads to victims, and to store commands, post-exploitation tools and stolen files.
Post-exploitation tools used by the group range from password dumpers and clipboard stealers to UAC bypass tools, code loaders and brute forcing tools.
DRBControl also uses malware associated with the state-linked Winnti and Emissary Panda groups, although it’s unclear whether the campaign itself has links to Beijing.
“Links to the Winnti group range from mutexes to domain names and issued commands,” said Trend Micro. “The HyperBro backdoor, which appears to be exclusive to Emissary Panda, was also used in this campaign.”
The campaign is ongoing, with researchers believed to have detected hundreds of compromised endpoints in the region.
Given that the exfiltrated data so far has consisted of internal databases and source code, it is thought the hackers are focused on cyber-espionage and gaining competitive intelligence, according to the report.