Trend Micro security researchers have uncovered a cyber espionage operation carried out by an APT (Advanced Persistent Threat) group tracked as DRBControl that used a new family of malware. The attackers aimed to steal databases and source code from betting companies in Southeast Asia, and likely in the Middle East and Europe.
As per the Trend Micro analysis, “The threat actor is currently targeting users in Southeast Asia, particularly gambling and betting companies. Europe and the Middle East were also reported to us as being targeted, but we could not confirm this at the time of writing. Exfiltrated data was mostly comprised of databases and source codes, which led us to believe that the group’s main purpose is cyberespionage.”
The hackers used two previously unknown backdoors, already-known malware families such as PlugX and the HyperBro backdoor, and custom post-exploitation tools. One of the backdoors uses the file hosting service Dropbox as its command-and-control (C&C) channel. The new backdoor was discovered when the group used both standard and custom malware and exploitation tools to attack a company in the Philippines.
The group also employed modified versions of common malware such as Trochilus RAT, PlugX RAT, keyloggers built with the Microsoft Foundation Class (MFC) library, the custom in-memory HyperBro backdoor, and a Cobalt Strike sample.
The attackers' arsenal includes post-exploitation tools such as UAC (User Account Control) bypass tools, password dumpers (Quarks PwDump, modified Mimikatz, NetPwdDump), and code loaders.
Experts identified two main backdoors (Type 1 and Type 2) used in the attacks, neither of which had previously been seen in the threat landscape.
A further backdoor complements Type 1: it executes malware that is downloaded from Dropbox and loaded directly in memory. The Type 1 backdoor itself is launched via DLL side-loading.
The malware was used to steal PDF and Office documents, browser cookies, keystroke logs, SQL dumps, and a KeePass password manager database.
Both backdoors implement a UAC bypass, and both also include a keylogging feature.
The first variant of the Type 1 backdoor was found to have been released in late May 2019, while version 9.0 dates to October 2019.
The Type 2 backdoor was first released in July 2019; it was used in a spear-phishing attack distributing a weaponised MS Word document.
These circumstances suggest that DRBControl has been active since at least 2017, though it is suspected to have been operating for longer.
For now, it is not possible to attribute the DRBControl group to a specific threat actor with confidence; it is not entirely clear whether the hackers form a new APT group or a subgroup of a known Chinese APT group.
Source – Igaming world