Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware
An advanced persistent threat (APT) group of Chinese origin, codenamed DiceyF, has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.
Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (also known as GamblingPuppet) and DRBControl, citing similarities in tactics and targeting as well as the abuse of secure messaging clients.
"Possibly we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin said in a white paper published this week.
The starting point of the investigation was in November 2021, when Kaspersky said it detected multiple PlugX loaders and other payloads that were deployed via an employee monitoring service and a security package deployment service.
The initial infection method, distribution of the framework through security solution packages, allowed the threat actor to "carry out cyberespionage activities with a certain level of stealth," the company said.
Subsequently, the same security package deployment service is said to have been used to deliver what is called GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader.
"This 'framework' includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data," the researchers explained.
Indications are that DiceyF's activity is a follow-up campaign to Earth Berberoka with a redesigned malware toolkit, with the framework maintained in two separate branches named Tifa and Yuna, which contain different modules of varying levels of sophistication.
While the Tifa branch contains a downloader and a core component, Yuna is more complex in terms of functionality, incorporating a downloader, a set of plugins, and at least 12 PuppetLoader modules. That said, both branches are believed to be actively and incrementally updated.
Regardless of the variant used, GamePlayerFramework, once launched, connects to a command-and-control (C2) server and transmits information about the compromised host and the contents of the clipboard, after which the C2 responds with one of 15 commands that let the malware take control of the machine.
This also includes launching a plugin on the victim's system, which can be downloaded from the C2 server when the framework is instantiated or retrieved via the "InstallPlugin" command sent by the server.
These plugins, in turn, allow stealing cookies from the Google Chrome and Mozilla Firefox browsers, capturing keystrokes and clipboard data, setting up virtual desktop sessions, and even remotely connecting to the machine via SSH.
Kaspersky also pointed out the use of a malicious application that mimics other software called Mango Employee Account Data Synchronizer, a messaging application used within the targeted entities, to drop GamePlayerFramework inside the network.
"There are many interesting features of DiceyF campaigns and TTPs," the researchers said. "The group modifies its code base over time and builds functionality into the code throughout its intrusions."
"To ensure that victims weren't suspicious of the disguised implants, the attackers obtained information about the targeted organizations (such as the floor where the organization's IT department is located) and included it within graphical windows displayed to the victims."