A group of suspected Chinese hackers is targeting Asian-facing online gambling sites. Their objective appears to go beyond just stealing money.
A statement from TrendMicro turns a spotlight on a shadowy group that’s been dubbed Dropbox Control, an “advanced persistent threat actor” engaged in a “cyberespionage campaign targeting gambling operations” in Southeast Asia.
In mid-2019, TrendMicro began its investigation after a firm contacted it while performing an incident response operation on a Philippines-based company. The company's support team was targeted through a spear-phishing email that asked recipients to open a DOCX file to view a screenshot that supposedly displayed an error the customer was having. The document embedded an executable file that, once the document was opened, installed malware via two previously undisclosed backdoors. Later versions of this malware involved a backdoor that used the Dropbox file hosting service as its command-and-control channel.
Once a machine was compromised, the user's computer would be pillaged for passwords, databases, source code, and other proprietary technical information while additional malware was installed for future operations. Gambling sites in Southeast Asia were the ones targeted. TrendMicro said it had been “made aware that Europe and the Middle East regions are also being targeted,” though it was unable to confirm these reports.
A study conducted by TrendMicro revealed some links to a Chinese-led group of hackers known as Winnti. The group has been targeting gambling sites for a decade or more. Another study, conducted by Kaspersky Lab, found evidence of Winnti operations targeting video game operators since 2009 in order to steal in-game virtual currencies that were later sold for real cash.
The online gambling industry is no stranger to rogue digital actors, including state-sponsored efforts by North Korea’s regime, which reportedly relies on a network of online gambling sites based in other jurisdictions to generate badly needed hard currency.