Asian-facing online gambling operators are targeted by a group of alleged Chinese hackers whose aims seem to go beyond mere theft of money.
A recent TrendMicro study focuses on a shadowy group called DRBControl (short for Dropbox Control), an “advanced persistent threat actor” engaged in a “cyberespionage campaign targeted at gambling operations” in Southeast Asia.
TrendMicro’s investigation started in mid-2019, when a company carrying out an incident response engagement at a Philippine-based gambling operator approached TrendMicro. The operator’s support team had been targeted with a spear-phishing email telling recipients to open a .DOCX attachment to view a screenshot that supposedly showed a mistake the customer had made.
When a support team member opened the file, the document dropped an executable that installed two previously undisclosed backdoors. Later versions of the malware used Dropbox file hosting as their command-and-control channel.
Once a machine was infected, it was plundered for passwords, files, source code and other proprietary technical information, and the backdoors fetched additional malware for later operations. TrendMicro said the targeted data indicated “the campaign is used for cyberespionage or gaining competitive intelligence.”
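Malware that uses Dropbox as its command-and-control channel still has to reach the public Dropbox API hosts, and an unfamiliar process polling those hosts on a fixed schedule is the kind of signal a defender can hunt for. The following script is an added example, not TrendMicro’s code or any artefact of the DRBControl campaign: it runs a simple heuristic over constructed endpoint connection records (the log lines, process names, paths and timings below are all made up; only the Dropbox API hostnames are real), excludes the official client and browsers, and flags remaining processes whose connection intervals are regular enough to suggest beaconing.

```python
"""Heuristic hunt for Dropbox-hosted command and control.

Added example, not code from the original article or from the report it
describes. It scans 'timestamp image host' connection records (modelled on
endpoint telemetry such as Sysmon network-connection events) and flags
processes that talk to the Dropbox API from outside the expected client
set, then scores their polling cadence for beacon-like regularity.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public Dropbox API hostnames: anything that speaks the Dropbox API,
# including a backdoor abusing it for C2, has to reach these.
DROPBOX_API_HOSTS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "notify.dropboxapi.com",
}

# Processes expected to use the Dropbox API (assumed install path for the example).
EXPECTED_CLIENTS = {r"c:\program files (x86)\dropbox\client\dropbox.exe"}
BROWSER_NAMES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample records: timestamp, process image, destination host.
# The hypothetical 'msupdate.exe' is the made-up implant in this example.
SAMPLE_LOG = r"""
2019-07-01T09:00:00 c:\program files (x86)\dropbox\client\dropbox.exe api.dropboxapi.com
2019-07-01T09:00:05 c:\users\support\appdata\roaming\msupdate.exe api.dropboxapi.com
2019-07-01T09:01:05 c:\users\support\appdata\roaming\msupdate.exe api.dropboxapi.com
2019-07-01T09:02:05 c:\users\support\appdata\roaming\msupdate.exe content.dropboxapi.com
2019-07-01T09:03:05 c:\users\support\appdata\roaming\msupdate.exe api.dropboxapi.com
2019-07-01T09:10:00 c:\program files\google\chrome\application\chrome.exe www.dropbox.com
2019-07-01T09:12:00 c:\windows\system32\svchost.exe login.microsoftonline.com
"""


def parse_events(text):
    """Parse records; the image path may contain spaces, so split from both ends."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        image, host = rest.rsplit(" ", 1)
        events.append((datetime.fromisoformat(ts), image.lower(), host.lower()))
    return events


def unexpected_dropbox_clients(events):
    """Group Dropbox API connections by process image, dropping expected clients."""
    by_image = defaultdict(list)
    for ts, image, host in events:
        if host not in DROPBOX_API_HOSTS:
            continue
        basename = image.rsplit("\\", 1)[-1]
        if image in EXPECTED_CLIENTS or basename in BROWSER_NAMES:
            continue
        by_image[image].append(ts)
    return by_image


def beacon_stats(timestamps, min_hits=3, max_jitter=0.2):
    """Return (mean interval in seconds, beaconing?) for one process's connections.

    Cadence counts as beaconing when there are at least min_hits connections
    and the spread of the intervals is within max_jitter of their mean.
    """
    if len(timestamps) < min_hits:
        return None, False
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(intervals)
    jitter = pstdev(intervals) / avg if avg > 0 else 0.0
    return avg, jitter <= max_jitter


def detect(text):
    """Run the full heuristic over raw records and return one finding per process."""
    findings = []
    for image, stamps in unexpected_dropbox_clients(parse_events(text)).items():
        avg, beaconing = beacon_stats(stamps)
        findings.append({
            "image": image,
            "hits": len(stamps),
            "mean_interval_s": avg,
            "beaconing": beaconing,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample above the official client and the browser are ignored and the made-up `msupdate.exe` is reported with four API connections at a steady 60-second interval. In practice the allow-list of expected clients and the jitter threshold need tuning per environment, and a hit is a lead for triage (what dropped the binary, what it uploaded), not a verdict on its own.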
All of the targeted gambling sites were located in Southeast Asia. TrendMicro said it had been made aware that Europe and the Middle East are also being targeted, but the company could not confirm those claims.
TrendMicro’s research indicated links to a Chinese-led hacking group identified as Winnti, which has been attacking the gaming industry for about a decade. Since 2009, Kaspersky Lab researchers have found evidence of Winnti operations against video game companies, aimed at snatching in-game virtual currencies that were later sold for real cash.
The online gambling sector is no stranger to digital rogue actors, including state-sponsored operations by North Korea’s dictatorship, which allegedly relies on a network of online gambling sites based in other jurisdictions to generate badly needed hard currency. North Korean hackers have often been blamed for cryptocurrency thefts, as well as for the notorious (and only partially successful) attempt to steal $1bn from Bangladesh’s central bank.