Fraud Management & Cybercrime
APT Group Steals Source Code and Data, Not Money, Researchers Say
A newly identified hacking group has been targeting gambling companies in Asia, the Middle East and Europe, using backdoors to steal source code and other data, according to new research from security firm Trend Micro.
Trend Micro researchers call this newly discovered advanced persistent threat group “DRBControl.” The analysts note that the hackers’ techniques and some of their tools have not been seen in other campaigns.
The APT group was first discovered in the summer of 2019 by the consultancy Talent-Jump Technologies, which was conducting an incident response operation for a client located in the Philippines when it came across a never-before-seen backdoor connected to these hackers, according to the Trend Micro report. Talent-Jump later passed the information to Trend Micro, which conducted an analysis.
During their analysis, the Trend Micro researchers found that the DRBControl group targeted specific gambling companies and developed specialized backdoors to steal data as well as source code, according to the report.
“The exfiltrated data was mostly composed of databases and source codes, which leads us to believe that the campaign is used for cyberespionage or gaining competitive intelligence,” according to the Trend Micro report. “Some of the backdoors were unknown to us, which could suggest that it is a previously unreported group.”
Researchers at Trend Micro and Talent-Jump analysts believe that this campaign is continuing, according to the report.
Starts With Phishing
The attacks associated with DRBControl start with a spear-phishing email that targets individuals or departments within a company, according to the report. In several cases, it appears the hacking group targeted companies’ customer support teams.
The phishing emails that Trend Micro examined came with attached Microsoft Word documents that also contained screenshots meant to show a problem to customer support. Once the attachments were opened, executable files began installing malicious software in the background, the report notes.
In another case, it appears DRBControl used a PowerShell tool, hidden in an attached Word document, to download the malware, the researchers say.
Once the malware is delivered, it creates a backdoor, written in the C++ programming language, that had not previously been seen by Trend Micro researchers, according to the report. This backdoor can then read, write and execute files, capture screenshots, deploy a keylogger and delete registry keys, the researchers say.
The Trend Micro researchers also noticed that there were different versions of this backdoor, including one that used Dropbox, a cloud-based file and hosting service, to connect to the command-and-control server. The DRBControl hackers also used Dropbox files to store any stolen data as well as information about the devices targeted in the attack, the report finds.
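The following detection sketch is an added example, not code from the Trend Micro report, and covers two stages described above: a Word process spawning PowerShell or an executable dropped into a user-writable directory, and a process other than a browser or the Dropbox client contacting Dropbox domains. The telemetry records, PIDs, paths and process names below are constructed for illustration.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp|programdata)\\", re.I)
DROPBOX = re.compile(r"(^|\.)dropbox(api|usercontent)?\.com$", re.I)

# Constructed Sysmon-like telemetry: process-create records and network-connect records.
PROCESS_EVENTS = [
    {"pid": 4101, "ppid": 3990, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4133, "ppid": 4101, "image": r"C:\Users\support1\AppData\Local\Temp\update.exe"},
    {"pid": 4140, "ppid": 4101, "image": r"C:\Program Files\Adobe\Acrobat.exe"},  # benign child
    {"pid": 3300, "ppid": 1200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 5001, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
NETWORK_EVENTS = [
    {"pid": 4133, "dest": "api.dropboxapi.com", "port": 443},  # dropped binary talking to Dropbox
    {"pid": 3300, "dest": "www.dropbox.com", "port": 443},     # ordinary browser traffic
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_office_spawns(events):
    """(ppid, pid, child) for Office parents spawning script hosts or
    executables from user-writable paths: the delivery stage in the report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE:
            continue
        child = basename(e["image"])
        if child in SCRIPT_HOSTS or USER_WRITABLE.search(e["image"]):
            hits.append((e["ppid"], e["pid"], child))
    return hits

def find_dropbox_from_nonbrowser(proc_events, net_events):
    """(pid, image, dest) for non-browser processes reaching Dropbox domains:
    the command-and-control and storage channel the report describes."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for n in net_events:
        proc = by_pid.get(n["pid"])
        if proc is None or not DROPBOX.search(n["dest"]):
            continue
        if basename(proc["image"]) not in BROWSERS:
            hits.append((n["pid"], basename(proc["image"]), n["dest"]))
    return hits

if __name__ == "__main__":
    for hit in find_office_spawns(PROCESS_EVENTS) + find_dropbox_from_nonbrowser(PROCESS_EVENTS, NETWORK_EVENTS):
        print("ALERT", hit)
```

Both checks are noisy on their own (some organizations legitimately script from Office, and the Dropbox client itself syncs constantly), so in practice the parent-child rule is tuned per environment and the Dropbox rule is scoped to processes outside an allow-list.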
The APT group also appears to use some malicious tools that have been previously used by other groups, according to the report. This includes Cobalt Strike, a legitimate penetration testing tool that’s been repurposed by bad actors, as well as PlugX and HyperBro – backdoors used in other malicious campaigns, mainly in parts of Asia.
Other common malicious software used by the DRBControl group includes brute-force tools, code loaders, clipboard stealers and password dumpers, the report adds.
Ties to Other Groups?
The researchers at Trend Micro note that some of the malicious tools used by DRBControl are the same as those deployed by other advanced persistent threat groups that have been linked to China’s government. But they acknowledge that there’s not enough evidence to establish a definitive link between these groups.
For example, a China-linked hacking group known as Emissary Panda, or APT27, had previously used the HyperBro backdoor in its campaigns, and this malware “appears to be exclusive to the threat actor,” according to the Trend Micro analysis.
Since 2010, Emissary Panda has been targeting organizations in aerospace, government, defense and technology, according to the Trend Micro report. In April 2019, Palo Alto Networks’ Unit 42 reported that the group had started installing webshells on SharePoint servers to compromise government organizations in the Middle East.
The Trend Micro researchers also found that DRBControl used some of the same domains and strains of malware as another group called Winnti, which has been tied to Chinese intelligence by security firms, such as Kaspersky.