DRBControl Espionage Operation Hits Gambling, Betting Companies

Antus67

Nov 3, 2019
An advanced threat actor has been targeting gambling and betting companies in multiple regions of the globe with malware that links to two Chinese hacker groups.

Named "DRBControl" by security researchers, the group uses malware not publicly reported before. The mission appears to be cyberespionage, with the theft of databases and source code from the targets being part of the operation.

The actor seems to focus on companies in Southeast Asia but unconfirmed reports say that it also attacks targets in Europe and the Middle East.

Researchers at cybersecurity company Trend Micro started painting a larger picture of DRBControl's activities after analyzing a backdoor used by the group against a company in the Philippines.

The group combines both common and custom malware and exploitation tools in its attacks. Two main backdoors (Type 1 and Type 2) with rich capabilities, previously unknown to the researchers, stood out from the discovered arsenal.

Attackers employ DLL side-loading to execute the Type 1 backdoor, and the binary used for the job is MsMpEng.exe, the "Antimalware Service Executable" process used by Windows Defender for real-time monitoring of the system for potential threats.

An interesting detail in a recent version of this backdoor is that it relies on the Dropbox service to deliver various payloads and to store information stolen from compromised hosts, as well as commands, results, and heartbeats.

Data collected from infected hosts includes documents (Office and PDF), key logs, SQL dumps, browser cookies, and a KeePass manager database.
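The DLL side-loading technique described in the post (a genuine MsMpEng.exe copied somewhere it does not belong and made to load an attacker DLL) is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the post or from Trend Micro: it checks constructed Sysmon-style image-load records and flags any MsMpEng.exe that runs from, or loads a DLL from, outside the directories assumed here to be the normal Defender locations. The trusted directory list, the record format and the DLL names are assumptions for illustration.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Directories where the genuine Defender service binary and its DLLs are
# assumed to live (adjust to the Defender platform layout on your own fleet).
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\windows\system32",
)

def _trusted(path: str) -> bool:
    return any(path.lower().startswith(d) for d in TRUSTED_DIRS)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' image-load record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def check_image_load(event: Dict[str, str]) -> Optional[str]:
    """Return a finding when MsMpEng.exe runs from, or loads a DLL from,
    an untrusted directory, or loads an unsigned DLL; otherwise None."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if PureWindowsPath(image).name.lower() != "msmpeng.exe":
        return None  # only the Defender service binary is of interest here
    reasons = []
    if not _trusted(image):
        reasons.append("MsMpEng.exe copied outside the Defender directory")
    if not _trusted(loaded):
        reasons.append("DLL loaded from an untrusted directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    if not reasons:
        return None
    return f"{loaded} <- {image}: " + "; ".join(reasons)

# Constructed sample records; paths and DLL names are illustrative only.
SAMPLE_EVENTS = [
    r"Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe|ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\example.dll|Signed=true",
    r"Image=C:\Users\Public\Music\MsMpEng.exe|ImageLoaded=C:\Users\Public\Music\sideload.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true",
]

def find_sideloading(lines) -> List[str]:
    """Run the check over a batch of records and keep only the findings."""
    return [f for f in (check_image_load(parse_event(l)) for l in lines) if f]

if __name__ == "__main__":
    for finding in find_sideloading(SAMPLE_EVENTS):
        print(finding)
```

Real Sysmon Event ID 7 data carries more fields (hashes, signature subject); the same logic applies once the records are mapped to the Image/ImageLoaded/Signed keys used here.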