Chinese-Linked Hackers Targeting Gambling Companies

  • Hackers are thought to have links with APT 27, Winnti, and Emissary Panda
  • Spearphising emails are infected with backdoor trojans
  • Criminals are stealing data and code from gambling companies rather than money
hackers hack into corporate servers
A Chinese-linked hacking group called DRBControl is believed to be targeting gambling companies based in Southeast Asia. [Image:]

DRBControl attacks

According to IT security company Trend Micro, hackers with Chinese links are using backdoor trojans to run espionage-focused attacks on gambling companies in Southeast Asia. Unconfirmed hacks are reported to have also come from Europe and the Middle East, reports ZDNet.

the group has infected and kept track of around 200 computers through a Dropbox account

Talent-Jump Technologies first unearthed the activity last year and contacted Trend Micro while conducting an incident report for a firm based in the Philippines. According to the two security companies, the hacks are being carried out by a group they have called DRBControl.

Between July and September 2019, Talent-Jump states that the group has infected and kept track of around 200 computers through a Dropbox account and another 80 in a second account.

Links to Chinese hacking groups

Based on its techniques, the researchers point out that it could have connections with Chinese-linked APT 27. This group is known for targeting aerospace, government, defense, technology, and energy industries.

It did note, though, that the connection with APT 27 was “very loose.”

However, rather than stealing money from the gambling companies, it appears that those involved are taking code and data, suggesting that the hacks are espionage-focused.

The researchers said: “The exfiltrated data was mostly comprised of databases and source codes, which leads us to believe that the campaign is used for cyberespionage or gaining competitive intelligence.”

Trend Micro data also suggests that DRBControl could have ties to Winnti and Emissary Panda, two hacking groups that have undertaken hacks in the past 10 years aimed at the gambling industry.

Yet, regarding Winnti, it seems that there are three different overlaps. For example, DRBControl domain names are linked with ones previously used by Winnti, whereas in other examples, commands issued on DRBControl-compromised machines appear to have links with Winnti.

Tactics used

According to reports, hackers are using “straightforward and efficient” methods involving spearphishing email links.

Upon opening the Microsoft Word documents attached in the emails, which are embedded with an executable file or a .bat file, computers are infected with backdoor trojans.

hackers are using “straightforward and efficient” methods involving spearphishing email links

In one instance, DRBControl is thought to have contacted a company suggesting that the customer support team needed to address an error.

Another method Trend Micro identified uses PowerShell, an administration tool, to download the malware.

This isn’t the first instance of hacking groups targeting gambling companies. In 2018, it was reported that hackers in North Korea, known as the Lazarus Group, had targeted at least one online casino in Central America.