Wednesday, October 19, 2022

Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware

An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.

Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of secure messaging clients.

"Possibly we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up published this week.

The starting point of the investigation was in November 2021, when Kaspersky said it detected multiple PlugX loaders and other payloads that were deployed via an employee monitoring service and a security package deployment service.


The initial infection method, the distribution of the framework through security solution packages, afforded the threat actor the ability "to carry out cyberespionage activities with some level of stealth," the company said.

Subsequently, the same security package deployment service is said to have been employed to deliver what's called the GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader.

"This 'framework' includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data," the researchers explained.


Indications are that the DiceyF activity is a follow-on campaign to Earth Berberoka with a retooled malware toolset, even as the framework is maintained in two separate branches dubbed Tifa and Yuna, which contain different modules of varying levels of sophistication.

While the Tifa branch contains a downloader and a core component, Yuna is more complex in terms of functionality, incorporating a downloader, a set of plugins, and at least 12 PuppetLoader modules. That said, both branches are believed to be actively and incrementally updated.

Regardless of the variant employed, the GamePlayerFramework, once launched, connects to a command-and-control (C2) server and transmits information about the compromised host and the clipboard contents, after which the C2 responds with one of 15 commands that allow the malware to seize control of the machine.

This also includes launching a plugin on the victim system that can either be downloaded from the C2 server when the framework is instantiated or retrieved using the "InstallPlugin" command sent by the server.

These plugins, in turn, make it possible to steal cookies from Google Chrome and Mozilla Firefox browsers, capture keystroke and clipboard data, set up virtual desktop sessions, and even remotely connect to the machine over SSH.

Kaspersky also pointed to the use of a malicious app that mimics another piece of software called Mango Employee Account Data Synchronizer, a messenger app used at the targeted entities, to drop the GamePlayerFramework within the network.

"There are many interesting characteristics of DiceyF campaigns and TTPs," the researchers said. "The group modifies their codebase over time, and develops functionality in the code throughout their intrusions."

"To ensure that victims did not become suspicious of the disguised implants, attackers obtained information about targeted organizations (such as the floor where the organization's IT department is located) and included it within graphic windows displayed to victims."
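The browser cookie theft described above leaves a simple footprint for defenders: a process other than the browser itself opening the Chrome or Firefox cookie store. The following hunting heuristic is an added example written for this article, not code from Kaspersky or from the DiceyF toolset; the endpoint telemetry format, the process names and the user paths in it are constructed for the illustration, and the assumption that only `chrome.exe` and `firefox.exe` legitimately read those files would need tuning for backup or endpoint agents in a real environment.

```python
"""Flag non-browser processes that open Chrome or Firefox cookie stores.

Added illustration for the article above; the log format, the process names
and the user paths are constructed, not taken from any real incident.
"""
import re
from pathlib import PureWindowsPath

# Cookie stores of the two browsers the write-up names (Chrome, Firefox).
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]

# Assumption for this example: only the browser binaries should read those files.
EXPECTED_READERS = {"chrome.exe", "firefox.exe"}

# Constructed telemetry line shape: <timestamp> pid=<n> image="<exe>" op=<op> path="<file>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" '
    r'op=(?P<op>\w+) path="(?P<path>[^"]+)"$'
)


def parse_line(line):
    """Return a dict for a well-formed telemetry line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    return event


def is_cookie_store(path):
    """True when the path points at a Chrome or Firefox cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def suspicious_cookie_access(lines):
    """Return (pid, image name, path) for every cookie-store open by a non-browser process."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["op"] != "FileOpen":
            continue
        if not is_cookie_store(event["path"]):
            continue
        image = PureWindowsPath(event["image"]).name.lower()
        if image not in EXPECTED_READERS:
            hits.append((event["pid"], image, event["path"]))
    return hits


# Constructed sample telemetry: the browser reads its own store (benign),
# an unrelated "synctool.exe" reads both browsers' stores (flagged).
SAMPLE_LOG = [
    r'2022-10-19T08:00:01Z pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=FileOpen path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'2022-10-19T08:00:07Z pid=5532 image="C:\Users\alice\AppData\Roaming\SyncTool\synctool.exe" op=FileOpen path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'2022-10-19T08:00:09Z pid=5532 image="C:\Users\alice\AppData\Roaming\SyncTool\synctool.exe" op=FileOpen path="C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"',
    r'2022-10-19T08:00:12Z pid=6001 image="C:\Windows\System32\notepad.exe" op=FileOpen path="C:\Users\alice\Documents\notes.txt"',
    r'2022-10-19T08:00:15Z pid=2210 image="C:\Program Files\Mozilla Firefox\firefox.exe" op=FileOpen path="C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"',
]

if __name__ == "__main__":
    for pid, image, path in suspicious_cookie_access(SAMPLE_LOG):
        print(f"pid={pid} {image} opened {path}")
```

Run as-is it reports only the two opens by `synctool.exe`; the browsers' own reads and the unrelated file open are ignored. The same shape works for keystroke or clipboard-related hunting once the relevant telemetry source is substituted, but the allow-list of expected readers is the part that needs site-specific care.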
