An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.
Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of secure messaging clients.
“Likely we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery,” researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up published this week.
The starting point of the investigation was in November 2021, when Kaspersky said it detected multiple PlugX loaders and other payloads that were deployed via an employee monitoring service and a security package deployment service.
The initial infection method – distributing the framework through the packages pushed by a security solution, so that the implants arrived through the same trusted channel as legitimate software – afforded the threat actor the ability “to perform cyberespionage activities with some level of stealth,” the company noted.
Subsequently, the same security package deployment service is said to have been employed to deliver what is called the GamePlayerFramework, a C# variant of a C++-based malware referred to as PuppetLoader.
“This ‘framework’ includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data,” the researchers explained.
Indications are that the DiceyF activity is a follow-on campaign to Earth Berberoka with a retooled malware toolset, even as the framework is maintained in two separate branches dubbed Tifa and Yuna, which contain different modules of varying levels of sophistication.
While the Tifa branch consists of a downloader and a core component, Yuna is more complex in terms of functionality, incorporating a downloader, a set of plugins, and at least 12 PuppetLoader modules. That said, both branches are believed to be actively and incrementally updated.
Regardless of the variant employed, the GamePlayerFramework, once launched, connects to a command-and-control (C2) server and transmits information about the compromised host along with the clipboard contents, after which the C2 responds with one of 15 commands that allow the malware to seize control of the machine.
This also includes launching a plugin on the victim system, which can either be downloaded from the C2 server when the framework is instantiated or retrieved later using the “InstallPlugin” command sent by the server.
These plugins, in turn, make it possible to steal cookies from the Google Chrome and Mozilla Firefox browsers, capture keystroke and clipboard data, set up virtual desktop sessions, and even remotely connect to the machine over SSH.
Kaspersky also pointed to the use of a malicious app that mimics a legitimate piece of software called Mango Employee Account Data Synchronizer, a messenger app used at the targeted entities, to drop the GamePlayerFramework within the network.
“There are many interesting characteristics of DiceyF campaigns and TTPs,” the researchers said. “The group modifies their codebase over time, and develops functionality in the code throughout their intrusions.”
“To ensure that victims did not become suspicious of the disguised implants, attackers obtained information about targeted organizations (such as the floor where the organization’s IT department is located) and included it within graphic windows displayed to victims.”