An Advanced Persistent Threat (APT) group originating from China and codenamed DiceyF has been linked to a series of attacks targeting online casinos in Southeast Asia over a period of years.
Russian cybersecurity company Kaspersky said the activity was consistent with a series of other intrusions carried out by Earth Berberoka (aka GamblingPuppet) and DRBControl, citing similarities in tactics and targeting as well as the abuse of a secure messaging app.
“Maybe we have a combination of spies and [intellectual property],” researchers Kurt Baumgartner and Georgy Kucherin said in a technical paper published this week.
The starting point of the investigation was November 2021, when Kaspersky said it detected various PlugX loaders and other payloads deployed through a security package deployment and employee monitoring service.
The initial infection method – distributing the framework through security solution packages – allowed the threat actor to “perform cyber espionage activities with some degree of stealth”, the company said.
Later, the same security package deployment service was said to have been used to deliver the so-called GamePlayerFramework, a C# variant of a C++-based malware called PuppetLoader.
This ‘framework’ includes a downloader, a launcher, and a set of plugins that provide remote access and steal keystrokes and clipboard data, the researchers explain.
Signs suggest that the DiceyF operation is a follow-up to Earth Berberoka’s campaign with a retooled malware toolkit, with the framework maintained as two separate forks, named Tifa and Yuna, each of which comes with different modules at different levels of complexity.
While the Tifa branch contains only the downloader and core components, Yuna is more functionally complex, consisting of a downloader, a set of plugins, and at least 12 PuppetLoader modules. Both branches are said to receive active, incremental updates.
Regardless of the variant used, GamePlayerFramework, once launched, connects to its command-and-control (C2) server and transmits information about the compromised server along with its clipboard contents; the C2 server then responds with one of 15 commands that allow the malware to take control of the machine.
These commands also include launching a plugin on the victim system; plugins can be downloaded from the C2 server when the framework is initialized or retrieved with the “InstallPlugin” command sent by the server.
In turn, these plugins can steal cookies from the Google Chrome and Mozilla Firefox browsers, log keystrokes and clipboard data, establish virtual desktop sessions, and even remotely connect to machines via SSH.
Kaspersky also pointed out the use of a malicious application that mimics another piece of software called Mango Employee Account Data Synchronizer, a messaging application used by the targeted organizations, to deploy GamePlayerFramework inside the network.
“There are many interesting features of the DiceyF campaigns and TTPs,” the researchers said. “The team modifies their codebase over time and develops functionality in the code throughout their forays.”
“To ensure that victims do not become suspicious of the camouflaged implant, the attackers obtained information about the targeted organizations (such as the tier where the organization’s IT department is located), and it goes inside the graphical window displayed to the victim.”