An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.
Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of secure messaging clients.
"Possibly we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up published this week.
The starting point of the investigation was in November 2021, when Kaspersky said it detected multiple PlugX loaders and other payloads that had been deployed via an employee monitoring service and a security package deployment service.
The initial infection method, the distribution of the framework through security solution packages, allowed the threat actor "to perform cyberespionage activities with some level of stealth," the company said.
Subsequently, the same security package deployment service is said to have been employed to deliver what's called the GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader.
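The infection path described above relies on a trusted deployment service staging attacker-supplied files alongside legitimate packages. One defensive check that follows from this is to audit whatever the deployment service is about to push against an allowlist of expected package digests, so that an unexpected loader dropped into the staging area is flagged before distribution. The following Python script is an added example, not code from Kaspersky or from the article; the staging directory layout, file names and allowlist values are constructed for the demonstration and are not indicators from the report.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large installers don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_staging_dir(staging_dir, allowlist):
    """Walk a deployment service's staging directory and return a sorted list
    of (relative path, sha256) for every file whose digest is NOT in the
    allowlist of packages the service is expected to distribute."""
    root = Path(staging_dir)
    unexpected = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest not in allowlist:
            unexpected.append((p.relative_to(root).as_posix(), digest))
    return unexpected


def demo():
    """Constructed scenario: one vendor package that is on the allowlist and
    one unknown DLL that appeared in a plugins subfolder (hypothetical names)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "agent-update.msi").write_bytes(b"constructed vendor package bytes")
        (root / "plugins").mkdir()
        (root / "plugins" / "helper.dll").write_bytes(b"constructed unknown loader bytes")
        # The allowlist would normally come from the vendor's published digests;
        # here it is derived from the known-good file so the example is self-contained.
        allowlist = {sha256_of(root / "agent-update.msi")}
        return audit_staging_dir(root, allowlist)


if __name__ == "__main__":
    for rel_path, digest in demo():
        print(f"UNEXPECTED {rel_path} sha256={digest}")
```

A hash allowlist is the minimum; in production the same walk would also verify the publisher's code signature on each package and alert when the deployment service's own staging location is written to by any process other than the service itself, since abuse of a legitimate distribution channel is the whole point of this technique.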
"This 'framework' includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data," the researchers explained.
Indications are that the DiceyF activity is a follow-on campaign to Earth Berberoka with a retooled malware toolset, even as the framework is maintained in two separate branches dubbed Tifa and Yuna, which contain different modules of varying levels of sophistication.
While the Tifa branch contains a downloader and a core component, Yuna is more complex in terms of functionality, incorporating a downloader, a set of plugins, and at least 12 PuppetLoader modules. That said, both branches are believed to be actively and incrementally updated.
Regardless of the variant employed, the GamePlayerFramework, once launched, connects to a command-and-control (C2) server and transmits information about the compromised host and the clipboard contents, after which the C2 responds with one of 15 commands that allow the malware to seize control of the machine.
This also includes launching a plugin on the victim system that can either be downloaded from the C2 server when the framework is instantiated or retrieved using the "InstallPlugin" command sent by the server.
These plugins, in turn, make it possible to steal cookies from Google Chrome and Mozilla Firefox browsers, capture keystroke and clipboard data, set up virtual desktop sessions, and even remotely connect to the machine over SSH.
Kaspersky also pointed to the use of a malicious app that mimics another piece of software called Mango Employee Account Data Synchronizer, a messenger app used at the targeted entities, to drop the GamePlayerFramework across the network.
"There are various interesting characteristics of DiceyF campaigns and TTPs," the researchers said. "The group modifies their codebase over time, and develops functionality in the code throughout their intrusions."
"To ensure that victims did not become suspicious of the disguised implants, attackers obtained information about targeted organizations (such as the floor where the organization's IT department is located) and included it within graphic windows displayed to victims."