A years-long series of cyberattacks against online casinos in Southeast Asia has been attributed to a China-based advanced persistent threat (APT) group tracked under the codename DiceyF. According to the Russian cybersecurity firm Kaspersky, the activity is consistent with another set of breaches linked to Earth Berberoka (also known as GamblingPuppet) and DRBControl, with overlapping tactics and targets, including the abuse of secure messaging clients.
“Possibly we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery,” researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up released this week.
Kaspersky's investigation began in November 2021, when it found that an employee monitoring service and a security package distribution service had been used to deliver several PlugX loaders and other payloads. The company added that this initial infection approach, distributing the framework inside security solution packages, allowed the threat actor to carry out cyberespionage operations with a degree of stealth. The GamePlayerFramework, a C# counterpart to the C++-based malware known as PuppetLoader, is then believed to have been delivered through the same security package distribution service.
“This ‘framework’ includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data,” explained the researchers.
Although the framework is maintained in two distinct branches, Tifa and Yuna, each with modules of varying complexity, there are indications that the DiceyF activity is a follow-on campaign to Earth Berberoka with a retooled malware toolkit. Yuna, with a downloader, a collection of plugins, and at least 12 PuppetLoader modules, is functionally more complex than Tifa, which consists of a downloader and a core component. Both branches are nevertheless believed to be under gradual but aggressive development.
Regardless of the branch, once launched the GamePlayerFramework contacts a command-and-control (C2) server and sends information about the infected host along with the contents of the clipboard. The C2 then responds with one of 15 commands that let the malware take control of the machine. These include launching a plugin on the victim system; the plugin can be downloaded from the C2 server either when the framework starts or in response to the "InstallPlugin" command sent by the server.
The plugins, in turn, enable theft of cookies from the Google Chrome and Mozilla Firefox web browsers, logging of keystrokes and clipboard data, creation of virtual desktop sessions, and even establishment of remote SSH connections to the system. Kaspersky also noted that a malicious app impersonating Mango Employee Account Data Synchronizer, a messaging app used by the targeted businesses, was used to introduce the GamePlayerFramework into the network.
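Two of the behaviours described above, cookie theft from Chrome and Firefox and a malicious binary posing as the organisation's messaging client, can be watched for in endpoint telemetry. The script below is an added detection example, not code from Kaspersky or from the report; the newline-delimited JSON event shape, the expected install directory and the code-signer name for the legitimate client are assumptions made for the example, and the telemetry it scans is constructed inline.

```python
"""
Added detection example (not Kaspersky's code): flags two behaviours the
article attributes to DiceyF's GamePlayerFramework plugins and loader,
(1) a non-browser process reading Chrome or Firefox cookie stores and
(2) a binary presenting the messaging client's name from the wrong
directory or with the wrong code signer.

The line-oriented JSON telemetry shape, the expected install directory and
the signer name for the legitimate client are ASSUMPTIONS for this example.
"""
import json
import re
from typing import Iterable, List

# Cookie stores of the two browsers named in the article.  Chrome stores its
# cookie database as "Cookies" (older builds) or "Network\Cookies" (newer
# builds) under the profile directory; Firefox uses cookies.sqlite.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe"}

# ASSUMED baseline for the impersonated client; install path and signer are
# hypothetical placeholders, not values from the report.
LEGIT_CLIENT = {
    "display_name": "Mango Employee Account Data Synchronizer",
    "image_dir": r"C:\Program Files\Mango",
    "signer": "EXAMPLE-SIGNER Mango Software",
}


def is_cookie_store(path: str) -> bool:
    """True if the path points at a Chrome or Firefox cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def check_event(ev: dict) -> List[str]:
    """Return zero or more alert strings for one telemetry event."""
    findings: List[str] = []
    proc = ev.get("process", "").lower()
    image = ev.get("image", "")
    file_path = ev.get("file_path", "")

    # Heuristic 1: cookie store opened by something other than the browser.
    if ev.get("action") == "file_read" and is_cookie_store(file_path):
        if proc not in BROWSER_PROCESSES:
            findings.append(f"cookie_theft: {proc} read {file_path}")

    # Heuristic 2: carries the client's name but runs from the wrong place or
    # lacks the expected signer (the article's "disguised implant" case).
    if ev.get("display_name") == LEGIT_CLIENT["display_name"]:
        expected_dir = LEGIT_CLIENT["image_dir"].lower() + "\\"
        wrong_dir = not image.lower().startswith(expected_dir)
        wrong_signer = ev.get("signer") != LEGIT_CLIENT["signer"]
        if wrong_dir or wrong_signer:
            reasons = [r for r, hit in (("path", wrong_dir), ("signer", wrong_signer)) if hit]
            findings.append(f"masquerade: {image} ({', '.join(reasons)})")
    return findings


def scan(lines: Iterable[str]) -> List[str]:
    """Run both heuristics over newline-delimited JSON events."""
    alerts: List[str] = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(check_event(json.loads(line)))
    return alerts


# CONSTRUCTED sample telemetry: two benign events and two that should alert.
SAMPLE_TELEMETRY = r'''
{"action": "file_read", "process": "chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "file_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"action": "file_read", "process": "sync.exe", "image": "C:\\Users\\Public\\sync.exe", "file_path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k1x2.default-release\\cookies.sqlite"}
{"action": "process_start", "process": "mango.exe", "image": "C:\\Program Files\\Mango\\mango.exe", "display_name": "Mango Employee Account Data Synchronizer", "signer": "EXAMPLE-SIGNER Mango Software"}
{"action": "process_start", "process": "MangoSync.exe", "image": "C:\\Users\\Public\\MangoSync.exe", "display_name": "Mango Employee Account Data Synchronizer", "signer": null}
'''


def scan_sample() -> List[str]:
    """Scan the constructed sample; expect two alerts (cookie theft, masquerade)."""
    return scan(SAMPLE_TELEMETRY.splitlines())


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

The second heuristic is only as good as the baseline it compares against: an allow-list of the legitimate client's install path and signer has to come from an inventory of the real deployment, and the path check alone is weak because the article notes the attackers tailored their disguises to each victim, so the signer comparison is the one that should carry the weight.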
The researchers noted several intriguing features of the DiceyF campaigns and TTPs. The group modifies its codebase over time and adds functionality in the course of its intrusions. The attackers also gathered details about the targeted organizations, such as the floor on which the organization's IT department is located, and embedded them in graphical windows displayed to victims so that the disguised implants would not arouse suspicion.