Chinese hackers hack gambling sites in Southeast Asia

Tomcat



Experts from Trend Micro and Talent-Jump noted that since the summer of 2019, Chinese hackers have been attacking gambling and online betting sites in Southeast Asia. Unconfirmed rumors of hacking also came from countries in Europe and the Middle East.

According to the researchers, the DRBControl group is behind the detected incidents. The hackers steal company databases and source code, but not money, so the main purpose of these attacks is apparently espionage.

DRBControl's tactics closely resemble the tools and techniques used by other state-sponsored hacking groups from the Middle Kingdom: Winnti and Emissary Panda. However, at present it is impossible to judge whether DRBControl is acting independently or on orders from the authorities. For example, last year FireEye experts wrote that some Chinese groups carry out attacks for their own benefit in their free time.

Overall, DRBControl attacks are neither complex nor unique. They start with phishing emails sent to future victims. Through such messages, employees of targeted companies receive malicious documents, and then backdoor Trojans. This malware relies on Dropbox to operate as a command and control server, as well as to store payloads and stolen data. This is where the group's name comes from - DRBControl (DRopBox Control).
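The Dropbox-as-C2 behaviour described above gives defenders something concrete to hunt for: a process that is neither the Dropbox client nor a browser talking to Dropbox's API, or an unusually large upload volume to it. The following is an added example, not code from the original post or from the Trend Micro / Talent-Jump reports. It runs over constructed endpoint/proxy log lines and raises alerts on that pattern. The hostnames api.dropboxapi.com and content.dropboxapi.com are Dropbox's real public API endpoints; the log format, the process allowlist, the upload threshold and every host, user and process name in the sample are assumptions made up for the example.

```python
"""Added detection example: flag Dropbox API traffic from unexpected
processes and large uploads to the Dropbox API. Not from the original
post; log format, allowlist, threshold and sample data are constructed."""
import re
from collections import defaultdict

# Dropbox's public API hostnames (real endpoints). The post says the backdoor
# uses Dropbox for tasking, payload storage and exfiltration, so traffic to
# these hosts from an unexpected process is the signal we look for.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumption: processes that legitimately talk to the Dropbox API on a workstation.
ALLOWED_PROCESSES = {"Dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Assumption: one connection record per line, as an EDR or proxy might emit it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"proc=(?P<proc>\S+) dst=(?P<dst>\S+) sent=(?P<sent>\d+) recv=(?P<recv>\d+)$"
)

# Constructed sample log: one workstation with the real client and a browser,
# one workstation where an unknown "updater.exe" talks to Dropbox and pushes
# several megabytes out, and one unrelated connection.
SAMPLE_LOG = """
2019-08-12T09:14:02Z host=WS-ACCT-07 user=jlin proc=Dropbox.exe dst=api.dropboxapi.com sent=1200 recv=3400
2019-08-12T09:15:10Z host=WS-ACCT-07 user=jlin proc=chrome.exe dst=content.dropboxapi.com sent=800 recv=95000
2019-08-12T09:16:33Z host=WS-DEV-03 user=svc_build proc=updater.exe dst=api.dropboxapi.com sent=512 recv=2048
2019-08-12T09:17:01Z host=WS-DEV-03 user=svc_build proc=updater.exe dst=content.dropboxapi.com sent=6200000 recv=900
2019-08-12T09:18:40Z host=WS-HR-11 user=mtan proc=firefox.exe dst=www.example.com sent=300 recv=12000
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sent"] = int(rec["sent"])
    rec["recv"] = int(rec["recv"])
    return rec


def find_suspicious(lines, upload_threshold=5_000_000):
    """Return a list of (host, process, reason) alerts.

    Reason 1: a process outside the allowlist contacted a Dropbox API host
              (reported once per host/process pair).
    Reason 2: total bytes sent to Dropbox API hosts by one host/process pair
              reached upload_threshold, a crude exfiltration signal.
    """
    alerts = []
    seen_unexpected = set()
    sent_per_host_proc = defaultdict(int)

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in DROPBOX_API_HOSTS:
            continue
        key = (rec["host"], rec["proc"])
        if rec["proc"] not in ALLOWED_PROCESSES and key not in seen_unexpected:
            seen_unexpected.add(key)
            alerts.append((rec["host"], rec["proc"], "unexpected process using Dropbox API"))
        sent_per_host_proc[key] += rec["sent"]

    for (host, proc), total in sent_per_host_proc.items():
        if total >= upload_threshold:
            alerts.append((host, proc, f"large upload volume to Dropbox API ({total} bytes)"))
    return alerts


if __name__ == "__main__":
    for host, proc, reason in find_suspicious(SAMPLE_LOG.strip().splitlines()):
        print(f"ALERT {host} {proc}: {reason}")
```

On the sample above only WS-DEV-03 / updater.exe is reported, once for being an unexpected process and once for the roughly 6 MB sent. In practice the allowlist should be built from what is actually observed on the estate, and the volume check should be combined with the process check rather than used alone, since browsers uploading to Dropbox are common.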

Backdoors installed on the affected companies' networks are then used to download other hacking tools and malware, which are in turn used to move laterally around the network in search of valuable information that can be stolen. Among the tools used by DRBControl, the following were noticed:
  • tools for scanning NETBIOS servers;
  • tools for brute force attacks;
  • tools to bypass Windows UAC;
  • tools for elevating privileges on an infected host;
  • tools for stealing passwords from infected hosts;
  • tools to steal data from the clipboard;
  • tools for downloading and executing malicious code on infected hosts;
  • tools for getting the public IP address of a workstation;
  • tools for creating tunnels to external networks.
Researchers at Talent-Jump write that they closely monitored the group's activities from July to September 2019. During this time, hackers managed to infect about 200 computers using one Dropbox account, and about 80 more machines were compromised through another Dropbox account.

Since DRBControl attacks continue to this day, specialists from both companies included indicators of compromise in their reports, which administrators are advised to review.