A gambling company in the Philippines was targeted by a China-aligned threat actor as part of a campaign that has been ongoing since October 2021.
Slovak cybersecurity firm ESET is tracking the series of attacks on South East Asian gambling firms under the name Operation ChattyGoblin.
“These attacks use a specific tactic: targeting support agents at victim companies via chat applications, in particular the Comm100 and LiveHelp100 applications,” ESET said in a report shared with The Hacker News.
CrowdStrike first documented the use of a trojanized Comm100 installer to deliver malware in October 2022, attributing the supply chain compromise to a threat actor likely with a China nexus.
The attack chains abuse the chat applications named above to distribute a C# dropper, which deploys a second C# executable that in turn drops a Cobalt Strike beacon on the compromised workstations.
Also highlighted in the ESET APT Activity Report Q4 2022–Q1 2023 are attacks carried out by India-linked threat actors Donot Team and SideWinder against government institutions in South Asia.
A smaller set of attacks has been linked to another Indian APT group called Confucius, which has been active since at least 2013 and is believed to share ties with the Patchwork group. The threat actor has previously used Pegasus-themed decoys and other lure documents to attack government agencies in Pakistan.
The latest intrusion, according to ESET, involved the use of a remote access trojan called Ragnatela which is an updated variant of the BADNEWS RAT.
Elsewhere, the cybersecurity firm said it detected the Iranian threat actor known as OilRig (aka Hazel Sandstorm) deploying a custom implant labeled Mango against an Israeli healthcare company.
It is worth noting that Microsoft recently attributed Storm-0133, an emerging threat cluster affiliated with Iran’s Ministry of Intelligence and Security (MOIS), to attacks exclusively targeting Israeli local government agencies and companies serving the defense, accommodation and health sectors.
“The MOIS group used the legitimate but compromised Israeli website for command and control (C2), demonstrating an improvement in operational security as the technique complicates the efforts of defenders, who often leverage geolocation data to identify anomalous network activity,” Microsoft noted, further noting Storm-0133’s reliance on the Mango malware in these intrusions.
ESET also said an unnamed Indian provider of data management services was on the receiving end of an attack carried out by the North Korean-backed Lazarus Group in January 2023, which used an Accenture-themed social engineering lure.
“The attackers’ goal was to monetize their presence on the company’s network, most likely through a compromise of business email,” the company said, calling it a shift from the group’s traditional victimology patterns.
The Lazarus Group is also said to have breached a defense contractor in Poland in February 2023, using fake job offers to start an attack chain that weaponizes a modified version of SumatraPDF to deploy a RAT called ScoringMathTea and a sophisticated downloader codenamed ImprudentCook.
Rounding out the list is phishing activity from Russia-aligned APT groups such as Gamaredon, Sandworm, Sednit, The Dukes and SaintBear, the last of which was detected using an updated version of its Elephant malware framework and a new Go-based backdoor known as ElephantLauncher.
Other notable APT activity detected during the time period includes that of Winter Vivern and YoroTrooper, which ESET said overlaps strongly with a group it has been tracking under the name SturgeonPhisher since early 2022.
YoroTrooper is suspected of being active since at least 2021, with attacks targeting government, energy and international organizations in Central Asia and Europe.
The public disclosure of its tactics in March 2023 is suspected to have led to a “major drop in activity”, raising the possibility that the group is updating its arsenal and altering its modus operandi.
ESET’s findings follow Kaspersky’s APT trends report for the first quarter of 2023, which uncovered a previously unknown threat actor dubbed Trila targeting Lebanese government entities using “homemade malware that allows them to remotely execute Windows system commands on infected machines.”
The Russian cybersecurity firm also drew attention to the discovery of a new strain of Lua-based malware called DreamLand targeting a government entity in Pakistan, marking one of the rare cases in which an APT actor has used the programming language in active attacks.
“The malware is modular and uses the Lua scripting language together with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect,” Kaspersky researchers said.
“It also has various anti-debugging capabilities and uses Windows APIs through Lua FFI, which uses C language bindings to perform its activities.”
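To make the DreamLand description concrete, the following is an added illustration written for this article, not code from Kaspersky or from the malware itself. It shows how a LuaJIT script reaches the Windows API through the FFI with nothing more than a C declaration string, runs the kind of anti-debugging checks the report mentions, and loads a further stage from a string rather than a file. The helper names (`k32`, `debugger_attached`, `run_stage`, `module_src`) and the embedded module text are assumptions constructed for the example; the Win32 functions it declares are real kernel32 exports.

```lua
-- Added illustration (not DreamLand code): how a Lua-based implant can reach
-- the Windows API through the LuaJIT FFI, and why that is hard to spot.
local ffi = require("ffi")

-- C declarations are just a string handed to ffi.cdef at runtime, so the
-- imported API names never appear in a PE import table. __stdcall is honored
-- on x86 and ignored on x64, so the same declarations work on both.
ffi.cdef[[
  int   __stdcall IsDebuggerPresent(void);
  void* __stdcall GetCurrentProcess(void);
  int   __stdcall CheckRemoteDebuggerPresent(void* hProcess, int* pbPresent);
  unsigned long __stdcall GetCurrentProcessId(void);
  unsigned long __stdcall GetTickCount(void);
]]

-- On Windows, kernel32 symbols are already visible through ffi.C; loading the
-- DLL explicitly by name makes the dependency obvious in this example.
local k32 = ffi.os == "Windows" and ffi.load("kernel32") or nil

-- Anti-debugging checks of the kind the report describes, each a direct
-- Win32 call with no intermediate C code compiled into the dropper.
local function debugger_attached()
  if not k32 then return false end           -- non-Windows: nothing to check
  if k32.IsDebuggerPresent() ~= 0 then return true end
  local flag = ffi.new("int[1]")
  k32.CheckRemoteDebuggerPresent(k32.GetCurrentProcess(), flag)
  if flag[0] ~= 0 then return true end
  -- Timing check: a single-stepped loop takes far longer than a few ms.
  local t0 = k32.GetTickCount()
  local x = 0
  for i = 1, 100000 do x = x + i end
  return (k32.GetTickCount() - t0) > 500
end

-- "Modular": a later stage arrives as a string and is compiled by LuaJIT on
-- the fly, so there is no second file on disk for a scanner to inspect.
-- The module text below is constructed for this example.
local module_src = [[
  local ffi = require("ffi")
  local pid = ffi.os == "Windows" and tonumber(ffi.C.GetCurrentProcessId()) or 0
  return { pid = pid }
]]

local function run_stage(src)
  local chunk, err = loadstring(src)          -- LuaJIT keeps Lua 5.1's loadstring
  if not chunk then return nil, err end
  return chunk()
end

if not debugger_attached() then
  local stage = run_stage(module_src)
  print("next stage loaded in pid", stage and stage.pid or "?")
end
```

Run it with `luajit script.lua`; on a non-Windows host the API calls are skipped and only the string-loaded stage executes. For hunting, the example points at what is actually observable: an embedded LuaJIT runtime in an unexpected process, `ffi.cdef` declaration strings of Win32 prototypes in memory, and `loadstring`/`load` of code that never touched disk.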
Gambling firms are increasingly attractive targets for threat actors looking to capitalize on weakly protected networks and accounts. With the rise of online gambling operators, attackers have found new ways to reach both the companies and the people who use their services. As the ChattyGoblin campaign shows, one strategy is to go after the support agents themselves through the chat applications they rely on, turning a trojanized support tool into the first foothold on the network.
Malicious activity arriving through chat tooling is hard to distinguish from normal support traffic, and it can come from several families of malware delivered this way. Once an agent's workstation is compromised, the attacker can read private customer conversations, harvest the personal data they contain and pivot further into the network, and it can be difficult for the gambling firm to spot the intrusion and take the steps needed to protect its systems.
At Ikaroa, our mission is to provide our clients with the strongest tools available to stay ahead of emerging cyber threats. Our experienced team of security professionals is constantly researching and developing new security protocols and technologies to combat malicious actors online. We provide our clients with up-to-date cybersecurity systems and training to ensure that their accounts and networks are monitored and protected year-round.
Gambling operators must be prepared for these threats and take the precautions needed to secure access to their networks and accounts. With chat applications becoming a favored entry point, companies need to stay proactive in order to provide a secure environment for their customers. With our cybersecurity solutions and training, Ikaroa can help protect networks and customer privacy across the gambling sector.