Chinese APTs Performing Ransomware Attacks Using Legitimate Tools

An infamous hacker group from China is actively attacking gambling and other online betting sites in South East Asia. The group, DRBControl, was once said to be attacking on behalf of China, but is now hacking in its own interest. It has been found stealing source code and databases from victims rather than money.

Trend Micro and Talent-Jump have reviewed this group and exposed its operation. DRBControl is said to be using the same tactics as Winnti and Emissary Panda, which are Chinese state-backed groups. But now, as per FireEye reports, the group may not be associated with China and could be attacking out of its own interest.

Chinese Hacking Group has Hacked Southeast Asian Online Betting Sites (Image via ft.com)

Since summer 2019, DRBControl has been actively breaching the networks of several online betting and gambling sites and stealing their sensitive databases and source code. This may seem typical, but gaining such deep secrets lets the group analyse how a site's system works and rig its playing methods to make money later. While current reports say only sites based in South East Asia were affected, unconfirmed rumours say the group hacked European and Middle Eastern sites too.

Operation flow

The group follows a very common method in the cybercrime space – spear phishing – to attack its targets. It first sends a crafted email to one of the company’s employees to lure them into clicking malicious links or attachments. That downloads a payload which relies on Dropbox for its operations! Using Dropbox for this wasn’t expected, was it?

The trojan creates a backdoor that runs on Dropbox: it uses Dropbox's hosting and file-sharing services to communicate with its C2 server, to drop further payloads and even to store the stolen data! This heavy reliance on Dropbox is why the group is named DRBControl (DRopBox Control).

Between July and September 2019, DRBControl infected hundreds of computers. It is said to have hacked over 200 computers using one Dropbox account and another 80 computers using a second account. The group is capable of stealing information from the clipboard, creating network traffic tunnels, scanning NetBIOS servers, dumping passwords and even carrying out brute force attacks.
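As an added example (not from the article or from the vendor reports it cites), here is a small detection pass over constructed endpoint telemetry that flags Dropbox API traffic coming from processes other than the official Dropbox client, the pattern a Dropbox-based backdoor like the one described above would leave behind. The log format, Dropbox hostnames, allowed process names and the upload threshold are assumptions for the sake of the example.

```python
"""Flag Dropbox API traffic that originates from processes other than the
official Dropbox client, i.e. the footprint a backdoor leaves when it uses
Dropbox for C2 and for staging stolen data.  Added example with constructed
sample data; hostnames, process names and thresholds are assumptions."""
import json
from collections import defaultdict

# Hostnames of the Dropbox HTTP API (assumption: adjust to what your own proxy
# logs show; ordinary browsing of www.dropbox.com is deliberately excluded).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes expected to talk to the Dropbox API legitimately (assumption).
ALLOWED_PROCESSES = {"dropbox.exe"}
# Upload volume per (host, process) above which a hit is rated "high".
EXFIL_BYTES = 50 * 1024 * 1024  # 50 MiB, tunable

# Constructed endpoint-telemetry records, one JSON object per line.
SAMPLE_LOG = """
{"host":"WS-01","process":"dropbox.exe","dest":"api.dropboxapi.com","bytes_out":4096}
{"host":"WS-07","process":"svchost.exe","dest":"api.dropboxapi.com","bytes_out":1200}
{"host":"WS-07","process":"svchost.exe","dest":"content.dropboxapi.com","bytes_out":70000000}
{"host":"WS-09","process":"chrome.exe","dest":"www.dropbox.com","bytes_out":900}
{"host":"DB-02","process":"wmiprvse.exe","dest":"content.dropboxapi.com","bytes_out":3000}
"""

def detect_dropbox_c2(log_text):
    """Return one alert per (host, process) pair that reaches the Dropbox API
    without being the Dropbox client.  Each alert sums the bytes sent and
    rates it 'high' once the total crosses EXFIL_BYTES (possible exfil)."""
    uploads = defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["dest"] not in DROPBOX_API_HOSTS:
            continue  # not API traffic; plain web use of Dropbox is ignored
        if rec["process"].lower() in ALLOWED_PROCESSES:
            continue  # the real client is expected to talk to the API
        uploads[(rec["host"], rec["process"])] += rec["bytes_out"]
    alerts = []
    for (host, proc), total in sorted(uploads.items()):
        severity = "high" if total >= EXFIL_BYTES else "medium"
        alerts.append({"host": host, "process": proc,
                       "bytes_out": total, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect_dropbox_c2(SAMPLE_LOG):
        print(alert)
```

In a real deployment the allow-list would also be keyed on binary path and signer, since a backdoor can trivially name itself after the legitimate client.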
