Experts at Trend Micro and Talent-Jump have drawn attention to the fact that since the summer of 2019, Chinese hackers have been attacking gambling and online betting sites in Southeast Asia. Unconfirmed reports of intrusions have also come from countries in Europe and the Middle East.
According to the researchers, the DRBControl group is behind the detected incidents. The hackers steal company databases and source code, but not money; the main purpose of these attacks therefore appears to be espionage.
DRBControl's tactics closely resemble the tools and methods used by other Chinese state-backed hacking groups, Winnti and Emissary Panda. However, it is currently impossible to judge whether DRBControl acts independently or on orders from the authorities: last year, FireEye experts wrote that some Chinese groups conduct attacks for their own benefit in their free time.
In general, DRBControl's attacks are neither complex nor unique. They begin with phishing emails sent to future victims. Through such messages, employees of the target companies receive malicious documents, and then backdoor trojans. This malware relies on Dropbox, which serves as its command-and-control server as well as storage for payloads and stolen data. This is where the group's name comes from: DRBControl (DRopBox Control).
The backdoors planted on the affected companies' networks are then used to download further hacking tools and malware, which are used to move laterally across the network in search of valuable information to steal. Among the tools used by DRBControl, the researchers observed:
- tools for scanning NetBIOS servers;
- tools for brute force attacks;
- tools for bypassing Windows UAC;
- tools for escalating privileges on an infected host;
- tools for stealing passwords from infected hosts;
- clipboard theft tools;
- tools for downloading and executing malicious code on infected hosts;
- tools for obtaining the public IP address of the workstation;
- tools for creating tunnels to external networks.
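As an added illustration (not code from the article or from the Trend Micro and Talent-Jump reports), the Python sketch below shows one way a defender can surface the Dropbox-as-C2 pattern described above: it parses a few constructed proxy log lines and flags workstations that contact the Dropbox API at a near-constant interval, the polling rhythm a backdoor shows when its operators' commands sit in a Dropbox account. The Dropbox API hostnames, the log format and the thresholds are assumptions, not details from the article.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed Dropbox API endpoints; the article only says "Dropbox".
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Constructed proxy log: "<ISO timestamp> <client_ip> <method> <host> <bytes_out>".
# 10.0.0.5 polls the API every 5 minutes (backdoor-like); 10.0.0.9 is an
# ordinary user syncing files at irregular times.
SAMPLE_LOG = """
2019-08-12T09:00:00 10.0.0.5 POST api.dropboxapi.com 312
2019-08-12T09:00:03 10.0.0.9 GET www.example.com 1203
2019-08-12T09:05:00 10.0.0.5 POST api.dropboxapi.com 310
2019-08-12T09:07:41 10.0.0.9 POST content.dropboxapi.com 48211
2019-08-12T09:10:00 10.0.0.5 POST api.dropboxapi.com 315
2019-08-12T09:15:00 10.0.0.5 POST api.dropboxapi.com 309
2019-08-12T09:20:00 10.0.0.5 POST api.dropboxapi.com 311
2019-08-12T09:31:17 10.0.0.9 GET api.dropboxapi.com 275
2019-08-12T09:31:18 10.0.0.9 POST content.dropboxapi.com 51020
2019-08-12T09:44:02 10.0.0.9 GET content.dropboxapi.com 990
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_lines(text):
    """Parse the assumed log format into (timestamp, ip, method, host, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, host, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), ip, method, host, int(nbytes)))
    return events

def find_dropbox_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {client_ip: interval_seconds} for clients whose Dropbox API
    requests are spaced with low jitter (std-dev / mean <= max_jitter)."""
    per_client = defaultdict(list)
    for ts, ip, _method, host, _nbytes in events:
        if host in DROPBOX_API_HOSTS:
            per_client[ip].append(ts)
    beacons = {}
    for ip, stamps in per_client.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[ip] = round(avg)
    return beacons

if __name__ == "__main__":
    print(find_dropbox_beacons(parse_lines(SAMPLE_LOG)))  # {'10.0.0.5': 300}
```

Regular polling alone is not proof of compromise (the real Dropbox client also syncs), so a hit is a lead to correlate with the originating process and with the phishing and tool-download stages described above.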
Researchers at Talent-Jump write that they closely monitored the group's activities from July to September 2019. During this time, the hackers managed to infect about 200 computers via one Dropbox account, and about 80 more machines were compromised through another Dropbox account.