Chinese hackers are targeting the gambling industry in Southeast Asia. Researchers report that a hacker campaign is connected to data collection and surveillance operations reported earlier this year.
On Thursday, cybersecurity firm SentinelOne released a report stating that attackers had abused Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables to deliver malware that resembled samples used in a recently disclosed operation that researchers at ESET named Operation ChattyGoblin. The tools used by the hackers were traced back to a Chinese APT group that security company Secureworks tracks as Bronze Starlight.
In an interview with Recorded Future News, Aleksandar Milenkoski, a senior threat researcher at SentinelLabs, said that this campaign was an example of the intricate Chinese threat ecosystem, which relies on strong connections between separate threat groups. In addition, the hackers were most likely supported by shared vendors, digital quartermasters, and perhaps even shared campaign operators.
Ever since the crackdown on Macao’s gambling sector, the Southeast Asian gambling industry has been expanding significantly. According to the researchers, that explains why Chinese APT groups are targeting it. Even though the hacker group appears to be linked to other campaigns, several differences stand out. The attacks were tied to Bronze Starlight, a group that specializes in espionage but deploys ransomware as a distraction.
Chinese Hackers Use Malicious Version of Support Agent to Attack Southeast Asian Gambling Entities
In March, researchers at ESET identified a campaign they called Operation ChattyGoblin, which targeted a Philippines-based gambling company using malicious versions of the LiveHelp100 customer-support application.
Following the recent attacks, researchers from SentinelOne reported that they had spotted malware loaders closely related to those observed during the Operation ChattyGoblin attacks, which suggests the hackers are most likely part of the same activity group. The researchers added that the association rests on the same naming conventions, shared code, and functional overlaps with the sample covered in the ESET report. Even though the SentinelOne researchers could not definitively determine whether the plugin they analyzed is the same one covered in the ESET report, they noted that one of its VirusTotal submissions was dated March of this year and originated from the Philippines.
According to Milenkoski, products by Ivacy, a popular VPN company, were abused during the most recent campaign. Milenkoski explained that the Chinese hackers had obtained the code-signing keys of PMG PTE LTD, Ivacy’s VPN services vendor in Singapore. Milenkoski underlined that VPN providers are prime targets for such attacks because compromising them gives hackers access to users’ sensitive data and communications.
Another point the report emphasized is that the malware was built to stop running on devices located in the US, Germany, France, Russia, India, Canada, and the UK. While this meant the tool did not operate in those countries, it clearly indicated the intended target area.