
Hackers Target Gambling Companies through Chat Apps
A gambling company in the Philippines was targeted by a Chinese-aligned threat actor as part of a campaign that has been underway since October 2021.
Slovak cybersecurity firm ESET is tracking the series of attacks on the Southeast Asian gambling company under the name Operation ChattyGoblin.
“This attack employs a specific tactic: targeting the victim company’s support agents via chat applications – in particular, the Comm100 and LiveHelp100 applications,” ESET said in a report shared with The Hacker News.
The use of the Comm100 trojan installer to deliver malware was first documented by CrowdStrike in October 2022. The company attributed the supply chain compromise to a threat actor likely linked to China.
The attack chain leverages the aforementioned chat applications to distribute C# droppers which, in turn, propagate other C# executables, ultimately serving as conduits for dropping Cobalt Strike beacons on hacked workstations.
Also highlighted in ESET’s Q4 2022–Q1 2023 APT Activity Report are attacks carried out by the India-linked threat actors Donot Team and SideWinder against government institutions in South Asia.
A separate, limited series of attacks has been attributed to another Indian APT group called Confucius, which has been active since at least 2013 and is believed to share ties with the Patchwork group. The threat actor has in the past used Pegasus-themed lures and other decoy documents to target Pakistani government agencies.
The latest intrusion, per ESET, involves the use of a remote access trojan dubbed Ragnatela which is an upgraded variant of the BADNEWS RAT.
Elsewhere, the cybersecurity firm said it detected an Iranian threat actor called OilRig (aka Hazel Sandstorm) deploying a custom implant named Mango against Israeli healthcare companies.
It is worth noting that Microsoft recently linked Storm-0133, a new threat group affiliated with Iran’s Ministry of Intelligence and Security (MOIS), to attacks that exclusively targeted Israeli local government agencies and companies serving the defense, lodging and healthcare sectors.
“The MOIS group uses legitimate but compromised Israeli websites for command-and-control (C2), demonstrating an increase in operational security, as this technique complicates the efforts of defenders, who often leverage geolocation data to identify anomalous network activity,” Microsoft noted, further highlighting Storm-0133’s reliance on the Mango malware in this intrusion.
ESET also said an unnamed Indian data management service provider was targeted by the North Korea-backed Lazarus Group in January 2023 using Accenture-themed social engineering lures.
“The attacker’s goal is to monetize their presence on the company’s network, most likely through compromising business email,” the company said, calling it a shift from its traditional pattern of victimology.
The Lazarus Group was also said, in February 2023, to have breached a defense contractor in Poland through fake job offers, initiating an attack chain that weaponized a modified version of SumatraPDF to deploy a RAT called ScoringMathTea and a sophisticated downloader codenamed ImprudentCook.
Rounding off the list is spear-phishing activity from Russia-aligned APT groups such as Gamaredon, Sandworm, Sednit, The Dukes, and SaintBear, the last of which was detected using the latest version of the Elephant malware framework and a novel Go-based backdoor known as ElephantLauncher.
Other notable APT activity seen during that time period includes Winter Vivern and YoroTrooper, which ESET says overlaps heavily with the group it has been tracking under the SturgeonPhisher name since early 2022.
YoroTrooper is believed to have been active since at least 2021, with attacks targeting governments, energy and international organizations across Central Asia and Europe.
The public disclosure of its tactics in March 2023 is alleged to have caused a “severe drop in activity”, raising the possibility that the group is currently retooling its arsenal and changing its modus operandi.
ESET’s findings follow Kaspersky’s APT trends report for Q1 2023, which uncovered a previously unknown threat actor named Trila targeting Lebanese government entities using “homemade malware that allowed them to remotely execute Windows system commands on infected machines.”
The Russian cybersecurity firm has also called attention to the discovery of a new type of Lua-based malware called DreamLand targeting government entities in Pakistan, marking one of the rare instances of APT actors using the Lua programming language in active attacks.
“The malware is modular and uses the Lua scripting language together with a Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect,” said Kaspersky researchers.
“It also features various anti-debugging capabilities and uses the Windows API via Lua FFI, which uses C language bindings to carry out its activities.”