In the wake of China’s recent crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has found itself under threat as malicious actors associated with China have ramped up their activities targeting this sector as revealed by cybersecurity researchers at SentinelLabs. 

The malware and infrastructure under scrutiny appear to be part of Operation ChattyGoblin, a series of attacks by China-aligned actors using trojanized chat applications. These indications suggest the involvement of the China-based BRONZE STARLIGHT group, known for their political motivation, which seem to be focused on espionage rather than financial gain and often use ransomware as a smokescreen. 

 One significant aspect of these attacks involves the use of stolen code signing certificates, particularly one attributed to the Ivacy VPN vendor PMG PTE LTD. This technique allows threat actors to sign their malware with legitimate certificates, increasing the likelihood of successful infiltration and evading detection.  

 The use of stolen code signing certificates in these cyberattacks serves as a potent weapon for threat actors, enabling them to cloak their malicious payloads with an aura of legitimacy. By leveraging certificates issued to trusted entities, these attackers can potentially bypass security measures and gain access to systems undetected, underscoring the pressing need for enhanced vigilance and innovative defenses against such deceptive tactics. 

 Furthermore, the malware loaders used in these attacks, named agentupdate_plugins.exe and AdventureQuest.exe, are based on the SharpUnhooker tool, deploying .NET executables to download additional payloads. The payloads in this case were legitimate software from companies such as Adobe, Microsoft, or McAfee that were vulnerable to DLL sideloading attacks.  

 This involves tricking a legitimate executable to load and execute a malicious Dynamic Link Library (DLL), often taking advantage of poor security configurations or search order hijacking, the technique used in this case. This allows the attacker to execute their code within the context of the trusted application, potentially evading detection and gaining unauthorized access to a system. 

 According to SentinelLabs, the DLLs found were variants of the HUI Loader seen used by other China-nexus groups and reported in a string of cyberespionage and ransomware operations.  

 The combination of utilizing stolen code signing certificates alongside the technique of injecting malicious code into legitimate executables creates a potent and insidious threat landscape. By leveraging these tactics, cyber adversaries can effectively disguise their malicious intentions, allowing them to infiltrate systems undetected, bypass security measures, and potentially gain access to sensitive data.  

While the payloads seen in these attacks have zeroed in on the Southeast Asian gambling sector through tactics like geofencing, this convergence of sophisticated methods underscores the critical need for robust cybersecurity strategies. It’s paramount for all industries to maintain continuous monitoring, vigilant software validation, and proactive threat intelligence to counteract the ever-evolving landscape of cyberthreats. 

To stay up to date on all APG intel, follow them on Twitter and Reddit.

Date Published
Aug 23, 2023

By
Blackpoint Cyber

Want something new to listen to?

Check out The Unfair Fight, a podcast by Jon Murchison, where you can hear conversations with experts surrounding geopolitics, high-level performance, entrepreneurship, and cybersecurity.

Subscribe and tune in!