Chinese hackers accused of targeting Southeast Asian gambling sector

Hackers based in China are targeting the gambling sector across Southeast Asia in a campaign that researchers say is closely related to data collection and surveillance operations identified earlier this year.

In a report released Thursday by cybersecurity firm SentinelOne, researchers said the hackers abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables to deliver malware that is “closely related” to samples used in an operation identified recently by researchers at ESET. Tooling used in the attacks also drew links to a Chinese APT group called Bronze Starlight tracked by security firm Secureworks.

“This stands as a compelling illustration of the complexity of the Chinese threat ecosystem, marked by substantial cooperation among its constituent threat groups, along with the possibility of shared vendors, digital quartermasters, and/or campaign orchestrators being involved,” Aleksandar Milenkoski, senior threat researcher at SentinelLabs, told Recorded Future News.

The gambling sector across Southeast Asia has flourished since China cracked down on its own Macao-based gambling industry, so the researchers said it's not surprising to see Chinese APT groups target the sector.

Although the group appears to be tied to other campaigns, there are a few differences that stand out. The malware, targets and infrastructure used in the attacks tied it to Bronze Starlight, which focuses on espionage but uses ransomware as a means of distraction or misattribution.

The campaign identified by ESET in March, which they dubbed Operation ChattyGoblin, involved hackers targeting a gambling company in the Philippines with malicious versions of a support agent called LiveHelp100.

“We subsequently identified malware loaders that we assess are closely related to those observed as part of Operation ChattyGoblin and are likely part of the same activity cluster,” SentinelOne researchers said. “This association is based on naming conventions, code, and functional overlaps with the sample described in ESET’s report. Although we cannot conclusively determine whether the agentupdate_plugins.exe we analyzed is the same as that reported by ESET, we note that one of its VirusTotal submissions is dated March 2023 and originates from the Philippines.”

The malicious activity found in the latest campaign is also masked to look like legitimate LiveHelp100 activity.

One of the most notable parts of the new campaign, according to Milenkoski, is the abuse of products from Ivacy, a popular VPN company that has offered low-cost services since 2007.

Milenkoski told Recorded Future News that they observed evidence that the suspected Chinese threat actors have acquired the code signing keys of PMG PTE LTD, a Singapore-based vendor of the Ivacy VPN services.

“Although we are not familiar with the circumstances that have led to this, we emphasize that VPN providers are critical targets,” he said. “They provide threat actors the opportunity to access sensitive user data, communications, and potentially infiltrate VPN-connected networks or systems.”

The report notes that Chinese threat actors are known to steal signing keys but that PMG PTE has not publicly addressed the issue. The company did not respond to requests for comment. The DigiCert Certificate Authority has revoked the compromised certificate used in the campaign after “a public discussion on the issue,” the researchers said.

Another interesting aspect of the campaign is that the malware is built so that it stops executing if it’s run on a device in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. The tool does not work as intended, but the researchers said it indicates the focus of the campaign.

The use of HUI Loader also stood out to the researchers, who explained that the custom malware is used widely among Chinese hackers. So far, HUI Loader has been seen used by APT10 during cyberespionage activities in Southeast Asia since April 2019 as well as during long-running cyberespionage campaigns targeting Japanese companies.

Anonymous research group IntrusionTruth revealed in 2018 that APT10 was based in Tianjin, China and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security.

HUI Loader was also used in ransomware campaigns from groups like LockFile, AtomSilo, NightSky, LockBit 2.0 and Pandora. Several of these ransomware strains have been used by Bronze Starlight hackers, according to Secureworks and Microsoft.

“It is noteworthy that Chinese cyber espionage threat actors are progressively refining their operational tactics in manners that obfuscate clear attribution through publicly available intelligence sources alone,” the researchers said.