Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps
10.5.23 Hacking The Hacker News
A gambling company in the Philippines was the target of a China-aligned threat actor as part of a campaign that has been ongoing since October 2021.
Slovak cybersecurity firm ESET is tracking the series of attacks against Southeast Asian gambling companies under the name Operation ChattyGoblin.
"These attacks use a specific tactic: targeting the victim companies' support agents via chat applications – in particular, the Comm100 and LiveHelp100 apps," ESET said in a report shared with The Hacker News.
The use of a trojanized Comm100 installer to deliver malware was first documented by CrowdStrike in October 2022. The company attributed the supply chain compromise to a threat actor likely with associations to China.
The attack chains leverage the aforementioned chat apps to distribute a C# dropper that, in turn, deploys another C# executable, which ultimately serves as a conduit to drop a Cobalt Strike beacon on hacked workstations.
Also highlighted in ESET's APT Activity Report Q4 2022–Q1 2023 are attacks mounted by India-linked threat actors Donot Team and SideWinder against government institutions in South Asia.
Another set of limited attacks has been tied to another Indian APT group called Confucius that's been active since at least 2013 and is believed to share ties with the Patchwork group. The threat actor has in the past used Pegasus-themed lures and other decoy documents to target Pakistan government agencies.
The latest intrusion, per ESET, involved the use of a remote access trojan dubbed Ragnatela that's an upgraded variant of the BADNEWS RAT.
Elsewhere, the cybersecurity company said it detected the Iranian threat actor referred to as OilRig (aka Hazel Sandstorm) deploying a custom implant labeled Mango to an Israeli healthcare company.
It's worth noting that Microsoft recently attributed Storm-0133, an emerging threat cluster affiliated to Iran's Ministry of Intelligence and Security (MOIS), to attacks exclusively targeting Israeli local government agencies and companies serving the defense, lodging, and healthcare sectors.
"The MOIS group used the legitimate yet compromised Israeli website for command-and-control (C2), demonstrating an improvement in operational security, as the technique complicates defenders' efforts, which often leverage geolocation data to identify anomalous network activity," Microsoft noted, further pointing out Storm-0133's reliance on the Mango malware in these intrusions.
ESET also said an unnamed Indian data management services provider was at the receiving end of an attack mounted by the North Korea-backed Lazarus Group in January 2023 using an Accenture-themed social engineering lure.
"The goal of the attackers was to monetize their presence in the company's network, most likely through business email compromise," the company said, calling it a shift from its traditional victimology patterns.
The Lazarus Group, in February 2023, is also said to have breached a defense contractor in Poland via fake job offers to initiate an attack chain that weaponizes a modified version of SumatraPDF to deploy a RAT called ScoringMathTea and a sophisticated downloaded codenamed ImprudentCook.
Rounding off the list is a spear-phishing activity from Russia-aligned APT groups such as Gamaredon, Sandworm, Sednit, The Dukes, and SaintBear, the last of which has been detected employing an updated version of its Elephant malware framework and a novel Go-based backdoor known as ElephantLauncher.
Other notable APT activity spotted during the time period comprises that of Winter Vivern and YoroTrooper, which ESET said strongly overlaps with a group that it has been tracking under the name SturgeonPhisher since the start of 2022.
Evidence gathered so far points to YoroTrooper being active since at least 2021, with attacks singling out government, energy, and international organizations across Central Asia and Europe.
Public disclosure of its tactics in March 2023 is suspected to have led to a "big drop in activity," raising the possibility that the group is currently retooling its arsenal and altering its modus operandi.
ESET's findings follow Kaspersky's own APT trends report for Q1 2023, which unearthed a previously unknown threat actor christened Trila targeting Lebanese government entities using "homebrewed malware that enables them to remotely execute Windows system commands on infected machines."
The Russian cybersecurity company also called attention to the discovery of a new Lua-based malware strain referred to as DreamLand targeting a government entity in Pakistan, marking one of the rare instances where an APT actor has used the programming language in active attacks.
"The malware is modular and utilizes the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect," Kaspersky researchers said.
"It also features various anti-debugging capabilities and employs Windows APIs through Lua FFI, which utilizes C language bindings to carry out its activities."