A China-nexus cyberattack campaign is currently targeting the gambling industry across Southeast Asia, deploying Cobalt Strike beacons on compromised systems. According to researchers at SentinelOne, the indicators and tradecraft associated with this operation point to a threat actor tracked as Bronze Starlight, also known as Emperor Dragonfly or Storm-0401, a group linked to the use of short-lived ransomware strains that appear to serve as a distraction from its underlying espionage objectives.
SentinelOne's research shows that the attackers abuse legitimate, signed executables shipped with widely used software, specifically Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan, that are susceptible to DLL search order hijacking. By placing a malicious DLL beside such an executable, they get Cobalt Strike beacons loaded on the targeted machines. Aleksandar Milenkoski and Tom Hegel, the researchers behind the analysis, emphasize the targeted nature of the activity and detail how the actors rely on the way Windows resolves DLLs, rather than on any flaw in the operating system itself, to execute their payloads.
Notably, this campaign overlaps with a separate intrusion cluster that ESET tracks as Operation ChattyGoblin. The overlap extends to a previously disclosed supply chain attack in which a compromised installer for the Comm100 Live Chat application delivered a JavaScript backdoor to the vendor's customers. Both cases rely on the same entry point: a trojanized installer from a legitimate vendor.
Pinning down the exact affiliation of the attackers is difficult because infrastructure and malware are shared extensively among Chinese state-sponsored groups. In this campaign the attackers deploy modified installers for chat applications, which act as the delivery vehicle for a .NET malware loader. The loader fetches a second-stage ZIP archive from Alibaba cloud storage buckets; hosting the payload on a legitimate cloud service helps the download blend in with normal traffic.
The ZIP archive contains a genuine executable known to be vulnerable to DLL search order hijacking, a malicious DLL that the executable loads when it is run, and an encrypted file named agent.data that holds what is needed to run the Cobalt Strike beacon. Relying on a legitimate, signed executable to bring in the beacon lets the activity hide behind trusted software.
SentinelOne researchers explain that the malware loader runs by having the legitimate executable side-load the malicious DLL, which is built to decrypt the code hidden in the data file and run it.
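The three-file kit described above (host executable, side-loaded DLL, encrypted data file) has a recognisable shape that can be checked statically before anything is executed. The following is an added example, not code from SentinelOne or from the campaign: it builds a constructed ZIP with that layout in memory (the file names AdventureQuest.exe and agent.data are taken from the report, helper.dll is a hypothetical name, and all contents are synthetic stubs), then triages it by spotting PE files from their "MZ" header, pairing DLLs with an executable in the same directory, and flagging opaque members by Shannon entropy, which sits near 8 bits per byte for encrypted data and well below that for text.

```python
import io
import math
import posixpath
import random
import zipfile
from collections import Counter


def _fake_pe(size: int = 256) -> bytes:
    # A real PE starts with the "MZ" DOS header; this stub is only a
    # placeholder so the example runs without any real binaries.
    return b"MZ" + b"\x90" * (size - 2)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data,
    typically 4 to 6 for text or plain machine code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample_archive() -> bytes:
    """Constructed second-stage ZIP with the shape the report describes.
    Two names echo the report; every byte of content is synthetic."""
    rng = random.Random(1337)  # deterministic stand-in for the encrypted beacon
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AdventureQuest.exe", _fake_pe())
        zf.writestr("helper.dll", _fake_pe())  # hypothetical DLL name
        zf.writestr("agent.data", rng.randbytes(4096))
        zf.writestr("readme.txt", b"Launch AdventureQuest.exe to start.\n" * 20)
    return buf.getvalue()


def triage_archive(zip_bytes: bytes, entropy_threshold: float = 7.0) -> dict:
    """Classify archive members and decide whether they form a side-loading
    kit: a host EXE, a DLL in the same directory (so it wins the DLL search
    order), and an opaque high-entropy blob the DLL can decrypt at runtime."""
    findings = {"executables": [], "dlls": [], "high_entropy_blobs": [],
                "other": [], "entropy": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            ent = shannon_entropy(data)
            findings["entropy"][name] = round(ent, 2)
            is_pe = data[:2] == b"MZ"
            if is_pe and name.lower().endswith(".exe"):
                findings["executables"].append(name)
            elif is_pe and name.lower().endswith(".dll"):
                findings["dlls"].append(name)
            elif ent >= entropy_threshold:
                findings["high_entropy_blobs"].append(name)
            else:
                findings["other"].append(name)
    # A DLL only wins the search order if it sits in the executable's directory.
    exe_dirs = {posixpath.dirname(p) for p in findings["executables"]}
    findings["dlls_beside_exe"] = [
        d for d in findings["dlls"] if posixpath.dirname(d) in exe_dirs]
    findings["suspected_sideload_kit"] = bool(
        findings["dlls_beside_exe"] and findings["high_entropy_blobs"])
    return findings


if __name__ == "__main__":
    for key, value in triage_archive(build_sample_archive()).items():
        print(f"{key}: {value}")
```

The entropy threshold of 7.0 is a working value, not a universal constant: packed or compressed resources inside legitimate installers also score high, so the verdict should be read as "worth a look" rather than "malicious".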
Interestingly, the attacks include a geofencing check that halts execution when the system is located in Canada, France, Germany, India, Russia, the United Kingdom, or the United States. Excluding these countries keeps the payload from running outside the intended target region, which most likely serves to limit the actor's exposure to security vendors, researchers, and sandboxes based there.
Further investigation into one of the loaders, named "AdventureQuest.exe," revealed that it was signed with a certificate allegedly stolen from Ivacy VPN, a Singapore-headquartered VPN provider. DigiCert revoked the certificate in June 2023. Revocation only helps on endpoints that actually check it, and a binary signed and countersigned with a trusted timestamp before the revocation date can still validate on systems that honour the timestamp, so a valid Authenticode signature on its own should not be treated as proof that a file is legitimate.
The DLL files involved in the side-loading process are variants of HUI Loader, a custom malware loader used by multiple Chinese hacking groups, including APT10, Bronze Starlight, and TA410. The overlap in tooling and behaviour across these groups points to tools being shared or passed between China-nexus operators, which is exactly what makes attribution hard.
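Whatever the loader family, the side-loading step itself leaves a consistent trace: a DLL whose name belongs in System32 resolving instead from the application's own directory, typically unsigned, next to a signed host executable. The following is an added example, not SentinelOne's or the campaign's code, of that detection logic run over constructed Sysmon Event ID 7 (ImageLoad) records. The watchlist of System32 DLL names, the sample paths, the user name, and the publisher strings are all hypothetical; the field names follow Sysmon's ImageLoad schema.

```python
import ntpath

# Constructed watchlist: DLLs that normally live in System32. A copy of one of
# these resolving from the application's own directory is the classic
# search-order hijack the report describes.
SYSTEM_DLL_WATCHLIST = {"version.dll", "userenv.dll", "wtsapi32.dll",
                        "dwmapi.dll", "cryptbase.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directory fragments that indicate a location a normal user can write to.
USER_WRITABLE_HINTS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")


def evaluate_image_load(ev: dict) -> list:
    """Return the reasons a Sysmon Event ID 7 (ImageLoad) record looks like
    DLL side-loading; an empty list means the load looks normal."""
    reasons = []
    image_dir = ntpath.dirname(ev["Image"]).lower()
    loaded = ev["ImageLoaded"].lower()
    loaded_dir, dll = ntpath.dirname(loaded), ntpath.basename(loaded)
    signed = ev.get("Signed", "false").lower() == "true"
    valid = ev.get("SignatureStatus", "") == "Valid"

    if loaded_dir.startswith(SYSTEM_DIRS):
        return reasons  # loaded from the directory it belongs in
    if dll in SYSTEM_DLL_WATCHLIST:
        origin = "the application directory" if loaded_dir == image_dir else loaded_dir
        reasons.append(f"{dll} resolved from {origin} instead of System32")
        if not (signed and valid):
            reasons.append(f"{dll} is unsigned or its signature is not valid")
    if (loaded_dir == image_dir and not signed
            and any(h in loaded_dir for h in USER_WRITABLE_HINTS)):
        reasons.append("unsigned DLL side-loaded from a user-writable application directory")
    return reasons


# Constructed Sysmon-style records (fields follow Event ID 7's schema); paths,
# the user name and the publisher names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\bob\Downloads\AdventureQuest\AdventureQuest.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\AdventureQuest\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\vendorcore.dll",
     "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid"},
]


def run_detection(events) -> dict:
    """Map each suspicious ImageLoaded path to its list of reasons."""
    alerts = {}
    for ev in events:
        reasons = evaluate_image_load(ev)
        if reasons:
            alerts[ev["ImageLoaded"]] = reasons
    return alerts


if __name__ == "__main__":
    for path, why in run_detection(SAMPLE_EVENTS).items():
        print(path)
        for reason in why:
            print("  -", reason)
```

The rule keys on behaviour (where a known system DLL name was resolved from, and whether it is signed) rather than on the hash of any one HUI Loader variant, so it keeps working when the DLL is rebuilt; the cost is that legitimate applications that ship their own copy of a System32-named DLL need an allowlist entry.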
The infrastructure and tooling shared among China-nexus actors not only complicate attribution but also mean that a detection built for one group's tradecraft often covers several. Defenders should map the techniques described here to MITRE ATT&CK, in particular DLL search order hijacking and side-loading under Hijack Execution Flow (T1574), trojanized installers under Supply Chain Compromise (T1195), and abuse of stolen code-signing certificates under Subvert Trust Controls (T1553), and build detections for those behaviours rather than for any single file hash or domain.
In summary, the campaign targeting Southeast Asia's gambling sector shows how state-sponsored operators chain a trojanized installer, cloud-hosted staging, a stolen signing certificate, and DLL side-loading into one intrusion, and underscores the need for controls that address each of those steps.