A hacking group named ‘DiceyF’ has been observed deploying a malicious attack framework against online casinos based in Southeast Asia since at least November 2021.
According to a new report by Kaspersky, the DiceyF APT group does not appear to be targeting financial gains from the casinos but instead conducting stealthy cyberespionage and intellectual property theft.
The DiceyF activity aligns with “Operation Earth Berberoka” reported by Trend Micro in March 2022, both pointing to the threat actors being of Chinese origin.
The attack framework used by the APT is named ‘GamePlayerFramework’, and is a C# rewrite of the C++ malware ‘PuppetLoader.’
The framework features payload downloaders, malware launchers, plugins, remote access modules, keyloggers, clipboard stealers, and more.
The most recent executables sampled by Kaspersky are 64-bit .NET files, but there are also 32-bit executables and DLLs in circulation.
The framework maintains two branches, namely “Tifa” and “Yuna,” which are developed separately and feature different levels of sophistication and complexity. “Yuna” is the more sophisticated of the two, also observed in the wild later.
After the framework is loaded on the target’s machine, it connects to the C2 server and sends XOR-encrypted heartbeat packets every 20 seconds, containing the victim’s username, user session status, size of collected logs, and current date and time.
The C2 can respond with a set of 15 commands that may order the framework to collect additional data, execute a command on “cmd.exe”, update the C2 configuration, and download a new plugin.
Any plugins downloaded from the C2 are loaded directly into the framework without touching the disk to minimize the likelihood of detection.
Their functions include stealing cookies from Chrome or Firefox, snatching clipboard contents, establishing virtual desktop sessions, snapping screenshots, performing port forwarding, and more.
Fake Mango app
Kaspersky has also discovered that DiceyF is using a GUI app that mimics a Mango Employee Data Synchronizer, which drops Yuna downloaders within the organization’s network.
The fake Mango app reaches employees of the casino firms as an installer of a security app, likely sent by the threat actors via phishing emails.
The fake app uses social engineering tactics like displaying the floor where the target organization’s IT department is housed to give the victim the illusion of legitimacy.
The app connects to the same C2 infrastructure as the GamePlayerFramework, and exfiltrates OS, system, network data, and Mango messenger data.
“The code is under continuous incremental change, and its versioning reflects a semi-professional management of the codebase modifications,” explains Kaspersky.
“Over time, the group added Newtonsoft JSON library support, enhanced logging, and encryption for logging.”
Kaspersky comments that using a visible window doesn’t make it suitable only for tricking employees but also good against AVs, which generally treat GUI-based tools with less suspicion.
To make the tool even stealthier against security tools, the threat actors have signed it with a stolen valid digital certificate, the same one used for the framework too.
In conclusion, DiceyF has demonstrated excellent technical capacity to adjust its tools to the oddities of each victim, transforming its codebase over time as the intrusion progresses.
While these attacks are not as sophisticated or effective as actual supply chain breaches, they can still be tough to detect and stop, especially when they target multiple employees in an organization.