Threat researchers have observed a notorious hacking group named ‘DiceyF’ after noting a spike in attacks against online casino websites in Southeast Asia. The attacks were recorded in November 2021, directing the research team to the threat actor group hailing from China with the intent of cyber espionage.
According to a report by Kaspersky, the DiceyF APT group is not targeting online casinos for financial gains but to garner information via an intellectual property theft campaign. American- Japanese cyber security firm Trend Micro also reported the group’s activities, adding that the threat actor aligns with “Operation Earth Berberoka”, pointing to their Chinese origin.
DiceyF APT group targets online casinos
According to the researchers, the threat group uses payload downloaders and remote access modules for deploying keyloggers, clipboard stealers, and malware launchers in victims’ devices and networks. DiceyF APT group uses a linear method for attacking its victims. It uses a framework named the ‘GamePlayerFramework,’ and a ‘PuppetLoader’ malware, written in C# rewrite of C++ language.
The researchers further analyzed a sample 64-bit .NET file from the threat actors who had two main framework branches — “Tifa” and “Yuna.” Both components were developed separately and had different levels of complexity. Once the framework is deployed on the victim’s computer, it connects to a C2 server, allowing the threat actor to receive XOR-encrypted heartbeat packets every 20 seconds, fetching information about the victim’s name, sessions, size of collected logs, date, and time.
Technical analysis of DiceyF sample malware
The researchers analyzed the malware collected from the DiceyF APT group. The report denoted that C2 could respond with 15 commands and execute an additional command on “cmd.exe,” updating the C2 configuration and downloading a new plugin.
Since the downloaded plugin loads directly into the framework, it evades any detection. Once loaded, the malware can steal cookies from web browsers, snatch clipboard content, run virtual desktop sessions, take screenshots, and more.
Additionally, the researchers found that DiceyF was employing a GUI application that imitates a Mango Employee Data Synchronizer and drops Yuna downloaders inside the company’s network. The employees of online casinos receive the fake Mango app as an installer for a security app, most likely from threat actors using phishing emails.
To give the victim the impression that the app is authentic, it employs social engineering techniques like showing the floor where the target organization’s IT department is located. The program exfiltrated data from the OS, the system, the network, and the Mango messenger by connecting to the same C2 infrastructure as the GamePlayerFramework.
DiceyF has proven to be exceptionally sophisticated in its ability to modify its tools to the peculiarities of each victim, evolving its codebase during the incursion. While not as complex or successful as actual supply chain breaches, these attacks can nonetheless be challenging to identify and thwart, primarily when they target several individuals in a company.
