Online gambling operations in Southeast Asia have been subject to advanced persistent threat (APT) attacks for years, a recent report released by Kaspersky, the leading Russian multinational cybersecurity company, reveals.
Kaspersky Identifies New Hacker Activity
Researchers at Kaspersky identified new “GamePlayerFramework” hacker activity deployed by an organization called “DiceyF.” The organization is believed to have distributed malware that targeted online casino operations. By infecting victims’ systems, DiceyF had ongoing access to their databases. According to the researchers at Kaspersky, such activities have been going on for years, but this specific GamePlayerFramework is a new piece of software that used “multistage loaders” redesigned and rewritten in C#.
“We call this APT ‘DiceyF’. They have been targeting online casinos and other victims in Southeast Asia reportedly for years now,”
reads a report released by Kaspersky
The new DiceyF hacker activity likely aligns with the “Earth Berberoka/GamblingPuppet” APT activity. Another similar hacker activity that aligns with DiceyF is “DRBControl.” Research shows that these activities align in their use of malware, among other hacking tools. It is possible that DiceyF leveraged a stolen digital certificate from a messaging application and distributed malware “via an employee monitoring system and a security package deployment service,” Kaspersky explained.
“Possibly we have a mix of espionage and IP theft, but the true motivations remain a mystery,”
adds Kaspersky’s report
The leading Russian cybersecurity company acknowledged that the DiceyF activity may be after intellectual property theft and espionage. What is strange about this case is that there is so far no evidence of cash theft or a financial motive behind the recent APT activity.
Final Fantasy Reference
Besides the mysterious motivation behind the DiceyF activity, researchers identified peculiar code within GamePlayerFramework. Two different branches were identified, one named “Tifa” and the other “Yuna.” Tifa and Yuna are references to the famous Final Fantasy series, representing the two main characters.
According to researchers, the Yuna branch featured a downloader, along with plugins and “various PuppetLoader components.” On the other hand, the Tifa branch module included only a downloader in combination with a “core” module. It was identified that the Tifa branch leveraged an application used for secure messaging called Mango.