Chinese entanglement - DLL hijacking in the Asian gambling sector
August 2023 by SentinelOne
Thriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.
SentinelLabs observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure the team analysed are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster. Operation ChattyGoblin is ESET’s name for a series of attacks by China-nexus actors targeting Southeast Asian gambling companies with trojanised Comm100 and LiveHelp100 chat applications.
The targeting, malware, and C2 infrastructure specifics point to past activities that third parties have linked to the China-aligned BRONZE STARLIGHT group (also known as DEV-0401 or SLIME34). This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution. TeamT5 has also reported on BRONZE STARLIGHT’s politically-motivated involvement in targeting the Southeast Asian gambling industry.
Despite the indicators observed, accurate clustering remains challenging. The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high confidence clustering difficult based on current visibility. SentinelLabs’ analysis has led the team to historical artefacts that represent points of convergence between BRONZE STARLIGHT and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.
• SentinelLabs has identified suspected Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia.
• The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.
• SentinelLabs observed related malware using the signature of a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services.
• Indicators point to the China-aligned BRONZE STARLIGHT group; however, the exact grouping remains unclear due to the interconnected relationships among various Chinese APT groups.
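As an added example (not code from the SentinelLabs report), the following defender-side heuristic runs over constructed Sysmon-style image-load records and flags the two patterns in the findings above: a vendor-signed executable loading a DLL from its own non-standard directory, and a loaded image signed by the certificate holder named in the report. The ProcessSigner field is assumed to be joined in from the process-creation event; all paths and signer strings are constructed.

```python
import ntpath  # handles backslash paths regardless of the host OS

# Vendors whose executables the report says were abused for DLL hijacking.
SIDELOAD_PRONE_VENDORS = ("adobe", "microsoft", "mcafee")
# Certificate holder the report links to a likely stolen signing certificate.
SUSPECT_SIGNERS = ("pmg pte ltd",)
# Locations where vendor software is expected to live; a signed vendor binary
# running from elsewhere (user-writable dirs) is the first sideloading clue.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def _under_trusted_root(path):
    return any(path.lower().startswith(root) for root in TRUSTED_ROOTS)


def _vendor(signer):
    """Map a signer string to one of the watched vendors, or None."""
    s = signer.lower()
    return next((v for v in SIDELOAD_PRONE_VENDORS if v in s), None)


def find_sideload_candidates(events):
    """Return (rule, loaded_image) pairs for suspicious image-load events."""
    hits = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = ntpath.dirname(dll.lower()) == ntpath.dirname(exe.lower())
        exe_vendor = _vendor(ev.get("ProcessSigner", ""))   # assumed joined field
        dll_signer = ev.get("Signature", "")
        # Rule 1: watched vendor binary, outside its normal install root, loads a
        # DLL beside itself that the same vendor did not sign.
        if exe_vendor and same_dir and not _under_trusted_root(exe) \
                and _vendor(dll_signer) != exe_vendor:
            hits.append(("sideload", dll))
        # Rule 2: any image signed by the certificate holder named in the report.
        if any(s in dll_signer.lower() for s in SUSPECT_SIGNERS):
            hits.append(("suspect-signer", dll))
    return hits


# Constructed sample events (Sysmon Event ID 7 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorApp\app.exe", "ProcessSigner": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Libraries\update\app.exe", "ProcessSigner": "Adobe Inc.",
     "ImageLoaded": r"C:\Users\Public\Libraries\update\helper.dll", "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "ProcessSigner": "",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\core.dll", "Signature": "PMG PTE LTD"},
]

if __name__ == "__main__":
    for rule, image in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```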
China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so. The activities this post discusses illustrate the intricate nature of the Chinese threat landscape.
A better understanding of this landscape is essential for keeping up with its dynamics and improving defence strategies. Achieving this necessitates consistent collaborative and information-sharing efforts. SentinelLabs remains dedicated to this mission and continues to closely monitor related threats.