----- **TREND MICRO LEGAL DISCLAIMER** The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition. Published by ###### Trend Micro Research Written by ###### Daniel Lunghi Jaromir Horejsi Stock image used under license from Envato.com ### Contents #### 4 ###### Targets #### 6 ###### Technical Analysis #### 36 ###### Attribution #### 38 ###### Conclusion ----- In recent years, there has been an advent of new technologies that power e-gambling websites and applications, causing the online gambling market to continuously grow. In fact, this market is expected to be valued at more than US$92.9 billion by 2023.[1] And when the Covid-19 pandemic happened, online gambling numbers soared even higher. According to a study conducted by the University of Bristol and published in the Journal of Gambling Studies, gamblers were more than six times more likely to participate in online gambling activities compared to before the pandemic struck.[2] Because malicious actors tend to follow the money trail, it is not at all surprising that the online gambling industry has been targeted by cybercriminals. In 2020, we reported on Operation DRBControl, an advanced persistent threat (APT) group that used malware in a cyberespionage campaign aimed at gambling companies in Southeast Asia.[3] And in 2021, Akamai reported that a European gambling company suffered a distributed denial- of-service (DDoS) attack that peaked at a whopping 800 gigabits per second.[4] We discovered an APT group that we have dubbed Earth Berberoka (aka GamblingPuppet). Based on our analysis, this APT group targets gambling websites. Our investigation also shows that this group’s campaign uses multiple malware families that target the Windows, Linux, and macOS platforms, and that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which we have dubbed PuppetLoader. In this report, we present a detailed technical analysis of the different malware families that Earth Berberoka uses on the three platforms that it targets. We also provide details on the infection vectors used by the group and information on other cybercriminal groups to which Earth Berberoka is potentially linked. ----- ## Targets We believe that Earth Berberoka’s primary targets have been gambling websites in China, but we also have evidence that the group has also targeted one government institution related to education, two IT services companies, and one electronics manufacturing company. From Dec. 12, 2020, to April 29, 2022, we noted 15 downloads of a fake Adobe Flash Player installer in China. We also saw eight redirects from certain websites to the malicious Adobe Flash Player website (five from a legitimate news website in the US and three from an unknown website, two of which were from Hong Kong and one from Malaysia), and one PlugX DLL detection in Taiwan. (In the context of this campaign, a redirect means an HTTP request to the script that redirects to the fake Adobe Flash Player installer. The script itself is hosted in a third-party server. Earth Berberoka thus compromises a website, inserts in that compromised website a redirection to a third-party website, and that third-party website redirects to the website hosting the fake Adobe Flash Player installer. We explain this mode of infection further in the “Infection Vectors” subsection of this report.) ###### China US Hong Kong Malaysia Taiwan ###### 15 5 2 1 1 Figure 1. Earth Berberoka telemetry hits from Dec. 12, 2020, to April 29, 2022 We also retrieved logs generated by Earth Berberoka’s keyloggers that showed a hosting provider from Malaysia that was being compromised. A similar log file found in the wild contained an IP address belonging to a Chinese gambling website. A third log file contained the login page URL of another Chinese gambling website. These two files reinforced our belief that the gambling industry had indeed been at the crosshairs of this campaign. ----- Another hint of Earth Berberoka’s targeted countries can be found in one of the backdoored applications that the group has used. The registration process is restricted to countries in North America and countries in Asia, including China, Hong Kong, Macao, Taiwan, the Philippines, Japan, and South Korea. A detailed explanation can be found in the “Infection Vectors” subsection of this report. The last hint resides in the decrypted configuration files from samples of two malware families used by Earth Berberoka to target the Linux platform, Xnote and HelloBot. These samples contain some words that might relate to gambling companies, such as “caipiao”, which translates to “lottery,” and “Yabo”, which could refer to a gambling website. Other decrypted configuration files contain keywords that are related to a Russian defense company, which we have elected not to disclose. This proves that Earth Berberoka also targets other, sensitive industries. ----- ## Technical Analysis ##### Malware Toolkit From our investigation, we found that Earth Berberoka uses multiple malware families that target the Windows, Linux, and macOS platforms. We found most of these malware families via shared back-end infrastructure, specifically by pivoting on domains and malware samples. In this subsection, we provide an analysis of each of the malware families that we found for each platform. ###### Windows Platform PuppetLoader We discovered that Earth Berberoka has developed a new complex, multistage malware family, which we have dubbed PuppetLoader. This loader uses some interesting techniques: It hijacks loaded modules to launch malicious code, and hides malicious payloads and modules in modified bitmap image (BMP) files. We present our analysis of PuppetLoader’s stages in the succeeding subsections: - Stage 1: Obfuscator and Loader - Stage 2: Dropper (drops BasicLoader plus encrypted Core and Client.MainConsole) - Stage 3: BasicLoader (loads Core) - Stage 4: Core (loads Client.MainConsole) - Stage 5: Client.MainConsole ###### Stage 1: Obfuscator and Loader **Incorrect RC4 Implementation** In this stage, a blob of payload data is decrypted using a hard-coded key (2726c6aea9970bb95211304705b5f595) and what appears to be an RC4 (Rivest Cipher 4) algorithm. However, our analysis shows that the cipher is implemented incorrectly: Only the headers and first few sections of the payload were properly encrypted, and the latter sections were left almost entirely in clear text. This behavior is caused by the improper implementation of the “swap” operation in the pseudorandom generation part of the cipher code. ----- It seems that this hard-coded key and this flawed RC4 implementation were also used in a malware family named TigerPlug[5] (probably because it spreads the PlugX malware). We found no public reporting of its behavior and features. **Hijacking Loaded Module** After the payload is decrypted, PuppetLoader loads the payload in the machine’s memory and executes it. PuppetLoader uses a stealthy hijacking method: It starts by loading a legitimate DLL from the Windows\System32 directory, and then hijacks the loading process and replaces the content of the legitimate library with malicious data. The loader achieves this task by hooking several NTDLL APIs, such as NtQueryAttributesFile, NtOpenFile, NtCreateSection, NtMapViewOfSection, NtQuerySection, and ZwClose. To avoid recursive hooking, which occurs when the hooked function indirectly calls itself, the loader uses undocumented NDTLL APIs, namely, RtlPushFrame, RtlPopFrame, and RtlGetFrame. These APIs are specifically designed to prevent recursive hooking from happening. The loader allocates a frame tagged as “LDFM” and fills it with the necessary parameters to properly load the malicious payload. Some parameters are set immediately, while others are set later, after their values are identified. These parameters include file names’ memory addresses and allocated buffer handles or addresses that contain the malicious payload. Figure 2. The LDFM loading frame The loader calls the LdrLoadDll API to load a legitimate asycfilt.dll library. It then calls previously hooked API functions, resulting in the loaded DLL name’s being replaced with lz32.dll, which is a legitimate DLL. Then, it replaces the content of the loaded lz32.dll with a malicious payload that is inside the hooked NtMapViewOfSection function. Afterward, the LdrLoadDll function rebases the newly loaded malicious image and loads all of the required dependencies. After the handle is returned from LdrLoadDll, PuppetLoader does not need the frame anymore, so it pops the frame by calling RtlPopFrame, unhooks previously hooked functions, and verifies whether the loading is successful or not by calling GetModuleHandleW (asycfilt.dll). ----- In the last step, PuppetLoader dynamically resolves the export function called Install and sets the parameter value to “11BF29E1371C0D83C530BD1BF346”, which decrypts to a function called OneTime. For its command-line parameters, PuppetLoader uses the same flawed RC4 implementation using the password “whk0q9ogev6ofg8d”. These hijacking steps result in the following: - The loaded asycfilt.dll can be seen by parsing the PEB_LDR_DATA[6] structure containing all loaded modules in the current process. Figure 3. asycfilt.dll shown among loaded module names - The process monitoring tools report that one of the opened files is lz32.dll. Figure 4. Lz32.dll shown among opened files - The payload that is loaded is none of the previously mentioned libraries but is actually PuppetLoader’s dropper. ###### Stage 2: Dropper The dropper creates and drops several files in an infected machine. **File** **Function** CpuppetProcessFileSharer Used for sharing data during the different infection stages Config.ini Saves the execution reason and the globally unique identifier (GUID) value based on ComputerName MSVCPX00.dll DLL file of BasicLoader verisign.bmp BMP file with encrypted Core bitmap.bmp BMP file with encrypted Client.MainConsole Table 1. The files created and dropped by the dropper |File|Function| |---|---| |CpuppetProcessFileSharer|Used for sharing data during the different infection stages| |Config.ini|Saves the execution reason and the globally unique identifier (GUID) value based on ComputerName| |MSVCPX00.dll|DLL file of BasicLoader| |verisign.bmp|BMP file with encrypted Core| |bitmap.bmp|BMP file with encrypted Client.MainConsole| ----- The malware inserts the hard-coded GUID ({78106D5F-CD1A-A8C4-A625-6863092B4BBA}) into CPuppetProcessFileSharer (C:\\Users\\Public\\Pictures\\Desktop.inf), likely as a marker that stage 2 has been completed. Config.ini (C:\Users\Public\Videos\Config.ini) contains the GUID and the reason, which is the hard-coded value “StartupBasicLoader” encrypted using the key “whk0q9ogev6ofg8d”. The dropper then starts svchost.exe in suspended mode with this command-line parameter: -cmd -NoModuleLoadDLL -DisplayName=KeepAuthority.Client.MainConsole.x64.Release -InvokeMethodName=Run -InokeMethodParam=NULL The dropper also encrypts it with the key “whk0q9ogev6ofg8d” and creates a new thread within svchost.exe to make it load MSVCPX00.dll, which is the BasicLoader payload. It is interesting to note that there is a typographical error in “-InokeMethodParam”. ###### Stage 3: BasicLoader The BasicLoader stage starts by adding a hard-coded GUID ({78106D5F-CD1A-A8C4-A625 6863092B4BBA}) into CPuppetProcessFileSharer, likely as a marker that stage 3 has started running. BasicLoader then searches for BMP files across directories in Users\\Public, such as Desktop, Documents, Downloads, Music, Pictures, and Videos. It performs a series of checks for each of the BMP file that it finds. If a BMP file passes those checks and has the required structure, then BasicLoader decrypts, loads into memory, and executes the payload appended to the BMP file. As it turns out, the actual BMP file is tiny: It is made up of only 33 by 11 pixels and 338 bytes. The data appended to it is the payload, encrypted with the same flawed RC4 implementation. Figure 5. A small BMP file, to which the encrypted payload is appended ###### Stage 4: Core The Core stage starts by adding a hard-coded GUID ({7D8DA9DC-1F3B-2E5C-AA59-9418E652E4AA}) into CPuppetProcessFileSharer. Similar to the other stages, this is likely a marker that stage 4 has started running. ----- Then, the malware starts a system logger thread, where the logged information, which can come from other modules or processes, is received via a pipe and is saved to a file with a hard-coded name. Each entry in the log file is separated by a separator (0xAABBCCDD), followed by a custom RC4 password and message length. The decrypted log can include information about which module was run, with which parameters, and at which stage (GUID from CPuppetProcessFileSharer) the action was performed. Figure 6. The decrypted log from Core The Core stage is run with these command-line arguments: - -DisplayName - -InokeMethodParam (sic) - -InvokeMethodName - -NoModuleLoadDLL - -LoadShellcode -NoModuleLoadDLL uses the same technique as the stage 1 loader, while -LoadShellcode allocates a memory block, copies shellcode, and executes it. The other arguments are self-explanatory. ###### Stage 5: Client.MainConsole Client.MainConsole is the main client binary, which is the last stage of PuppetLoader’s infection chain. The client is written in C++ and the code is structured in several classes that handle different tasks, such as managing the interactive shell, uploading and downloading files, installing new modules, monitoring victim behavior, and executing callback functions when conditions are met. - CPipeCmdManager – interactive shell manager Arguments: -flushusersession -createcmd -destorycmd (sic) ----- -excutecmd -cmdkeepalive - CommonLib::CcmdMulArgDecoder – command-line argument decoder, additional module related to command-line arguments Arguments: -ModuleLog -LogText -ModuleID -ModuleVersion -MountStatus -Path -IsDelete -ModuleKeepAlive -UploadFile The client then establishes communication with a command-and-control (C&C) server via UDP (User Datagram Protocol) and recognizes different types of custom UDP packets. **UDP packet** **Description** RemoteModuleCommandPacket Command to be executed by interactive shell RemoteModuleCommandResultPacket Result of running shell command FileTransferContent_Packet Determines whether to upload or download a file UploadFilePacket Uploaded file content FileManage_FolderContent_Packet Folder content VecProcessPacket Vector object with running processes InstallModulePacket BMP file with encrypted module to be installed RemoteClientSystemInfoPacket Sent by login callback every time a new user logs in ModuleKeepAlivePacket Tells the C&C server that the connection is still alive Table 2. The custom UDP packets recognized by the client |UDP packet|Description| |---|---| |RemoteModuleCommandPacket|Command to be executed by interactive shell| |RemoteModuleCommandResultPacket|Result of running shell command| |FileTransferContent_Packet|Determines whether to upload or download a file| |UploadFilePacket|Uploaded file content| |FileManage_FolderContent_Packet|Folder content| |VecProcessPacket|Vector object with running processes| |InstallModulePacket|BMP file with encrypted module to be installed| |RemoteClientSystemInfoPacket|Sent by login callback every time a new user logs in| |ModuleKeepAlivePacket|Tells the C&C server that the connection is still alive| ----- The backdoor functions implemented in the main client are: - Interactive shell - Upload file - Download file - List files - Terminate process - List processes - Install module - Login callback - Enumerate RDP sessions The communication protocol via UDP uses the same RC4 encryption. One sent and/or received packet contains a 16-byte RC4 key and the length of an RC4 encrypted payload, followed by another packet with the encrypted payload itself. ###### oRAT We also saw Windows and macOS samples of the oRAT malware in our investigation. This was the first time that we had come across this malware family written in the Go language. We found two oRAT droppers in our investigation: a DMG (disk image) file and a fake chat app built using the Electron JS framework. We discuss the former in the “MacOS Platform” subsection and the latter in the “Infection Vectors” subsection of this report. The oRAT samples for both Windows and macOS are flagged as version 0.5.1 and have the same features and configurations. The configuration file and the AES (Advanced Encryption Standard) decryption key are appended in an encrypted form to the PE (Portable Executable) file overlay. Figure 7. The decrypted oRAT configuration ----- After decrypting the configuration using the AES-GCM (AES with Galois/Counter Mode) algorithm, the malware parses it and enables the gateway or traffic forwarder mode if it is specified in the configuration settings. Then, it starts local servers on the infected machine, listening on ports that have been specified in the configuration settings for control commands. This means that the malware operator can directly connect to the infected machine and execute commands via GET or POST requests. The network communications can be in plain text or encrypted, depending on the configuration of the file: - “tcp” for plain text - “stcp” for encrypted TCP (Transmission Control Protocol) communications using the golang-tls library[7] - “sudp” for encrypted UDP traffic using the Quic-go library[8] The malware implements the control server by registering routes.[9] This simple mechanism leads to translating GET/POST requests directly to internal Go commands. Requesting a URL therefore results in executing the corresponding code on an infected system. We obtained oRAT samples that register these routes: - GET /agent/info - GET /agent/ping - POST /agent/upload - GET /agent/download - GET /agent/screenshot - GET /agent/zip - GET /agent/unzip - GET /agent/kill-self - GET /agent/portscan - GET /agent/proxy - GET /agent/ssh - GET /agent/net ----- ###### PuppetDownloader (C++ Downloader) We found samples of a C++ downloader being delivered through fraudulent websites that distribute fake Adobe Flash Player updates. We describe it in detail in the “Infection Vectors” subsection of this report. We have dubbed this downloader PuppetDownloader since we believe that it is closely linked to the PuppetLoader malware described in a previous subsection of this report. PuppetDownloader’s infection starts with an executable written in C++ that connects through a Winsock API to a domain or IP address in a specific port. It then saves the downloaded content as SMTemp.dat. Then, using the executable’s file name and a hard-coded XOR key, it decrypts a file named Loader.dll and copies it to the disk. If the executable is renamed, as online sandboxes would do, the DLL decryption fails and the malware’s second stage does not load. The Loader.dll file executes the SMTemp.dat file, if it exists. The loader then decrypts and executes a legitimate Adobe Flash Player installer in order to deceive the victim into thinking that the executable is a legitimate installer. It should be noted that in all the PuppetDownloader samples that we found during our investigation, the server hosting the second-stage malware payload was offline. It is also interesting to note that the string decryption routine of this malware is a simple XOR with the string “2020-05-24 13:00:29” as its key. The first 13 bytes of the password that is used to decode the string are the same as the last 13 bytes. Figure 8. The XOR decryption routine with a hard-coded string ----- We believe that PuppetDownloader is connected to PuppetLoader on the basis of these observations: - PuppetDownloader and PuppetLoader both use the same string decryption routine that uses the same key. - PuppetDownloader and PuppetLoader both use the same XOR key (2726c6aea9970bb95211304705b5f595) that is used to decrypt the embedded Loader.dll file. - PuppetDownloader and PuppetLoader’s decrypted Loader.dll files share similar strings such as “[-] UnExist pwszModuleFunName:”. This suggests that a common framework was used to compile both DLLs. ###### MFC Socket Downloaders We also found downloaders dropped by WinRAR self-extracting (SFX) files and written using the Microsoft Foundation Class Library (MFC) framework. These MFC socket downloaders feature an identical structure: One function creates a socket, connects to a domain or IP address, sends a short string, and then calls “recv” twice. They redirect the code flow through a call to EnumDesktopsA or EnumWindows, whose callback function pointers point to the downloaded content. The downloaders attempt to access ports 8080, 8885, and 29527, and send the strings “feiji”, “@5436”, and “fhfgj@jfggdsg” to the sockets. We found multiple samples of the same malware family that have the same structure and send the same strings to the sockets. However, it is possible that multiple malicious actor groups might be covertly sharing the source code for this malware. This means that these malware samples could be completely unrelated to Earth Berberoka. Because of this, we chose not to include those samples in our compilation of indicators of compromise (IOCs) for Earth Berberoka’s campaign.[10] When we limited our analysis to the samples that shared Earth Berberoka’s infrastructure, we discovered that we could not download the second stage of the infection chain. The multiple C&C servers we tested did not return any content possibly because the remote IP addresses and ports were shut down or because they were filtered. In the case of one MFC socket downloader sample, the remote IP address and port returned an assembly code and a .NET executable. The expected string was “@5436”, but we noticed that any string containing “@” would return the malware’s second stage. Because we were not certain whether the related sample belonged to Earth Berberoka, we decided not to detail the next stage and related pivoting in this report. ###### PlugX PlugX[11] is a remote access tool (RAT) that has been used by malicious actors in espionage campaigns for more than 10 years. In our investigation, we found multiple samples of the malware targeting both 32-bit and 64-bit architectures. ----- While the features of this malware have been extensively discussed, it seems that it is still being actively developed. It has been pointed out that PlugX sends a DWORD, which is a 32-bit unsigned integer, in the HELLO packet. A compromised system then sends the HELLO packet, which looks like a date in the “yyyymmdd” format, to the C&C server.[12] In the multiple samples that we analyzed, we found the DWORDs “20190520”, “20201106”, and “20210804”, suggesting that the versions we found were developed within the last three years. All of the samples we found are loaded in the same way: A legitimate and signed file that is vulnerable to DLL sideloading is placed alongside a malicious DLL, which decrypts and loads the third file containing the final payload. One of these malicious DLL files has the PDB (program database) path C:\Users\Administrator\Desktop\ Plug7.0(Logger)\logexts\x64\Release\logexts.pdb. A certificate from the company Gravity signs this same file. We discuss Gravity in the “Attribution” section of this report. ###### Gh0st RAT Like PlugX, Gh0st RAT[13] has been around for more than 10 years.[14] This malware family’s source code is public, which is why it has many variants. During our investigation, we found at least three different variants of Gh0st RAT being used in Earth Berberoka’s campaign. One of them had an interesting destructive feature: It replaces the master boot record (MBR) to display an explicit message (“I am virus ! F*ck you :-)”). This particular message was also seen in a public report from a victim of this Gh0st RAT variant.[15] A 2017 Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) report also discussed how Gh0st RAT variants wiped the MBR and replaced it with messages that varied across different samples.[16] ###### Other Known Malware Families By pivoting on domain names, we found other known malware families that Earth Berberoka had used in some of its targeted attacks: - AsyncRAT – an open-source RAT that can be used to remotely monitor and control devices via an encrypted connection - Quasar RAT – a Windows-based open-source RAT that has been used by APT groups for network exploitation - Trochilus – a stealthy RAT that can evade sandbox analysis and can be used in cyberespionage campaigns ----- ###### Linux Platform Xnote We found multiple samples of Xnote, a backdoor that targets the Linux platform.[17] Although this malware had been in the wild for at least six years, we did not find any report of its being used by advanced threat actors or in relation to espionage. What we found was a 2019 report that states how cybercriminals used Xnote to attack web servers to insert content that promoted gambling websites.[18] Dr.Web attributes the development of Xnote to the ChinaZ group,[19] a threat actor group known for using Linux botnets in its DDoS attacks. This malware has typical backdoor capabilities such as uploading and downloading files, executing arbitrary commands, and giving access to a shell. It can also be used to start a SOCKS (Socket Secure) proxy and a portmap server. Interestingly, one of the Xnote samples we found is linked to a domain name that we encountered during our Operation DRBControl investigation.[20] Our analysis showed that the configuration files used by this malware can be decrypted. It also has C&C domains, ports, and a field that could be some sort of campaign identifier. Among Xnote’s different configurations, we found a couple of strings that are possibly gambling-related, such as “caipiao”, which means “lottery” in Chinese, and “W88”, which could refer to a gambling website.[21] It is also worth noting that upon execution, the malware creates and blocks the file /tmp/.wq4sMLArXw. This is a typical behavior of malware families that prevents them from running in an already infected computer, similar to how a mutual exclusion object (mutex) is used in the Windows platform. ###### HelloBot HelloBot is a Linux-targeting malware family that was first detected by MalwareMustDie in early 2019.[22] During our investigation, we saw Chinese comments in the decrypted configuration files of HelloBot. We also discovered that HelloBot is cross-platform. We found multiple Linux ELF (Executable and Linkable Format) samples and one Windows PE sample of HelloBot that are connected to the Earth Berberoka campaign. Upon decrypting the configuration files, we saw that the HelloBot samples contained multiple fields. The following is an example of a decrypted configuration file in the Linux version. (The decrypted configuration file included comments in Chinese. We translated these comments to English for this report). ----- [main] ;上线域名端口 – Active domain name and port host0=linux.daj8.me:443 ;组名称 – Group name group=yeji ;安装后的文件名 注意:不能选择 tmp 目录 – File name after installation Note: tmp directory cannot be selected install_path=/usr/bin/dpkg-apts ;安装之后备份的安装文件路径 – The backup path after installation install_path_bak=/usr/bin/retatelogs ;上线间隔 5 秒重连一下 – Reconnect every 5 seconds retry_interval=5 ;域名解析使用的 DNS 注意 国内已经封锁了 8.8.8.8 – DNS used for domain name resolution Note that 8.8.8.8 has been blocked in China dns=114.114.114.114 ;伪装的进程名称 – Masquerading/fake process name fake_ps=[ksoftirqd/0] ;自启动 – Self-start/self-boot auto_start=1 ;备注 – Remark note= ;锁文件 – Lock file lock_file=/bin/sh ;插件目录 – Plugin directory plugin_dir=/usr/lib/plgs/ ;监控进程循环执行检测的时间间隔 – Monitor the time interval of process-checking loop ----- mon_interval=10 ;监控进程每次检查要执行的命令 – Monitor the command to be executed for process-checking ;cmd0=”fuser -k /tmp/.wq4sMLArXw” ;是否自动清除iptables规则 木马会自动执行 iptables -F – Whether to automatically clear iptables rules. Trojan will automatically execute the command “iptables -F” close_iptable=0 ;运行目录,启动之后会复制自身到这个目录来运行 – Running directory to where it will copy itself for running after startup tmp_start_dir=/var/tmp The following table indicates the additional fields in the Linux version. **Field** **Description** host0 C&C address install_path, install_path_bak Paths to the malicious executable retry_interval Connection to C&C server time interval (in seconds) dns DNS server IP address (114.114.114.114 is a public Chinese DNS server.[23]) fake_ps Disguised process name appearing in “ps” output auto_start Identifies whether persistence is enabled or not note Developer’s remarks plugin_dir Directory containing additional plug-ins mon_interval Execution of monitoring process time interval cmd0 Commands to be executed by the monitoring process close_iptable Automatically flushes firewall (iptables) rules if the value is 1. If the value is 0, nothing happens. tmp_start_dir Directory from which the malicious executable is launched Table 4. The additional fields in the Linux version of HelloBot The following is the decrypted Windows version of HelloBot. (The decrypted configuration file included comments in Chinese. We translated these comments to English for this report). |Field|Description| |---|---| |host0|C&C address| |install_path, install_path_bak|Paths to the malicious executable| |retry_interval|Connection to C&C server time interval (in seconds)| |dns|DNS server IP address (114.114.114.114 is a public Chinese DNS server.23)| |fake_ps|Disguised process name appearing in “ps” output| |auto_start|Identifies whether persistence is enabled or not| |note|Developer’s remarks| |plugin_dir|Directory containing additional plug-ins| |mon_interval|Execution of monitoring process time interval| |cmd0|Commands to be executed by the monitoring process| |close_iptable|Automatically flushes firewall (iptables) rules if the value is 1. If the value is 0, nothing happens.| |tmp_start_dir|Directory from which the malicious executable is launched| ----- [main] ;上线域名端口 – Active domain name and port host0=win.googie.ph:443 ;组名称 – Group name group=windows ;设置互斥,为空不设置互斥体 – Set a mutex; it will not set the mutex if it is null/empty mutex= ;自启动注册表键值 – Autostart registry key value autorun_key=ctfmon ;安装后的文件名 注意:目录必须存在 – Filename after installation. Note: The directory must exist install_path=c:\windows\system32\ctfmon3.jpg ;上线间隔 5 秒重连一下 – Reconnect every 5 seconds retry_interval=5 ;自启动 – Self-start/self-boot auto_start=1 ;备注 – Remark note= ;服务名称 – Service name svr_name=NetCrypt ;服务描述 – Service description svr_desc=Crypt data transfer on local network ;服务显示名称 – Service display name svr_display_name=Net.Crypt ;0 UDP 1 TCP 2 UDP & TCP 3 HTTP protocol=1 ----- The following table indicates the additional fields in the Windows version. **Field** **Description** mutex Name of a mutex set by the malware autorun_key Value of the registry key set for persistence svr_name Name of the service used for persistence svr_desc Description of the service used for persistence svr_display_name Display name of the service used for persistence auto_start Identifies whether persistence is enabled or not protocol Protocol used for network communication (UDP, TCP, UDP and TCP, or HTTP) Table 5. The additional fields in the Windows version of HelloBot We found the “note” values “rootkit” and “web”. We also found the following “group” values in multiple configuration files, some of which have possible China- or gambling-related meanings. **“Group”** **Note** **value** aite Could refer to the AITE Institute,[24] an international school that has headquarters in Suzhou, China idc Could refer to International Data Corporation (IDC) China[25] CG A type of lottery SF A type of lottery yabo Could refer to the Yabo gambling website[26] yeji A group value that is also present in the decrypted Xnote configuration gamebox bos xingcai jinbo qp abcb windows Table 6. “Group” values found in multiple configuration files of HelloBot |Field|Description| |---|---| |mutex|Name of a mutex set by the malware| |autorun_key|Value of the registry key set for persistence| |svr_name|Name of the service used for persistence| |svr_desc|Description of the service used for persistence| |svr_display_name|Display name of the service used for persistence| |auto_start|Identifies whether persistence is enabled or not| |protocol|Protocol used for network communication (UDP, TCP, UDP and TCP, or HTTP)| |“Group” value|Note| |---|---| |aite|Could refer to the AITE Institute,24 an international school that has headquarters in Suzhou, China| |idc|Could refer to International Data Corporation (IDC) China25| |CG|A type of lottery| |SF|A type of lottery| |yabo|Could refer to the Yabo gambling website26| |yeji|A group value that is also present in the decrypted Xnote configuration| |gamebox|| |bos|| |xingcai|| |jinbo|| |qp|| |abcb|| |windows|| ----- The developers of HelloBot used object-oriented programming, and we were able to identify several self explanatory class names during our analysis. We saw that some of the classes were not implemented, which likely means that Earth Berberoka reused the source code and implemented only select features. The following analysis is based on the Windows version of HelloBot (with the SHA-256 hash value 74d93253090f999977fa8e32b03b94bb8d35f59a8390545fd10da0f7fb1fcd13). The sample starts the C&C communication thread by processing these bot commands: - Uninstall - Restart - Update - Change_grp - Change_note - Manager_exit - Monitor_exit The Windows HelloBot sample also executes a monitor thread, which checks if the bot has not been removed from its install_path and if persistence settings are still present, and a manager thread. The manager thread receives tasks from C&C servers and processes them. **Task** **Description** CManager Performs client management operations such as CShellTask, CFileTask, CPortMapTask, and CProxyTask CFileTask Performs file operations such as move, delete, list files, upload, download, create directory, run file, and list disks CPortmapTask Port scanner CProxyTask Proxy server CShellTask Interactive shell CRdpInfectTask Not implemented CSvchostInstaler Runs HelloBot as a service CAntiAV Not implemented CKeepLiveTask Sends keepalive (heartbeat) packet every five seconds Table 7. HelloBot’s client management tasks The communication with the HelloBot C&C is done via TCP. The headers in the following figure show HTTP Host header spoofing. HelloBot spoofs HTTP Host headers to show traffic that appears as requests from legitimate sites.[27] In our investigation, we saw that HTTP headers appear to show traffic to a popular China-based search engine. |Task|Description| |---|---| |CManager|Performs client management operations such as CShellTask, CFileTask, CPortMapTask, and CProxyTask| |CFileTask|Performs file operations such as move, delete, list files, upload, download, create directory, run file, and list disks| |CPortmapTask|Port scanner| |CProxyTask|Proxy server| |CShellTask|Interactive shell| |CRdpInfectTask|Not implemented| |CSvchostInstaler|Runs HelloBot as a service| |CAntiAV|Not implemented| |CKeepLiveTask|Sends keepalive (heartbeat) packet every five seconds| ----- Figure 10. HelloBot’s HTTP Host header spoofing Aside from the fake headers, we also saw zlib-compressed data that contains infected machine information. Keepalive (heartbeat) packets follow a similar format: the packet length (0x11), the payload length (0x01), and the zlib compression level (78 9c), which is the default zlib compression level.[28] The keepalive packet decompresses to just one character, the letter “e”. We found over a hundred old HelloBot samples, some of which we could cluster based on their infrastructure. One cluster caught our eye because the decrypted configuration files contained in the samples mentioned several Chinese news websites, suggesting that they could be or were potential targets. We no longer included the details in this report because the samples are not connected to Earth Berberoka. ###### Connection to Xnote We noticed an interesting command in some configurations of the HelloBot samples that we analyzed: fuser -k /tmp/.wq4sMLArXw This command kills every process accessing the /tmp/.wq4sMLArXw file. As discussed in the “Xnote” subsection of this report, Xnote creates the /tmp/.wq4sMLArXw file to avoid running on an already infected computer. This means that the HelloBot process would kill the Xnote process. We can only hypothesize about the logic behind this behavior. It is possible that it is meant to kill off malware competitors, similar to what happened between the SpyEye and ZeuS botnet malware over a decade ago.[29] Another possibility could be that HelloBot is a newer version of Xnote. ----- ###### Pupy RAT Pupy is a cross-platform RAT written in Python whose code is available on GitHub.[30] We found some Linux samples of Pupy linked to domain names owned by Earth Berberoka. One of these was hidden by the Reptile rootkit, which we discuss in the succeeding subsection. In typical deployments of Pupy, its malicious ELF file is copied and run from /usr/bin/atd. In the case of Earth Berberoka, the configuration was customized: The malicious process is displayed as “[kworker/2:0]” in the process list. ###### Reptile Rootkit Reptile[31] is an open-source rootkit that uses a kernel module to hide files, directories, processes, and network connections. During our investigation, we found it being used to hide connections and processes related to a sample of the Pupy RAT. The following Bash configuration script of Reptile includes the [kworker/2:0] process name, which is the same process name that we mention in the preceding subsection on Pupy. The DEFAULT_IP address is linked to the dust[.]github[.]wiki domain name, which is a C&C server of one of the Pupy samples. Figure 11. The Reptile rootkit’s Bash configuration script The persistence is done via a kernel module launched through a udev rule copied into the /usr/lib/udev/rules.d/ directory, which has the following content. ----- Figure 12. Persistence via the udev rule The backdoor is split among different files. In our investigation, the backdoor was named k5734, but the default name is “reptile”: - k5734 – the kernel module - k5734_cmd – a userland executable that handles some specific keywords, such as “hide”, “show”, “root”, and “conn”, that send input/output controls (IOCTLs) to the kernel module - k5734_shell – a userland shell that handles other commands and IOCTLs - k5734_start – a Bash script that contains the rootkit’s configuration Our findings are consistent with the content of the default Bash installation script[32] in the code repository. During its launch, the Reptile module is first decrypted in memory through a custom rol32 routine (in our analysis, the decryption key was 0xD75581AA) and is then loaded through the kmatryoshka loader[33] (with the decryption key 0x3D8F0A02). ###### Modified System Binaries We found two slightly modified Linux binaries in the wild. The first one was lsof, a legitimate tool that can display information such as opened files or network connections in a Linux system. In our analysis, we found that Earth Berberoka added a slight modification to avoid displaying specific items such as IP addresses. The malicious lsof binary that we found modified the print_file function to skip the printing in case the current item matched a specific IP address. This was done by adding two calls to the strstr function. Figure 13. A modified lsof binary The specific IP address was linked to, among others, the domain name linux[.]daj8[.]me, which is a C&C server of some HelloBot samples that we found. ----- The second modified binary was ps, which displays current running processes. Earth Berberoka modified it to skip displaying a process if it was named [ksoftirqd/0] and also used the strstr function for that purpose. Figure 14. A modified ps binary We found the [ksoftirqd/0] process name in multiple HelloBot configurations. By combining these modified Linux system binary findings, we found multiple HelloBot samples that matched. The following is an excerpt of a HelloBot configuration file that contains the process name that is hidden by the modified ps binary. The HelloBot configuration file also contains the domain name that is related to the IP address hidden by the modified Isof binary. Figure 15. A HelloBot configuration that contains the domain name hidden by the modified ps binary and the domain name that is related to the IP address hidden by the modified Isof binary ###### MacOS Platform We found two malicious macOS binaries related to Earth Berberoka: a DMG file and a fake chat app. ###### DMG File We found the first malicious macOS binary on VirusTotal, a DMG file named “bitget-0.0.7 (1).dmg.” It contained an XAR (extensible archive) file named “Bitget Apps.pkg.” After extracting the XAR archive, we noticed that the PackageInfo file referenced “preinstall” scripts. Figure 16. The PackageInfo file referencing “preinstall” scripts ----- We also observed a “Scripts” gzip (GNU zip) file in the “Flash_Player.pkg/preinstall” directory, which contained certain Bash commands. Figure 17. A Bash command from the “Flash_Player.pkg/preinstall” directory That URL leads to the sample ee07dfd6443af8f20f5f11effb9cbcec07e125697a28aee78718caeed17f1407, which is a UPX x64 Mach-O executable. After we unpacked the executable, we noticed that it was the same oRAT malware version that we discuss in the subsection on the Windows platform of this report. ###### Fake Chat App We also found a malicious website delivering Windows and macOS files for a chat app named MiMi. When a user selects the “Mac” app option from the website’s menu, a file named mmchat-1.1.6.3.dmg is downloaded. We discuss this website and the mmchat-1.1.6.3.dmg file content further in the “Infection Vectors” subsection of this report. After analyzing the Info.plist of the MiMi chat app, we observed the following: - NSTemporaryExceptionAllowsInsecureHTTPLoads is enabled, which allows the malicious app to connect to HTTP websites. - NSCameraUsageDescription is set to “用于进行视频通话”, which states that camera permission is requested by the app for supposed video calls. - NSMicrophoneUsageDescription is set to “用于进行语音通话”, which states that microphone permission is requested by the app for supposed voice calls. The final payload is a macOS version of the oRAT malware. ###### Infrastructure This report discusses a number of malware families used in targeting three different platforms. These malware families are all linked by their infrastructure, and this was how we were able to connect them all to the same threat actor group, Earth Berberoka. As previously mentioned, although we found some samples that could be related to Earth Berberoka based on their respective codes, we chose not to list them here to avoid the risk of linking different groups that might only be using the same source codes or builders. During our investigation, we saw that some domain names were connected to multiple malware families. Usually, each malware family would point to a different domain name. For example, we found multiple “linux.*” subdomains linked to Linux malware families. ----- We noticed one case where the root domain, github.wiki, hosted a copy of GitHub’s documentation while multiple subdomains were listed as C&C servers of multiple malware families. This was likely done to increase the chances of the whole domain’s being allowlisted or misclassified during threat investigations. Figure 18. A copy of GitHub’s documentation hosted on a root domain ###### Infection Vectors We found different infection vectors that were used in the delivery of some of the malware families that we linked to Earth Berberoka. ###### Backdoored ‘Secure’ Chat App It seems somewhat common for apps to use some variation of “MiMi” as part of their names. It is unclear whether there is any relationship between any other apps that use this name and the app discussed in this report, such as an attempt to confuse potential users about the identity or origin of the app in question. Based on our analysis, the app that this report is concerned with is one that connects to the mmchat.online domain to make the chat features work and contains embedded malware. And although the app loads malicious code, it should be noted that we did not analyze the app itself as it seemed to be a legitimately functioning chat app. We found a website written in Chinese offering a so-called secure chat platform named MiMi. In Chinese, “mì mì (密密)” means “secret,” ergo “secret chat application.” The website links to an installer for both Windows and macOS. If the width of a web browser was lower than 720 pixels, the mobile version of the website was displayed. However, based on our experience, the Android and iOS links were empty or did not contain any values. We are unsure if the website’s template was not properly customized at the time of our investigation or if the malicious actors behind the website had planned to target those platforms in the future. ----- Figure 19. The MiMi chat website as displayed on a screen with a width higher than 720 pixels Figure 20. The MiMi chat website as displayed on a screen with a width lower than 720 pixels (mobile version) ----- We could not find any public source for MiMi, so we do not know if the malicious actors behind the chat app wrote it from scratch or if it impersonates a private platform that is relevant to its targets. It is common for gambling companies in China to use custom chat apps to avoid being spied on by the government. A “private” chat app like this could be an attractive lure as users would think that it would not be monitored by the government, unlike popular chat apps such as WeChat. Installation begins once the MiMi app executable is launched. Meanwhile, another executable with malware is also downloaded and runs in the background. After the MiMi chat app has been successfully downloaded, the app’s chat user interface appears. Figure 21. Installation of the MiMi chat app, which begins immediately after the MiMi chat app executable is launched Figure 22. The launched MiMi chat user interface, shown while another executable with malware is running in the background Both the executable’s icon and the image displayed next to the login prompt were taken from public sources.[34] ----- Figure 23. The MiMi chat app registration screen, with the mobile number registration field featuring a drop-down menu with mostly Asian phone number prefixes MiMi prompts new users to register with either a phone number or an email address. The choices of countries that the app supports are limited to the US, Canada, and Asian countries, based on the phone number prefixes available in the drop-down menu: - +1: USA - +1: Canada - +63: Philippines - +65: Singapore - +66: Thailand - +81: Japan - +82: South Korea - +852: Hong Kong - +853: Macao - +86: China - +886: Taiwan This reinforces our belief that gambling websites catering to Asian countries are the primary targets of Earth Berberoka. ----- The MiMi chat app is written using Electron JS, a JavaScript framework using the Node.js runtime software stack. In the Resources/app/package.json file, the “private” item is set to “True”, which means that the package is not intended for publication. Also, the “main” item points to the ./electron-main.js file, which contains some lines that are processed after Electron has finished initializing.[35] In the macOS version of the MiMi chat app, two different executables are referenced: - ./mimi.app/Contents/Resources/app/statics/deps/windowsx64 - ./mimi.app/Contents/Resources/app/statics/deps/darwinx64 They are both samples of the oRAT malware that we discuss in a previous subsection of this report. They are of the same malware variant — one is compiled in the PE format while the other is compiled as a Mach-O executable — and both can be found in the mimi.app/Contents/Resources/app/statics/deps folder after decompression of the DMG file. Ironically, the Windows executable will never be launched since a DMG file will never run on the Windows platform. Figure 24. An excerpt of the macOS version of electron-main.js (beautified) On the Windows platform, the electron-main.js file references a file named USOPrivate. Figure 25. An excerpt of the Windows version of electro-main.js (beautified) ----- The resources/app/statics/deps folder contains three files: - resources/app/statics/deps/USOPrivate.exe - resources/app/statics/deps/log.dll - resources/app/statics/deps/USOPrivate.dat The USOPrivate.exe file is a legitimate file signed by Bitdefender and is vulnerable to DLL sideloading. By exploiting an untrusted search path vulnerability (CVE-2019-17100),[36] the malicious log.dll file is loaded, which in turn loads the USOPrivate.dat file in memory and executes the code inside it. After being unpacked in memory, the resulting sample is a recent 64-bit version of the PlugX malware. Loads (if Windows) PlugX malware Visits Delivers |Col1|Col2|Delivers| |---|---|---| |||| Target Chat app’s website Electron JS chat app Loads (if macOS) oRAT malware Figure 26. Earth Berberoka’s infection chain via the MiMi chat app’s website ###### Fake BitGet App In our investigation, we also saw that Earth Berberoka had created a fake BitGet app for macOS. BitGet is a Singapore-based cryptocurrency exchange app. The preinstall script of the fake BitGet app downloads and executes the oRAT malware. Figure 27. The preinstall script of the fake BitGet app ###### Fake Website Delivering Backdoored Adobe Flash Player Installer We noticed that Earth Berberoka exploited a persistent cross-site scripting (XSS) vulnerability in a legitimate website to execute JavaScript code hosted in a third-party server. The injected code calls a PHP script named xss.php, verifies that the victim is running Windows, and sets a cookie to ensure the code will not be executed more than once. Then, it displays a pop-up with a message in Chinese stating that the version of Adobe Flash Player is too old to display the content and redirects the victim to a website offering Adobe Flash Player. ----- Figure 28. An XSS attack pop-up message on a legitimate website We found multiple websites that promise victims a free version of Adobe Flash Player but in fact tricks them into downloading malware. While this technique is not new, we thought that the lure would not be as appealing to users since Adobe has not supported Flash Player since Dec. 31, 2020, and all major browsers have disabled Flash plug-ins. However, we discovered that Adobe officially allows a third-party editor to deliver a version of Flash Player in mainland China through the flash.cn website. Loads JS code Visits and PHP script Legitimate website XSS platform Redirects Target C&C or download server Falls for Delivers Connects to lure Fake Adobe Malware Flash Player website Figure 29. Earth Berberoka’s infection chain via a fake website offering a backdoored Adobe Flash Player installer This malicious website is also written in Chinese, which is consistent with the other fake websites related to Earth Berberoka’s campaign. This suggests that Earth Berberoka primarily targets Chinese-speaking individuals. |Col1|Loads JS code| |---|---| ||Loads JS code and PHP script| ||| ||| |Col1|Col2| |---|---| ||| ||| ||Delivers| ----- Figure 30. A Fake Chinese Adobe Flash Player website All of the Earth Berberoka–related websites that we analyzed looked identical and delivered different payloads throughout 2021. During our investigation of the third-party server hosting the injected JavaScript code and xss.php script, we noticed that it also hosted an authentication page titled “Xss平台”, which means “Xss platform.” Figure 31. An XSS platform authentication page The message at the bottom of the page is a disclaimer explaining that it is a private access platform and that there are free XSS platforms available on the internet. Upon checking the HTML source code of this authentication page, we noticed a comment advising to compare the hash of a file named “XSS平台源 码.rar” (“XSS platform source code”) with the hash stored in a now-closed Chinese forum. This comment suggests that the source code for the XSS platform was downloaded from that forum. Our assumption is that this platform allows malicious actors to automatically search for XSS vulnerabilities in remote websites and inject code of their choice. The invoked xss.php script is probably meant to collect statistics on or keep track of victims. Based on our telemetry, we saw that two websites were exploited. One is a news website aimed at the Chinese community of a large US city, while the second is an unknown website that was offline and had no domain name at the time of our investigation. ----- ## Attribution C&C domain shopingchina.net Operation Domain name Winnti Connecting DRBControl (passive DNS) (Casper/Lead) the dots Xnote ChinaZ Operation Iron Tiger Signing certificate PZCHao from Gravity Figure 32. Potential links between different threat actor groups One of the DLLs used in one of the 64-bit PlugX samples that we found was signed with a stolen certificate from the Gravity company. QuoIntelligence believes that Gravity might be one of the gaming companies targeted by the Winnti group.[37] If this proves to be true, Earth Berberoka could be linked to the Winnti group, based on ESET’s description of the Winnti group in its paper.[38] One of the Xnote samples we found had linux[.]shopingchina[.]net as its C&C domain. We previously saw the shopingchina[.]net domain during our investigation of Operation DRBControl. We linked the shopingchina[.]net domain to the following malware families: - A Type 1 sample with test66[.]shopingchina[.]net as its C&C domain - Trochilus samples with fn[.]shopingchina[.]net as their C&C domain - MFC keyloggers with jqb[.]shopingchina[.]net as their C&C domain We have yet to see the Type 1 malware family, which is a backdoor written in C++ that uses Dropbox as a secondary C&C channel, being used by other threat actors. However, this does not mean it could not be a shared tool. ----- There are two potential connections between Earth Berberoka and Iron Tiger. It should be noted, though, that the possibility of these groups’ being connected is slim. In Operation DRBControl, the HyperBro malware family was used, and we have come to associate it with the Iron Tiger group. According to Dr.Web, Xnote was developed by the ChinaZ group.[39] And because of a shared Gh0st RAT RC4 decryption key, a report by Intezer mentions some links between ChinaZ and Operation PZChao,[40] which Bitdefender also believes to be linked to Iron Tiger.[41] Operation DRBControl also has some links to the Winnti group, according to a report by ClearSky Cyber Security that features Operation DRBControl’s infrastructure and samples.[42] More specifically, BlackBerry attributes the related domain names to the Casper APT group (aka Lead).[43, 44] Because these links are extremely complicated and do not provide evidence for strict attribution, we decided to name the threat actors behind this operation. One of our goals for publishing our findings is to help other researchers in making their own assessments. Regarding Earth Berberoka’s origin, several clues point toward Chinese-speaking threat actors, although none of them are high-confidence: - The encrypted configuration of some HelloBot samples contain comments or words in Chinese. - Some of the malware families, such as PlugX and Gh0st RAT, are known to be of Chinese origin. - A probable malware control panel we found in a domain related to this group has a login prompt in Chinese. Figure 33. A probable malware control panel in Chinese ----- ## Conclusion This investigation shows that the threat actor group behind this operation has a lot of manpower, on account of the large infrastructure and the various tools it has developed and used. Based on our telemetry and other hints we discuss in this report, we were able to assess that the group primarily targets the gambling industry catering to Asia, more specifically Chinese-speaking users and operators of gambling websites. Earth Berberoka uses a plethora of tools. Some of these are malware families that have existed for more than 10 years and that the group has enhanced, while others are malware families that it seemingly built specifically for this campaign. It is also interesting to see Earth Berberoka’s use of portable frameworks and languages such as Electron JS and Golang to target multiple platforms. We also found that some Linux malware families that were believed to have been used for cybercrime could also be used for espionage. Earth Berberoka did not hesitate to use open-source malware families such as the Pupy RAT and the Reptile rootkit for this purpose. Finally, this investigation shows the difficulty in attributing such an infrastructure when the threat actors behind it use tools that are shared among multiple groups.[45] ----- ##### References 1 S. Lock. (March 10, 2022). Statista. “Market size of the online gambling industry worldwide from 2019 to 2023.” Last accessed [on April 11, 2022, at https://www.statista.com/statistics/270728/market-volume-of-online-gaming-worldwide/.](https://www.statista.com/statistics/270728/market-volume-of-online-gaming-worldwide/) 2 University of Bristol. (May 17, 2021). ScienceDaily. “Study shows online gambling soared during lockdown, especially among [regular gamblers.” Accessed on April 11, 2022, at https://www.sciencedaily.com/releases/2021/05/210517083636.htm.](https://www.sciencedaily.com/releases/2021/05/210517083636.htm) 3 Trend Micro Research. (Feb. 18, 2020). Trend Micro Security News. “Operation DRBControl: Uncovering a Cyberespionage [Campaign Targeting Gambling Companies in Southeast Asia.” Accessed on April 1, 2022, at https://www.trendmicro.com/](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia) [vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia) [companies-in-southeast-asia.](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia) 4 Ionut Ilascu. (March 31, 2021). Bleeping Computer. “800Gbps DDoS extortion attack hits gambling company.” Accessed [on April 11, 2022, at https://www.bleepingcomputer.com/news/security/800gbps-ddos-extortion-attack-hits-gambling-](https://www.bleepingcomputer.com/news/security/800gbps-ddos-extortion-attack-hits-gambling-company/) [company/.](https://www.bleepingcomputer.com/news/security/800gbps-ddos-extortion-attack-hits-gambling-company/) 5 [Nick Carr (@ItsReallyNick). (May 15, 2020). Twitter. Accessed on April 18, 2022, at https://twitter.com/ItsReallyNick/](https://twitter.com/ItsReallyNick/status/1261318098092724226) [status/1261318098092724226.](https://twitter.com/ItsReallyNick/status/1261318098092724226) 6 [Microsoft. (Oct. 7, 2021). Microsoft. “PEB_LDR_DATA structure (winternl.h).” Accessed on April 1, 2022, at https://docs.](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data) [microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data.](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data) 7 [Denis Denisov. (Nov. 21, 2020). GitHub. “go-lang tls.” Accessed on April 4, 2022, at https://github.com/denji/golang-tls.](https://github.com/denji/golang-tls) 8 [Lucas Clemente. (March 22, 2022). GitHub. “quic-go.” Accessed on April 4, 2022, at https://github.com/lucas-clemente/quic-](https://github.com/lucas-clemente/quic-go) [go.](https://github.com/lucas-clemente/quic-go) 9 Develop Paper. (Dec. 12, 2020). Develop Paper. “Understanding the implementation of HTTP server in golang.” Accessed on [April 4, 2022, at https://developpaper.com/understanding-the-implementation-of-http-server-in-golang/.](https://developpaper.com/understanding-the-implementation-of-http-server-in-golang/) 10 Daniel Lunghi and Jaromir Horejsi. (April 27, 2022). Trend Micro Research, News, and Perspectives. “New APT Group Earth [Berberoka Targets Gambling Websites With Old and New Malware.” Accessed on May 6, 2022, at https://www.trendmicro.](https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html) [com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html.](https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html) 11 Trend Micro. (Sept. 17, 2012). Trend Micro Research, News, and Perspectives. “Unplugging PlugX Capabilities.” Accessed on [April 5, 2022, at https://www.trendmicro.com/en_us/research/12/i/unplugging-plugx-capabilities.html.](https://www.trendmicro.com/en_us/research/12/i/unplugging-plugx-capabilities.html) [12 Fabien Perigaud. (June 1, 2014). Airbus Cybersecurity. “PlugX: some uncovered points.” Accessed on April 5, 2022, at https://](https://airbus-cyber-security.com/plugx-some-uncovered-points/) [airbus-cyber-security.com/plugx-some-uncovered-points/.](https://airbus-cyber-security.com/plugx-some-uncovered-points/) [13 MITRE ATT&CK. (April 23, 2021). MITRE ATT&CK. “gh0st RAT.” Accessed on April 6, 2022, at https://attack.mitre.org/](https://attack.mitre.org/software/S0032/) [software/S0032/.](https://attack.mitre.org/software/S0032/) [14 Trend Micro. (Sept. 21, 2012). Trend Micro Threat Encyclopedia. “GHOSTRAT.” Accessed on April 6, 2022, at https://www.](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ghostrat) [trendmicro.com/vinfo/us/threat-encyclopedia/malware/ghostrat.](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ghostrat) 15 ThaiHostTalk. (n.d.). ThaiHostTalk. “I am virus! Fuck You slight_smile คัยเคยเจออาการนี้�มั่�งคับ ขอคำ�ปรึกษาหน่อย.” Accessed on [April 6, 2022, at https://d.thaihosttalk.com/t/i-am-virus-fuck-you/34081.](https://d.thaihosttalk.com/t/i-am-virus-fuck-you/34081) 16 National Cybersecurity and Communications Integration Center. (March 2017). ICS-CERT. “Destructive Malware.” Accessed [on April 6, 2022, at https://www.cisa.gov/uscert/sites/default/files/documents/Destructive_Malware_White_Paper_S508C.pdf.](https://www.cisa.gov/uscert/sites/default/files/documents/Destructive_Malware_White_Paper_S508C.pdf) [17 Dr.Web. (May 12, 2015). Dr.Web. “Linux.BackDoor.Xnote.1.” Accessed on April 6, 2022, at https://vms.drweb.com/](https://vms.drweb.com/virus/?i=4372602&lng=en) [virus/?i=4372602&lng=en.](https://vms.drweb.com/virus/?i=4372602&lng=en) 18 Weibu Intelligence Bureau. (April 16, 2019). Snowflake News. “Analysis Report of XJ Gang of Gaming Black Production | [Weibu Online Report.” Accessed on May 6, 2022, at https://www.xuehua.tw/a/5ec83986e3f5c17164172a23.](https://www.xuehua.tw/a/5ec83986e3f5c17164172a23) [19 Dr.Web. (Feb. 5, 2015). Dr.Web. “New Linux backdoor carries extensive payload.” Accessed on May 6, 2022, at https://news.](https://news.drweb.com/show/?i=9272) [drweb.com/show/?i=9272.](https://news.drweb.com/show/?i=9272) 20 Trend Micro Research. (Feb. 18, 2020). Trend Micro Security News. “Operation DRBControl: Uncovering a Cyberespionage [Campaign Targeting Gambling Companies in Southeast Asia.” Accessed on April 6, 2022, at https://www.trendmicro.com/](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia) [vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia) [companies-in-southeast-asia.](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia) ----- [21 w88you. (n.d.). w88you. “W88 Malaysia.” Accessed on April 6, 2022, at https://www.w88you.com/.](https://www.w88you.com/) 22 Imgur. (Jan. 4, 2019). Imgur. “Linux / HelloBot (bot / backdoor / new china origin ELF malware).” Accessed on April 6, 2022, at [https://imgur.com/a/lAQ1tMQ.](https://imgur.com/a/lAQ1tMQ) [23 114DNS. (n.d.). 114DNS. “114DNS.” Accessed on April 6, 2022, at https://www.114dns.com/.](https://www.114dns.com/) [24 AITE Institute. (n.d.). AITE Institute. “About us.” Accessed on April 6, 2022, at https://www.aiteinstitute.com/en/about/.](https://www.aiteinstitute.com/en/about/) [25 IDC China. (n.d.). IDC China. “IDC China.” Accessed on April 6, 2022, at https://www.idc.com/cn_eng.](https://www.idc.com/cn_eng) [26 BetVision. (n.d.). BetVision. “BetVision.” Accessed on April 19, 2022, at https://www.yabo.uk/.](https://www.yabo.uk/) 27 Virus Bulletin. (Sept. 4, 2013). Virus Bulletin. “Malware spoofing HTTP Host header to hide C&C communication.” Accessed [on April 6, 2022, at https://www.virusbulletin.com/blog/2013/09/malware-spoofing-http-host-header-hide-c-amp-c-](https://www.virusbulletin.com/blog/2013/09/malware-spoofing-http-host-header-hide-c-amp-c-communication/) [communication/.](https://www.virusbulletin.com/blog/2013/09/malware-spoofing-http-host-header-hide-c-amp-c-communication/) [28 unixman83. (Jan. 12, 2012). Stack Overflow. “What does a zlib header look like?” Accessed on May 8, 2022, at https://](https://stackoverflow.com/questions/9050260/what-does-a-zlib-header-look-like) [stackoverflow.com/questions/9050260/what-does-a-zlib-header-look-like.](https://stackoverflow.com/questions/9050260/what-does-a-zlib-header-look-like) 29 Brian Krebs. (Oct. 24, 2010). Krebs On Security. “SpyEye v. ZeuS Rivalry Ends in Quiet Merger.” Accessed on April 6, 2022, at [https://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/.](https://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/) [30 n1nj4sec. (Sep. 2, 2021). GitHub. “pupy.” Accessed on May 6, 2022, at https://github.com/n1nj4sec/pupy.](https://github.com/n1nj4sec/pupy) [31 Ighor Augusto. (June 28, 2020). GitHub. “Reptile.” Accessed on April 6, 2022, at https://github.com/f0rb1dd3n/Reptile.](https://github.com/f0rb1dd3n/Reptile) [32 Ighor Augusto. (June 28, 2020). GitHub. “Reptile.” Accessed on April 6, 2022, at https://github.com/f0rb1dd3n/Reptile.](https://github.com/f0rb1dd3n/Reptile) [33 Ilya V. Matveychikov. (Feb. 5, 2020). GitHub. “kmatryoshka.” Accessed on April 6, 2022, at https://github.com/milabs/](https://github.com/milabs/kmatryoshka) [kmatryoshka.](https://github.com/milabs/kmatryoshka) [34 Helena Zhang. (n.d.). Icon Bolt. “Chat teardrop dots icon.” Accessed on May 6, 2022, at https://www.iconbolt.com/iconsets/](https://www.iconbolt.com/iconsets/phosphor-regular/chat-teardrop-dots) [phosphor-regular/chat-teardrop-dots.](https://www.iconbolt.com/iconsets/phosphor-regular/chat-teardrop-dots) [35 Electron. (n.d.). Electron. “app.” Accessed on May 6, 2022, at https://www.electronjs.org/docs/v14-x-y/api/app#event-ready.](https://www.electronjs.org/docs/v14-x-y/api/app#event-ready) 36 Bitdefender. (Dec. 19, 2019). Bitdefender. “Untrusted Search Path vulnerability in Bitdefender Total Security 2020 (VA-5895).” [Accessed on May 8, 2022, at https://www.bitdefender.com/support/security-advisories/untrusted-search-path-vulnerability-](https://www.bitdefender.com/support/security-advisories/untrusted-search-path-vulnerability-bitdefender-total-security-2020-va-5895/) [bitdefender-total-security-2020-va-5895/.](https://www.bitdefender.com/support/security-advisories/untrusted-search-path-vulnerability-bitdefender-total-security-2020-va-5895/) 37 QuoIntelligence. (April 20, 2020). QuoIntelligence. “WINNTI GROUP: Insights From the Past.” Accessed on May 6, 2022, at [https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/.](https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/) 38 Marc-Etienne Léveillé and Mathieu Tartare. (Oct. 2019). ESET Research White Papers. “CONNECTING THE DOTS: Exposing [the arsenal and methods of the Winnti Group.” Accessed on April 10, 2022, at https://www.welivesecurity.com/wp-content/](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf) [uploads/2019/10/ESET_Winnti.pdf.](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf) [39 Dr.Web. (May 12, 2015). Dr.Web. “Linux.BackDoor.Xnote.1. Accessed on April 11, 2022, at https://vms.drweb.com/](https://vms.drweb.com/virus/?i=4372602&lng=en) [virus/?i=4372602&lng=en.](https://vms.drweb.com/virus/?i=4372602&lng=en) 40 Ignacio Sanmillan. (Jan. 7, 2019). Intezer. “ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat [Actor Groups.” Accessed on April 11, 2022, at https://www.intezer.com/blog/malware-analysis/chinaz-relations/.](https://www.intezer.com/blog/malware-analysis/chinaz-relations/) 41 Ivona Alexandra Chili. (Feb. 2, 2018). Bitdefender. “Operation PZChao: a possible return of the Iron Tiger APT.” Accessed on [April 11, 2022, at https://www.bitdefender.com/blog/labs/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/.](https://www.bitdefender.com/blog/labs/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/) 42 ClearSky Research Team. (July 18, 2017). ClearSky Cyber Security. “Recent Winnti Infrastructure and Samples.” Accessed on [April 11, 2022, at https://www.clearskysec.com/winnti/.](https://www.clearskysec.com/winnti/) 43 BlackBerry. (2020). BlackBerry. “Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and [Android.” Accessed on April 11, 2022, at https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/](https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf) [direct/report-bb-decade-of-the-rats.pdf.](https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf) 44 Microsoft Defender Security Research Team. (Jan. 25, 2017). Microsoft Security. “Detecting threat actors in recent German [industrial attacks with Windows Defender ATP.” Accessed on April 11, 2022, at https://www.microsoft.com/security/](https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/) [blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/.](https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/) 45 Daniel Lunghi and Jaromir Horejsi. (April 27, 2022). Trend Micro Research, News, and Perspectives. “New APT Group Earth [Berberoka Targets Gambling Websites With Old and New Malware.” Accessed on May 6, 2022, at https://www.trendmicro.](https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html) [com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html.](https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html) ----- -----