Earth Berberoka: An Analysis of a Multivector and Multiplatform APT Campaign Targeting Online Gambling Sites
Despite being illegal in some countries, global online gambling industry grows steadily year after year, flourishing during the global pandemic. This trend was not surprisingly noticed by advanced threat actors as we observed and analyzed campaigns targeting online gambling platforms.
In this research, we will focus on a multiplatform (Windows, Linux, and Mac) campaign involving known espionage tools as well as new malware families. Operated by individuals with knowledge of Chinese language, the victims of this campaign are mostly, but not limited to, online gambling customers in Southeast Asia.
We noticed some interesting infection vectors, such as exploitation of persistent cross-site scripting vulnerabilities in legitimate websites resulting in redirection to fake installers of popular applications, or a backdoored custom chat application, suggesting a very targeted campaign.
The delivered malware families are well known espionage tools such as PlugX and Gh0stRAT, or lesser known XNote and HelloBot. Some of these Linux malwares were previously reported for their cybercrime usage, but never for espionage purposes. We also found some previously unreported malware families dubbed oRAT and PuppetLoader, one of which uses images for payload storage. After carefully analyzing their unique features, we will highlight one interesting case where a flawed cipher implementation led us to the discovery of an additional malware likely implemented by the same threat actor.
As a conclusion, we will discuss the infrastructure and multiple links we found with known advanced threat actors and older investigations.
Jaromir Horejsi
Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.