Chinese-linked hacking group using Windows backdoors to go after gambling industry targets

The group has links with Winnti or APT27.
The group is going after the gambling and betting industries in Southeast Asia. (Pixabay)

A nation-state actor that has links with Chinese hackers is exploiting two new backdoors to run a cyber-espionage campaign against gambling entities in Southeast Asia, according to Trend Micro research.

The new activity, which is also reportedly occurring in Europe and the Middle East, was first unearthed last year when cybersecurity consultancy Talent-Jump Technologies found a Microsoft Windows backdoor and contacted Trend Micro while conducting incident response for a company based in the Philippines.

Upon further investigation, it wasn’t immediately clear if the group itself, which Trend Micro has dubbed “DRBControl,” is a newcomer, according to Trend Micro researchers Daniel Lunghi, Cedric Pernet, Kenney Lu, and Jamz Yaneza.

Based on DRBControl’s techniques and malware, there are some connections with Chinese-linked APT27. That threat group is known for its targeting in the aerospace, government, defense, technology, and energy industries.


DRBControl may also be tied to Winnti group, according to Trend Micro’s analysis. Winnti is known for its efforts aimed at the gambling industry.

According to Trend Micro, the group is primarily trying to steal source code and data from gambling and betting companies.

“The exfiltrated data was mostly comprised of databases and source codes, which leads us to believe that the campaign is used for cyberespionage or gaining competitive intelligence,” researchers write.

Spearphishing and backdoors

To kickoff their campaign, the hackers used “straightforward and efficient” spearphishing emails last May to trick victims to click on malicious Microsoft Word documents. In one case, DRBControl appears to have targeted one company’s customer support team with emails suggesting the team had made an error that needed to be corrected.


When the Word files are clicked they embed either an executable file or a .bat file that assist in delivering malware. Another version Trend Micro identified uses PowerShell, an administration tool, to download the malware.

The two newly identified backdoors, both written in C++, are capable of screenshot capture; reading, writing, moving, copying, renaming, or deleting files; browsing directories; deleting registry keys; and executing commands.

One of the backdoors uses the file hosting service Dropbox as a command-and-control channel. The hackers have also been using Dropbox repositories to store backdoors, commands, post-exploitation tools, stolen files from targets, and targets’ workstation information, according to the report.

DRBControl has also been reliant on some known malware families including Cobalt Strike, PlugX, and the HyperBro backdoor.  The group has taken advantage of some post-exploitation tools, too, such as a clipboard stealer, a network traffic tunnel, a public IP address retriever, a brute-force tool, and password dumpers. Trend Micro also found DRBControl to use many simple code loaders, likely used to bypass security solutions.

Links to known Chinese hacking groups


Although the hacking group’s backdoors may be new, some of the techniques and malware the hackers are using align with already known Chinese-linked cyber-espionage groups.

DRBControl’s use of the HyperBro backdoor, for instance, may reveal that the group is linked with APT27. HyperBro “appears to be exclusive to” that group, according to Trend Micro.

The APT27 connection, for its part, is “very loose,” however, the researchers note.

The Winnti connection has three different overlaps. Two samples linked with DRBControl domain names are linked with ones previously used by Winnti. In other cases, commands issued on DRBControl-compromised machines have links with Winnti.

These overlaps could offer clues as to the DRBControl’s broader operations — Winnti is suspected to be a group of attackers that share tools and infrastructure.


“Over the years, Winnti-related activities have suggested that there are likely more than one group of attackers behind the Winnti umbrella,” the researchers note.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts