Hackers Target Online Casinos With GamePlayerFramework Malware

The advanced persistent threat (APT) group DiceyF has launched numerous attacks across Southeast Asia against casinos and online gambling sites.

The Russian cybersecurity company Kaspersky has stated that the activity overlaps with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing similar tactics and targeting as well as the creation of secure messaging clients.

Researchers Kurt Baumgartner and Georgy Kucherin wrote in a technical paper published this week that "there may be a mix between espionage and IP theft, though their true motives remain a mystery so far."

In November 2021, Kaspersky said that a PlugX loader and other payloads were detected on an employee monitoring service and a security package deployment service.

A company representative said on Friday that the attacker "was able to perform cyber espionage activities with some degree of stealth due to the initial infection method - the distribution of the framework through security solution packages."

"In addition to downloading programs, launchers, and a set of plugins used to gain remote access, the researchers also developed a new collection of keyloggers that can steal clipboard data and keystrokes from the computer."

In the following weeks, the same security package deployment service was also used to deliver what is called the GamePlayerFramework, a C# variant of the C++-based malware known as PuppetLoader.

Based on the signs uncovered so far, DiceyF appears to be a follow-on campaign to Earth Berberoka with a re-engineered malware toolset. The framework is maintained in two separate branches, called Tifa and Yuna, which include different modules of varying sophistication.

While the Tifa branch mainly consists of a downloader and a core component, the Yuna branch is more complex in terms of functionality: in addition to the downloader, it includes a set of plugins and a minimum of 12 PuppetLoader modules. Both branches are believed to be actively and incrementally updated, and both are considered active.

Regardless of the variant employed, once the GamePlayerFramework is launched it connects to the command-and-control (C2) server and transmits information about the compromised host together with the contents of the clipboard; the malware then takes control of the host by executing any of the fifteen commands that the C2 sends.

As part of this process, the C2 server also launches a plugin on the victim system. The plugin can either be downloaded from the C2 server when the framework is instantiated or retrieved later when the server issues the "InstallPlugin" command.

The plugins can steal cookies from the Google Chrome and Mozilla Firefox browsers, capture keystrokes and clipboard data, establish virtual desktop sessions, and remotely log into the machine through Secure Shell.
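One defensive check that follows from the cookie-theft capability described above: the Chrome and Firefox cookie databases sit at well-known paths under the user profile, and only the browser itself should normally open them. The script below is an added illustration written for this post, not Kaspersky's code or anything recovered from the framework; the file-access log lines are constructed samples, the `ts=... image=... target=...` layout is an assumed export format, and the process names in them are invented.

```python
"""
Hunt for non-browser processes opening Chrome/Firefox cookie stores.

Added illustration for this post. The log lines are constructed and the
"key=value" layout is an assumed export format; adapt parse_event() to
whatever your EDR or Sysmon pipeline actually emits.
"""
import re

# Cookie store locations on Windows. Chrome moved its cookie DB under
# Network\ in newer builds, so both the old and new paths are matched.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]

# Process images legitimately expected to open these files.
ALLOWED_IMAGES = {"chrome.exe", "firefox.exe"}

# Constructed sample events (hypothetical process names, not real IoCs).
SAMPLE_EVENTS = [
    r"ts=2022-10-20T08:01:02 image=C:\Program Files\Google\Chrome\Application\chrome.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"ts=2022-10-20T08:03:14 image=C:\ProgramData\Deploy\agent.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"ts=2022-10-20T08:05:44 image=C:\Users\alice\AppData\Roaming\sync.exe target=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite",
    r"ts=2022-10-20T08:06:00 image=C:\Windows\System32\notepad.exe target=C:\Users\alice\Documents\notes.txt",
]

# Non-greedy image capture so paths containing spaces still parse.
EVENT_RE = re.compile(r"ts=(?P<ts>\S+) image=(?P<image>.+?) target=(?P<target>.+)$")


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def is_cookie_store(path):
    """True if the path is a Chrome or Firefox cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def find_cookie_access(lines):
    """Return events where a non-browser process opened a cookie store."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_cookie_store(ev["target"]):
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in ALLOWED_IMAGES:
            continue
        hits.append({"ts": ev["ts"], "image": ev["image"], "target": ev["target"]})
    return hits


if __name__ == "__main__":
    for hit in find_cookie_access(SAMPLE_EVENTS):
        print(f"{hit['ts']} suspicious cookie access: {hit['image']} -> {hit['target']}")
```

On the constructed sample the check flags the two non-browser images and ignores both the browser's own access and the unrelated file open. In production the allow-list needs care: backup agents and some endpoint tools legitimately read these files, so tune it per estate rather than alerting on every hit.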

Kaspersky also pointed out the use of a malicious app that mimicked Mango Employee Account Data Synchronizer, a piece of software for synchronizing employee account data, and of a messenger app used by the targeted entities; the GamePlayerFramework is dropped in the network through this messenger app.

The researchers observed several notable characteristics of the DiceyF campaigns and TTPs. There is evidence that the group has modified its software over time and developed new functionality in the code throughout its intrusions.

To ensure that victims would not become suspicious about the disguised implants, attackers gathered information about targeted organizations (like the floor where the IT department of the organization is located) and included the information in graphic windows that were displayed to victims.