Global Security

Chinese nation-state hackers APT41 have hijacked the gambling sector for financial gain

By Admin, October 21, 2024

A prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling industry.

“For at least six months, the attackers secretly collected valuable information from the target company, including but not limited to network configurations, user passwords and LSASS process secrets,” said Ido Naor, co-founder and CEO of the Israeli cyber security company Security Joes, in a statement provided to The Hacker News.

“During the intrusion, the attackers continuously updated their toolset based on the security team’s response. As defenders watched, they changed their strategies and tools to evade detection and maintain constant access to the compromised network.”

The multi-stage attack, which targeted one customer and lasted nearly nine months this year, overlaps with a set of intrusions tracked by cybersecurity vendor Sophos under the name Operation Crimson Palace.


Naor said the company responded to the incident four months ago, adding that “these attacks depend on government-sponsored decision-makers. This time, we suspect with high confidence that APT41 was after financial gain.”

The campaign was designed with stealth in mind. It used a variety of tactics and a custom toolkit that not only bypasses the security software installed in the environment, but also collects sensitive information and establishes covert channels for persistent remote access.

Security Joes described APT41 as “highly skilled and methodical,” citing its ability to carry out espionage attacks as well as supply chain poisoning, leading to intellectual property theft and financially motivated intrusions such as ransomware and cryptocurrency mining.

The exact initial access vector used in the attack is currently unknown, but the evidence leans towards phishing emails, given the absence of actively exploited vulnerabilities in web-facing applications and of any supply chain compromise.

“Once inside the target infrastructure, the attackers launched a DCSync attack to collect password hashes of service and administrator accounts to expand their access,” the company said in a report. “With these credentials, they established persistence and maintained control over the network, focusing specifically on administrator and developer accounts.”

The attackers are said to have methodically conducted reconnaissance and post-exploitation activities, often customizing their toolset in response to the steps taken to counter the threat, and escalating their privileges with the ultimate goal of downloading and executing additional payloads.

Some of the techniques used to achieve these goals include Phantom DLL Hijacking and use of the legitimate wmic.exe utility, in addition to abusing their access to service accounts with administrative rights to carry out the execution.


The next stage is a malicious DLL file called TSVIPSrv.dll that is retrieved over the SMB protocol, after which the payload establishes contact with a hard-coded Command and Control (C2) server.

“When the hard-coded C2 fails, the implant attempts to update its C2 information by scanning GitHub users using the following URL: github(.)com/search?o=desc&q=pointers&s=joined&type=Users&.”

“The malware parses HTML received from a GitHub request, looking for sequences of capitalized words separated only by spaces. It collects eight of those words, then extracts only the capital letters between A and P. This process creates an 8-character string that encodes the IP address of the new C2 server that will be used in the attack.”
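To help an analyst reproduce the dead-drop resolution described above from captured page content, here is an added example (not code from the report or from the malware). The HTML is constructed, and the mapping of the eight letters A..P to hex nibbles of an IPv4 address is an assumption that the page does not spell out.

```python
import re
from ipaddress import IPv4Address

# Constructed stand-in for a GitHub user-search result page: display names in
# the markup, some of them runs of capitalized words. Not real data.
SAMPLE_HTML = """
<div class="user"><span>Alpha Bravo</span><p>some bio text</p></div>
<div class="user"><span>Charlie Delta Echo Foxtrot</span></div>
<div class="user"><span>lowercase name</span></div>
<div class="user"><span>Zulu Yankee Golf Hotel</span></div>
"""

TAG_RE = re.compile(r"<[^>]+>")
# A run of two or more capitalized words separated only by single spaces.
CAP_SEQ_RE = re.compile(r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)+\b")


def collect_letters(html: str, needed: int = 8) -> str:
    """Walk capitalized-word runs in document order and keep the initial
    letter of each word when it falls in A..P, until `needed` letters are
    found. Returns fewer letters if the page does not contain enough."""
    text = TAG_RE.sub(" ", html)
    letters = []
    for run in CAP_SEQ_RE.findall(text):
        for word in run.split(" "):
            if "A" <= word[0] <= "P":
                letters.append(word[0])
                if len(letters) == needed:
                    return "".join(letters)
    return "".join(letters)


def letters_to_ipv4(letters: str) -> str:
    """Assumption (not stated on the page): each letter A..P is one hex
    nibble 0..15, so eight letters form a 32-bit IPv4 address."""
    if len(letters) != 8 or any(not "A" <= c <= "P" for c in letters):
        raise ValueError("need exactly eight letters in A..P")
    value = 0
    for ch in letters:
        value = (value << 4) | (ord(ch) - ord("A"))
    return str(IPv4Address(value))


def recover_c2(html: str) -> str:
    """Decode the fallback C2 address hidden in a saved search page."""
    return letters_to_ipv4(collect_letters(html))
```

Running the decoder over saved copies of the search page lets a responder extract the fallback address as an indicator to block and hunt for in proxy logs.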

The initial contact with the C2 server paves the way for the infected system to be profiled and more malware to be launched over the socket connection.

Security Joes said the threat actors kept quiet for several weeks after their activity was discovered, but eventually returned with an updated approach: executing highly obfuscated JavaScript code embedded in a modified version of an XSL file (“texttable.xsl”) using the LOLBIN wmic.exe.


“Once the WMIC.exe MEMORYCHIP GET command is run, it indirectly loads the texttable.xsl file to format the output, forcing the execution of malicious JavaScript code injected by the attacker,” the researchers explained.
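Because wmic.exe renders its output through the stylesheets in the WBEM directory, a defender can check those XSL files for script content that a plain formatting stylesheet never needs. The following is an added example (not from the report): both XSL samples are constructed, and the indicator set is an assumption based on how MSXML executes script in a stylesheet.

```python
import re

# Constructed samples, not the real texttable.xsl shipped with Windows.
BENIGN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:output method="text"/>
  <xsl:template match="/"><xsl:value-of select="//PROPERTY"/></xsl:template>
</xsl:stylesheet>
"""

TAMPERED_XSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
  <xsl:output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
    <![CDATA[ function run() { return "injected"; } ]]>
  </ms:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>
"""

# Markers that a pure formatting stylesheet has no reason to contain but that
# are required for MSXML to run script during the transform (assumed set).
INDICATORS = {
    "script element": re.compile(r"<\s*(?:\w+:)?script\b", re.I),
    "msxsl extension": re.compile(r"implements-prefix\s*=", re.I),
    "script language": re.compile(r"language\s*=\s*[\"'](?:JScript|JavaScript|VBScript)", re.I),
    "COM instantiation": re.compile(r"ActiveXObject|CreateObject|GetObject", re.I),
}


def scan_xsl(text: str) -> list:
    """Return the sorted names of indicators present in a stylesheet."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(text: str) -> bool:
    """True when the stylesheet contains any script-execution indicator."""
    return bool(scan_xsl(text))
```

Pair this content check with a file-hash baseline of the WBEM directory so that a rewritten texttable.xsl is caught even if the script is obfuscated beyond these markers.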

The JavaScript, in turn, serves as a loader that uses the time.qnapntp(.)com domain as a C2 server to retrieve the next payload, which fingerprints the machine and sends the information back to the server, subject to filtering criteria that likely serve to target only the machines of interest to the threat actor.

“What really stands out about the code is the deliberate targeting of machines with IP addresses containing the substring ‘10.20.22,’” the researchers said.

“This highlights which specific devices are valuable to an attacker, namely devices on subnets 10.20.22(0-9).(0-255). By correlating this information with network logs and the IP addresses of the devices on which the file was detected, we concluded that the attacker used this filtering mechanism to ensure that only devices on the VPN subnet were affected.”
