Suspected Chinese hackers return with unusual attacks on domestic gambling companies
It’s rare for Chinese hackers to turn their gaze inward on domestic companies. But a well-known group appears to have been targeting online gambling firms in China with new malware.
The malware, which Trend Micro dubbed BIOPASS RAT, goes after Chinese gambling companies with a watering hole attack, in which hackers try to infect websites commonly used by their targets.
“Notably, a large number of features were implemented to target and steal the private data of popular web browsers and instant messengers that are primarily used in Mainland China,” Trend Micro said in a report on Friday.
Digital clues that Trend Micro identified point to the Chinese hacking outfit the Winnti Group as a culprit. Its activity overlaps with that of the Chinese government hackers known as APT41, such that it’s sometimes mentioned as a second name for the group. That’s a joint cybercrime and espionage organization of hackers whose goals usually align with those of the Chinese government.
It’s not unusual for Winnti to go after the gambling industry in Asia, although it’s better known for targeting the video game industry. What is unusual is that this time, the Asian gambling targets are within China’s borders. (The Chinese government has frequently been accused of turning its hacking powers onto minority Uyghurs.)
“Quite interesting for an APT41 (Winnti)-linked group to target domestic users of gambling sites,” German researcher Timo Steffens observed on Twitter. “Online gambling is prohibited in mainland China, enforced by the Ministry of Public Security (MPS). Last year, thousands of gamblers were arrested.”
The new Winnti activity aroused particular interest in Germany, following a joint 2019 investigation from German news outlets BR and NDR about Winnti’s extensive targeting of German companies — although a U.S. Army cyber account also highlighted the Trend Micro research.
Trend Micro found the attack’s techniques noteworthy as well.
“What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service,” the company wrote.