Asian online casinos targeted by the DiceyF threat group

October 25, 2022

Researchers have observed a previously unidentified set of APT activities operated by the DiceyF threat group. The recently discovered cybercriminal operation has targeted online casino development in Southeast Asia for years.

Researchers monitoring the APT group have seen it constantly customising its codebase and developing new features in the code throughout its infiltration of online casinos.

According to reports, the threat actors used PlugX installers signed with a previously stolen digital certificate. The attackers had obtained these certificates from a secure messaging client development studio.

The APT group’s operators distributed their malware through an employee monitoring system and a security package deployment service. The group then leveraged the GamePlayerFramework malware, which contains plugins, downloaders, and launchers.


The DiceyF threat group has equipped the GamePlayerFramework malware with two branches.


The malware used by the DiceyF threat group is a complete C# rewrite of the C++ PuppetLoader and contains two new branches, Yuna and Tifa.

These branches hold the new modules used in the group’s subsequent attacks. The GamePlayerFramework uses a range of plugins, such as Clipboard and Virtual Desktop, and the attackers keep all of the framework’s plugins fileless.

These plugins allow the DiceyF operators to observe the victim’s system by giving remote access and snatching keystrokes and clipboard information.

The attackers also gather information about the targeted entities so that their implants appear to be authentic plugins and remain hidden. Additionally, the adversaries chose file paths, service names, and digital signing certificates that helped them avoid being traced by security analysts.

Researchers have also observed several overlaps between this new threat group and earlier operations such as GamblingPuppet and Operation Earth Berberoka. Some researchers also found that the DiceyF APT gang’s activities resemble a supply chain incident involving LuckyStar PlugX.

The DiceyF threat group was able to execute cyber espionage campaigns with a minimum of stealth features via the GamePlayerFramework malware. The group has since added more encryption capabilities, which improved its evasion and hid its tracks to hinder monitoring efforts by analysts.

Experts expect this group to expand its collection of plugins and add more defence mechanisms to its framework. Organisations and researchers should therefore be wary of this malicious entity.
