Security researchers have spotted a new Chinese espionage campaign targeting Asian gambling companies, which they suspect is the work of the Bronze Starlight group.
SentinelLabs revealed that the threat actors abuse Adobe Creative Cloud, Microsoft Edge and McAfee VirusScan executables vulnerable to DLL hijacking in order to deploy Cobalt Strike beacons on targeted machines.
They also make use of a stolen code signing certificate taken from Singaporean VPN vendor PMG PTE. This is a common tactic employed by Chinese APT groups, the report noted.
SentinelLabs said the “targeting, used malware and C2 infrastructure specifics” point to Bronze Starlight, a Chinese APT group focused on espionage that often uses ransomware as a distraction.
However, attribution is tricky in these cases, the vendor admitted.
“Despite the indicators observed, accurate clustering remains challenging. The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high confidence clustering difficult based on current visibility,” the report noted.
“Our analysis has led us to historical artifacts that represent points of convergence between Bronze Starlight and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.”
The malware and infrastructure used in this campaign are likely part of the same activity cluster associated with Operation ChattyGoblin, a campaign detected by ESET in which trojanized chat apps were used to target South East Asian gambling companies.
There would seem to be a strategic reason for Chinese actors targeting this sector.
“Thriving after China’s crackdown on its Macao-based gambling industry, the South East Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China,” SentinelLabs explained.