New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
We dubbed these downloaders PuppetDownloaders because they are connected to the PuppetLoader malware family, based on the following observations:
- This malware and PuppetLoader both use the same string decryption routine that uses the same key.
- This malware and PuppetLoader both use the same XOR key (2726c6aea9970bb95211304705b5f595) that is used to decrypt the embedded Loader.dll file.
- This malware and PuppetLoader’s decrypted Loader.dlls share similar strings such as “[-] UnExist pwszModuleFunName:”. This suggests that a common framework was used to compile both DLLs.
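The shared XOR key above is the kind of artifact an analyst can turn directly into a triage check: apply the candidate key to a suspected blob and see whether a PE header falls out. The script below is an added example, not code from the report or from the PuppetLoader samples. It assumes the 16-byte key is applied as a repeating-key XOR over the embedded Loader.dll (the report names the key but does not describe the keystream layout, so that is an assumption), and the container it scans is constructed here from a minimal fake PE header.

```python
"""Locate and decrypt an XOR-encrypted embedded PE given a candidate key.

Added example, not code from the report. Assumption: the key is applied as a
repeating-key XOR starting at the first byte of the embedded DLL. The sample
container below is constructed for illustration.
"""
import struct
from itertools import cycle

# Key quoted in the report for PuppetDownloader / PuppetLoader (16 bytes).
PUPPET_KEY = bytes.fromhex("2726c6aea9970bb95211304705b5f595")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against the key, restarting the key at data[0]."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and has 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew > 0x1000 or len(blob) < e_lfanew + 4:
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xored_pe(container: bytes, key: bytes):
    """Scan every offset; return (offset, decrypted_payload) or None.

    Decrypting only the first 0x40 bytes per offset keeps the scan cheap;
    the full header is decrypted only when the MZ signature matches.
    """
    for off in range(0, len(container) - 0x40 + 1):
        head = xor_repeating(container[off:off + 0x40], key)
        if head[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        if e_lfanew > 0x1000:
            continue
        candidate = xor_repeating(container[off:off + e_lfanew + 4], key)
        if looks_like_pe(candidate):
            return off, xor_repeating(container[off:], key)
    return None


# Constructed test data (not from a real sample): a minimal PE skeleton with
# e_lfanew = 0x80, XOR-encrypted and placed after 37 bytes of NOP filler.
FAKE_PE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
    + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 16
)
SAMPLE_CONTAINER = b"\x90" * 37 + xor_repeating(FAKE_PE, PUPPET_KEY)

if __name__ == "__main__":
    hit = find_xored_pe(SAMPLE_CONTAINER, PUPPET_KEY)
    if hit:
        off, payload = hit
        print(f"encrypted PE found at offset {off}, {len(payload)} bytes")
    else:
        print("no PE recovered with this key")
```

Because the scan restarts the key at every offset, it also works when the encrypted DLL is embedded at an unknown position in a resource or overlay; a wrong key, or a different keystream layout than assumed, simply yields no hit rather than a false positive.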
MFC socket downloaders
We also saw WinRAR self-extracting (SFX) files dropping downloaders written with the Microsoft Foundation Class Library (MFC) framework. These MFC socket downloaders share an identical structure: one function creates a socket, connects to a domain or IP address, sends a short string, and then calls recv twice.
Execution is then transferred to the downloaded content by calling EnumDesktopsA or EnumWindows with a pointer to that content as the callback function, so the payload runs without a direct call or jump to the buffer.
The downloaders connect to ports 8080, 29527, and 8885, and send the strings “feiji”, “@5436”, and “fhfgj@jfggdsg” over the socket. We found multiple samples of the same malware family with the same structure and the same strings; however, it is possible that multiple groups are covertly sharing the source code for this malware.
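The fixed ports and probe strings described above translate into a simple network detection. The script below is an added example, not code from the report or from any detection product; the flow records it inspects are constructed for illustration, while the port list and probe strings are taken from the report. Matching on the probe string is treated as the strong signal, since port 8080 alone is used by plenty of legitimate software.

```python
"""Flag TCP flows that match the MFC socket downloader handshake.

Added example, not code from the report. Flow records are constructed;
ports and probe strings come from the report's description.
"""
from dataclasses import dataclass

DOWNLOADER_PORTS = {8080, 29527, 8885}
DOWNLOADER_PROBES = {b"feiji", b"@5436", b"fhfgj@jfggdsg"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes the client sent after the TCP handshake


def classify_flow(flow: Flow) -> str:
    """Return 'match', 'port-only', or 'clean'.

    'match'     : first client payload is one of the known probe strings
                  (optionally NUL-padded; the padding tolerance is an
                  assumption, the report only says "a short string").
    'port-only' : destination port is in the list but the payload differs;
                  worth a look, but not on its own evidence of this family.
    """
    probe = flow.first_payload.rstrip(b"\x00")
    if probe in DOWNLOADER_PROBES:
        return "match"
    if flow.dport in DOWNLOADER_PORTS:
        return "port-only"
    return "clean"


def scan(flows):
    """Map (src, dst, dport) -> verdict for a batch of flows."""
    return {(f.src, f.dst, f.dport): classify_flow(f) for f in flows}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 29527, b"feiji"),
    Flow("10.0.0.6", "203.0.113.11", 8885, b"fhfgj@jfggdsg\x00\x00"),
    Flow("10.0.0.7", "198.51.100.20", 8080, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.8", "198.51.100.21", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for key, verdict in scan(SAMPLE_FLOWS).items():
        print(key, verdict)
```

In a real deployment the same logic belongs in an IDS signature keyed on the first client-to-server packet; the point of the split verdict is that the probe strings are specific to this family while the ports are not, so alerting on ports alone will drown the analyst in web-proxy noise.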
PlugX
PlugX is a remote access tool (RAT) that has been used for espionage for more than a decade. Based on the samples we obtained and analyzed, Earth Berberoka uses both 32-bit and 64-bit builds of PlugX.
This malware family has been upgraded to include a DWORD (a 32-bit unsigned integer) in the HELLO packet that a compromised system sends to the C&C server. The value of this DWORD reads like a date in yyyymmdd format.
We found the following DWORDs across the samples we analyzed, which suggests that these versions were developed within the last two years: 20190520, 20201106, and 20210804.
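A HELLO-packet field that decodes as a yyyymmdd date is a useful pivot: it lets an analyst cluster samples by build date and spot new builds in captured traffic. The script below is an added example, not code from the report or from PlugX. The three DWORD values come from the report; the byte order (little-endian, the natural encoding for a Win32 DWORD written to a buffer) and the field's offset within the packet are assumptions, so the decoder takes the offset as a parameter and falls back to big-endian. The sample packets are constructed here.

```python
"""Decode the PlugX HELLO-packet DWORD as a yyyymmdd build date.

Added example, not code from the report. Assumptions: little-endian DWORD
(big-endian tried as a fallback) at a caller-supplied offset, default 0.
"""
import struct
from datetime import date


def dword_to_date(value: int):
    """Return a date if the 32-bit value is a plausible yyyymmdd, else None.

    The range check rejects random DWORDs quickly; date() then rejects
    values such as 20191301 that pass the range check but are not dates.
    """
    if not 19000101 <= value <= 20991231:
        return None
    year, rest = divmod(value, 10000)
    month, day = divmod(rest, 100)
    try:
        return date(year, month, day)
    except ValueError:
        return None


def decode_hello(packet: bytes, offset: int = 0):
    """Return (date, byte_order) for the DWORD at offset, or None.

    Little-endian is tried first; big-endian is a fallback so that a
    sample using the other order is still recognised rather than dropped.
    """
    if len(packet) < offset + 4:
        return None
    for fmt, order in (("<I", "little"), (">I", "big")):
        value = struct.unpack_from(fmt, packet, offset)[0]
        decoded = dword_to_date(value)
        if decoded is not None:
            return decoded, order
    return None


def cluster_by_build(packets):
    """Group packets by decoded build date; unparseable ones land under None."""
    clusters = {}
    for pkt in packets:
        hit = decode_hello(pkt)
        key = hit[0].isoformat() if hit else None
        clusters.setdefault(key, []).append(pkt)
    return clusters


# Values quoted in the report; packet bodies are constructed (12 bytes of
# filler after the DWORD stand in for the rest of the HELLO packet).
REPORTED_DWORDS = [20190520, 20201106, 20210804]
SAMPLE_PACKETS = [struct.pack("<I", v) + b"\x00" * 12 for v in REPORTED_DWORDS]
NOISE_PACKET = b"AAAA" + b"\x00" * 12  # constructed non-matching packet

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS + [NOISE_PACKET]:
        print(pkt[:4].hex(), decode_hello(pkt))
```

The fallback order matters for triage rather than detection: once the real field layout of a given build is confirmed from a sample, the detector should pin the byte order and offset, because accepting both orders roughly doubles the chance that unrelated traffic happens to decode as a valid date.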
All of the samples we found are loaded in the same way: a legitimate, signed executable that is vulnerable to DLL side-loading is placed alongside a malicious DLL carrying the name the executable expects to import; that DLL decrypts and loads a third file containing the final payload.
One of these malicious DLL files has the PDB path C:\Users\Administrator\Desktop\Plug7.0(Logger)\logexts\x64\Release\logexts.pdb.
Gh0st RAT
We also saw at least three different variants of Gh0st RAT, another malware family that has been in the wild for more than 10 years, being used in Earth Berberoka’s campaign. This malware family’s source code is public, which is why it has many variants.
One of the variants we analyzed had an interesting destructive feature: It replaces the master boot record (MBR) to display an explicit message (“I am virus ! F*ck you :-)”). This particular message was also seen in a public report from a victim of this Gh0st RAT variant. A 2017 Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) report also discussed how Gh0st RAT variants wiped the MBR and replaced it with messages that varied across different samples.
Other Known Malware Families
We also found the following tools and malware families being used by Earth Berberoka in its campaign:
- Quasar RAT – a Windows-based open-source RAT that has been used by APT groups for network exploitation
- AsyncRAT – an open-source RAT that can be used to remotely monitor and control devices via an encrypted connection
- Trochilus – a stealthy RAT that can evade sandbox analysis and can be used in cyberespionage campaigns
Security recommendations
Our analysis indicates that Earth Berberoka has multiple tools and a large infrastructure at its disposal for targeting the gambling market. To avoid falling victim to Earth Berberoka’s attacks, users and operators of gambling websites can adopt the following security recommendations:
- Properly vet emails, websites, and apps before clicking on links or downloading apps.
- Download apps only from trusted sources.
- Watch out for malicious website flags, such as errors in grammar and spelling.
- Block threats that arrive via email, such as malicious links, through hosted email security and antispam protection.
- Use a multilayered security solution that helps with detecting, scanning, and blocking malicious URLs.
The full technical details of our investigation can be found in our research paper, which we will publish soon. We list the indicators of compromise (IOCs) for Windows, Linux, and macOS in separate text files.