
Winnti Group Suspected for Hacking Chinese Online Gambling Companies by Using New Malware

It is uncommon for Chinese hackers to attack companies that operate on their domestic market, but it seems that a well-known hacking group has gained unauthorized access to online gambling companies’ data in China by using a new type of malware.

The malicious software, which was unofficially named BIOPASS RAT by CyberScoop’s Trend Micro section, is being used against Chinese gambling operators in a so-called watering hole attack, in which hackers guess which websites their targets often use and infect those websites so that the targets eventually get infected, too.

As reported by the media hub’s Trend Micro section, the hackers implemented a large number of features to target and gain unauthorized access to the private data of the web browsers and instant messengers that are most commonly used in Mainland China.

CyberScoop’s Trend Micro further said that some digital clues left by the hackers point to the Winnti Group. Reportedly, the Chinese hacking group’s activity overlaps with that of the Chinese government hackers from APT41, a name that is sometimes used as a second name for the organization. It is known as a joint cybercrime and espionage group of hackers, whose goals usually coincide with those of the Government of Mainland China.

New Malicious Software Techniques Used during the Hacking Attack

According to reports, visitors of the Chinese gambling websites were tricked into downloading a malware loader disguised as a legitimate installer for popular applications, such as Microsoft Silverlight or Adobe Flash Player. However, instead of installing them, the loader loaded either a Cobalt Strike shellcode or an undocumented path written in Python, which could be described as a new type of malware.

CyberScoop’s Trend Micro section analysts also found the techniques used during the hacking attack worthy of attracting both reporters’ and investigators’ attention. The malware, unofficially called BIOPASS RAT, was found particularly interesting because it could access the victim’s screen by abusing the framework of the popular live streaming and video recording application Open Broadcaster Software Studio and then establish live streaming to a cloud service used by the hackers.

It is not unusual for the aforementioned organization to go after the gambling industry in Asia, although Winnti is better known for targeting the video game industry. What experts found most unusual this time was the fact that the Asian gambling targets were within the borders of China.

The country’s Government has often been blamed for turning its specialized hacking powers onto the Uyghurs, a minority Turkic ethnic group that originates from and is culturally linked with the general region of Central and East Asia. In a post published on his Twitter account, the German researcher Timo Steffens said that the fact that an APT41-linked group of hackers has targeted domestic users of gambling websites was quite interesting. He further noted that online gambling is currently illegal in Mainland China, which is why the Ministry of Public Security (MPS) has been tracing and arresting thousands of gamblers who have unlawfully used the services.

The new activity of the Winnti hackers triggered much interest in Germany, especially after a joint investigation regarding the group’s extensive targeting of German operators. The investigation was held in 2019 by the local news outlets NDR and BR.



 Author: Hannah Wallace

Hannah Wallace has been part of our team since the website was launched. She has a master’s degree in IT.