Cybersecurity researchers with Kaspersky’s Global Analysis Team have identified unusual malware specifically targeting online casinos based in Hong Kong and Southeast Asia.

The hackers behind the GameplayerFramework appear to be more interested in surveillance than financial exploitation, according to Kaspersky. (Image: Security Orb)

Known as “the GameplayerFramework,” the malware maintains continuous unauthorized access to a victim organization’s systems, stealing data, but with no apparent financial motive. Kaspersky classified the hackers’ activities as “cyber espionage.”

The hacking group behind the activity, dubbed “DiceyF,” has been around for several years targeting online casinos, according to Kaspersky. But its latest methods are new.

Reconnaissance on Target

In the case analyzed by Kaspersky, DiceyF spoofed a secure messaging app, Mango, which was used for internal messaging by the victim organization. The hackers displayed a graphical interface on the user’s machine – a fake Mango window, which the victim believed was legitimate.

The window referenced the name of the victim organization and even mentioned that its IT department was on the 10th floor, suggesting the group had conducted some form of reconnaissance on the company’s offices.

“Such reconnaissance is not common for targeted malware, and I think it’s really amazing,” said Georgy Kucherin from Kaspersky’s Global Analysis Team. Kucherin was speaking at last week’s Hacktivity 2022 conference in Budapest, Hungary.

His colleague, Kurt Baumgartner, added that the hackers’ focus on the online casino’s source code and databases might indicate an interest in the movement of money and the identities of customers.

“Possibly we have a mix of espionage and [intellectual property] theft. But the true motivations remain a mystery,” the two researchers said in a technical write-up published this week.

Social Order

The group’s interest in money flows and customer names could indicate DiceyF is working with the backing of the in Beijing, which is against cross-border gambling and capital flight.

Most online casinos based in Southeast Asia target players on the Chinese mainland, where gambling is illegal apart from state-controlled lotteries. When the Kaspersky researchers analyzed the GameplayerFramework, they found its creators had used Chinese plugin names.

In July 2019, Chinese state media said the amount gambled illegally through online sites from mainland China was more than one trillion yuan each year ($145 billion), almost twice the annual income of the national lottery. This was “causing great harm to China’s social-economic order,” the report added.

Great Firewall

China maintains a vast program of internet censorship, dubbed the “Great Firewall.” This is designed to restrict access to undesirable foreign information sources, as well as sites that host politically sensitive material, gambling, violence, or pornography.

It was reported in 2013 that the country’s “internet police” task force comprised some 2 million people. They maintain an eternal game of Whac-a-Mole with online gaming operators, who employ hundreds of related “mirror” domains that customers can access once others have been blocked.

It’s logical that China’s Internet Police might be dabbling in a spot of cyberespionage against the casinos, too.