DiceyF: Rolling and Ruling with GamePlayerFramework Malware
Kaspersky researchers have uncovered a set of APT activities by a group named DiceyF, which has been targeting online casino development and operations in Southeast Asia for the past few years.

What has been found?

The DiceyF APT group has been observed modifying its codebase over time, adding functionality throughout its intrusions.
  • The attackers used PlugX installers signed with a digital certificate, potentially stolen, belonging to a secure messaging client development studio.
  • The malware was distributed through an employee monitoring system and a security package deployment service.
  • The group deployed GamePlayerFramework malware, which includes downloaders, launchers, and a set of plugins.

More about GamePlayerFramework

GamePlayerFramework, a complete C# rewrite of the PuppetLoader C++/assembly malware, consists of two branches, named Tifa and Yuna.
  • Both branches are named after characters from the Final Fantasy game series, and each branch maintains its own modules, which are incrementally modified over time.
  • GamePlayerFramework uses plugins such as General Purpose Plugin, Clipboard, and Virtual Desktop. All plugins of the framework are stored filelessly.
  • These plugins enable the threat actors to monitor the victim’s system by providing remote access and stealing keystrokes and clipboard data.

Efforts to stay hidden

  • To make their disguised implants look legitimate, the attackers gathered information about the targeted organizations and included it in graphical windows displayed to victims.
  • Furthermore, they used service names, file paths, stolen digital signing certificates, and other artifacts from NVIDIA, Mango, and other legitimate software to hide their traces.

Overlap with other groups

  • This set of activities and resources overlaps with Operation Earth Berberoka (also tracked as GamblingPuppet) and Operation DRBControl.
  • Researchers also found that DiceyF APT group activities overlap with the LuckyStar PlugX supply chain incident.

Conclusion

DiceyF operators were able to conduct cyber espionage with some degree of stealth using GamePlayerFramework. Over the course of several months, DiceyF developers added more effective encryption capabilities to better hide their logging and monitoring activities. In the future, the group may increase the number of plugins and add more unusual defense evasion methods to this framework.

Publisher: Cyware