Home > List all groups > Operation DRBControl

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Operation DRBControl

NamesOperation DRBControl (Trend Micro)
CountryChina China
MotivationInformation theft and espionage
First seen2019
Description(Trend Micro) In the summer of 2019, Talent-Jump Technologies, Inc. contacted Trend Micro regarding a backdoor that they discovered after performing an incident response operation on a company based in the Philippines. Trend Micro provided further intelligence and context on this particular backdoor. An in-depth analysis revealed that the backdoor was being used by an advanced persistent threat (APT) actor that we dubbed “DRBControl,” as we could not find anything related to the group in our databases or public malware repositories.

Our analysis also found that the threat actor uses a number of additional backdoors and post-exploitation tools, as well as some spear-phishing documents that could have been used during the initial phase of a related campaign. One of the backdoors was of particular interest, as it used the file hosting service Dropbox as a command-and-control (C&C) channel. We shared our analysis with Dropbox, which has since been working with Trend Micro regarding the issues.

We observed that the threat actor behind this campaign had very specific targets, as it only goes after gambling and betting companies in Southeast Asia. We have been made aware that Europe and the Middle East regions are also being targeted, but we could not confirm this information at the time of writing. The exfiltrated data was mostly comprised of databases and source codes, which leads us to believe that the campaign is used for cyberespionage or gaining competitive intelligence. Some of the backdoors were unknown to us, which could suggest that it is a previously unreported group. However, we also managed to link it to some known threat actors.

Could be related to APT 41 and/or Emissary Panda, APT 27, LuckyMouse, Bronze Union.
ObservedSectors: Gambling and betting.
Countries: Philippines and Southeast Asia.
Tools usedCobalt Strike, CLAMBLING, Dropbox, EarthWorm, HyperBro, MFC Keyloggers, Mimikatz, nbtscan, NetPwdDump, NetUseEngine, PlugX, pwdump, Trochilus RAT, Winnti.

Last change to this card: 15 April 2020

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key