DiceyF: Rolling and Ruling with GamePlayerFramework Malware

What has been found?

• The attackers used PlugX installers signed by a potentially stolen digital certificate from a secure messaging client development studio.
• Their malware distribution was routed via an employee monitoring system and a security package deployment service.
• The group pushed GamePlayerFramework malware, which includes downloaders, launchers, and a set of plugins.

More about GamePlayerFramework

• Both branches are named after the characters of the FinalFantasy game series and these branches maintain new modules, incrementally modified over time.
• GamePlayerFramework uses plugins such as General Purpose Plugin, Clipboard, and Virtual Desktop. All plugins of the framework are stored filelessly.
• These plugins enable threat actors to monitor the victim’s system by providing remote access and stealing keystrokes and clipboard data.

Efforts to stay hidden

• To hide disguised implants, the attackers obtained information about targeted organizations to make it look legitimate and included this information inside graphic windows displayed to victims.
• Furthermore, they used service names, file paths, stolen digital signing certificates, and other artifacts from NVIDIA, Mango, and other legitimate software to hide their traces.

Overlap with other groups

• This set of activities and resources aligns with Operation Earth Berberoka or GamblingPuppet activity and Operation DRBControl.
• Moreover, researchers found that DiceyF APT group activities overlap with LuckyStar PlugX, a supply chain incident as well.

Conclusion