Cybersecurity researchers have uncovered a new campaign that targets Southeast Asian gambling operators using chatbots and customer support agents. Dubbed “ChattyGoblin,” the campaign is allegedly backed by Chinese threat groups and primarily relies on the LiveHelp and Comm100 apps, which were first observed and documented by CrowdStrike.
ESET, the cybersecurity firm that discovered the campaign, revealed that ChattyGoblin uses a sneaky new tactic to infiltrate the systems of gambling companies in the Philippines and Southeast Asia. The attackers use a C# chatbot to engage with customer service agents and extract sensitive information from them, such as login credentials and financial data.
In one particular ChattyGoblin attack, which took place in March of this year, the initial dropper deployed by the attackers was named “agentupdate_plugins.exe” and was downloaded by the LiveHelp100 chat application. The dropper then deployed a second C# executable based on the SharpUnhooker tool, which downloaded the ChattyGoblin attack’s second stage, stored in a password-protected ZIP archive.
The final payload of the attack is a Cobalt Strike beacon that uses the duckducklive[.]top domain as its command and control (C&C) server. Once the attackers establish a foothold in the target network, they can launch further attacks and exfiltrate sensitive data.
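As an added example (not ESET's code and not part of the original article), the two indicators named above, the dropper file name and the C&C domain, can be matched against endpoint and DNS logs and correlated per host. The JSON-lines event schema, the host names, the `chatclient.exe` parent name and the `cdn` subdomain are constructed for illustration.

```python
import json

# Indicators from the article; every other value below is constructed.
DROPPER_NAME = "agentupdate_plugins.exe"
C2_DOMAIN = "duckducklive.top"  # the article writes it defanged: duckducklive[.]top

# Constructed sample log (hypothetical JSON-lines schema and host names).
SAMPLE_EVENTS = r"""
{"host": "cs-agent-07", "type": "process", "image": "C:\\Users\\agent\\AppData\\Local\\Temp\\AgentUpdate_Plugins.exe", "parent": "chatclient.exe"}
{"host": "cs-agent-07", "type": "dns", "query": "cdn.duckducklive.top."}
{"host": "cs-agent-12", "type": "dns", "query": "notduckducklive.top"}
{"host": "cs-agent-12", "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe"}
{"host": "cs-agent-03", "type": "dns", "query": "DuckDuckLive.TOP"}
not-json garbage line
"""

def refang(value):
    """Normalise a defanged, mixed-case or dot-terminated domain name."""
    return value.replace("[.]", ".").strip().rstrip(".").lower()

def is_c2_query(query):
    """Match the C&C domain or any subdomain, but not look-alike suffixes."""
    q = refang(query)
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)

def is_dropper(image_path):
    """Compare only the file name; Windows file names are case-insensitive."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == DROPPER_NAME

def triage(log_text):
    """Return {host: sorted findings}; a host with both findings ranks highest."""
    hits = {}
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(ev, dict):
            continue
        host = ev.get("host", "unknown")
        if ev.get("type") == "process" and is_dropper(ev.get("image", "")):
            hits.setdefault(host, set()).add("dropper")
        elif ev.get("type") == "dns" and is_c2_query(ev.get("query", "")):
            hits.setdefault(host, set()).add("c2_dns")
    return {h: sorted(f) for h, f in hits.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A file name match alone is a weak signal because names are trivially changed; the value is in the per-host correlation with the DNS lookup.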
According to ESET, the ChattyGoblin campaign is still ongoing, and more attacks are expected in the coming months. Given the reliance of many Southeast Asian gambling operators on customer service agents and chatbots, the campaign is likely to be a significant threat.
While many companies invest heavily in securing their networks and endpoints from external attacks, this campaign highlights the importance of securing internal systems and training employees on how to identify and respond to social engineering attacks.
With cybercrime on the rise globally, businesses must take a proactive approach to cybersecurity, such as using multi-factor authentication, regularly backing up data, and implementing encryption. Additionally, companies must stay up to date on emerging threats and vulnerabilities to better prepare and protect themselves from new and evolving attack techniques.
The discovery of the ChattyGoblin campaign serves as a reminder that cybersecurity threats are always evolving, and cybercriminals are continuously finding new ways to infiltrate networks and extract sensitive data. By staying vigilant and implementing best security practices, businesses can reduce their risk of falling victim to these types of attacks.