36 | Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations