The Reality of Operation Red Gambler

2018-06-29 Ahnlab The reality of Operation Red Gambler

http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf

Attachments

ASEC20REPORT_vol.91.pdf (3 MB)


AhnLab’s ASEC Report Vol.91 describes Operation Red Gambler, a campaign tracked from October 2016 to August 2017 in which a Korea-focused hacking group referred to as “Group A” distributed malware to steal information from domestic Go-Stop and poker-style web-board game users. The activity shifted from earlier institution- and company-focused operations toward financially motivated attacks against ordinary users, abusing modified utility-software installers, lookalike download links, and later PC-café management environments to deliver malware. The malware bypassed UAC through `mscfile` registry hijacking and `eventvwr.exe`, dropped `taskeng.exe` and `wrmk.dll`, injected into targeted game processes with `SetWindowsHookExA`, captured game-room and screen data through memory-hacking routines, and sent encrypted data to C&C servers for use in gambling fraud. ASEC linked the campaign to prior Korea-focused attacks through shared encryption/decryption code patterns, while naming the actor only as “Group A” rather than directly attributing it to Lazarus or DPRK in this section.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN hopto.org 2018-06-29 2025-05-27
HASH 9a50be3def3681242f35d3c0911e2e70 2018-06-29 2020-03-09
HASH 323a410779f2aef79a5e1e0ee600789d 2018-06-29 2018-06-29
HASH 0bba3d00a4212d24b4c77bb06efcee47 2018-06-29 2018-06-29
HASH c8c14063031059c724c2a4f5ed0898df 2018-06-29 2018-06-29
HASH 40f4305b7c9bf1236b9accbc0dc8fb88 2018-06-29 2018-06-29
HASH 7f007fd794c93267f57cabe464dbdc5a 2018-06-29 2018-06-29
HASH 2573d0ad00f4ba8ee86d7fce7454d963 2018-06-29 2018-06-29
HASH a59dab67bf24d3d5e139b5f5611a6cfe 2018-06-29 2018-06-29
HASH ffe1401330a8fee59bcc058ecac0ed18 2018-06-29 2018-06-29
HASH 768bd6497d7e903d28120b1152feced1 2018-06-29 2018-06-29
HASH de372dba210fad421d92e8298164a22d 2018-06-29 2018-06-29
DOMAIN tory1.com 2018-06-29 2018-06-29
DOMAIN ware.co.kr 2018-06-29 2018-06-29
DOMAIN p.com 2018-06-29 2018-06-29
DOMAIN named.ddns.net 2018-06-29 2018-06-29
DOMAIN pmang.servegame.com 2018-06-29 2018-06-29
DOMAIN tory.com 2018-06-29 2018-06-29
DOMAIN daum.servehttp.com 2018-06-29 2018-06-29
DOMAIN naver.serveblog.net 2018-06-29 2018-06-29
DOMAIN neowiz.servegame.com 2018-06-29 2018-06-29
DOMAIN blogs.pgafan.net 2018-06-29 2018-06-29
DOMAIN mobile.read-books.org 2018-06-29 2018-06-29
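As an added detection example (not code from the AhnLab report or from this page), the script below runs the IoC table above, plus the `mscfile` registry hijack named in the summary, against a few constructed log lines. The log format, host names, file paths and the benign hash d41d8cd98f00b204e9800998ecf8427e (the MD5 of an empty file) are constructed for the example; the hash values and domains are copied verbatim from the table, and the 32-hex-character hashes are treated as MD5 on the basis of their length. The registry path HKCU\Software\Classes\mscfile\shell\open\command is the well-known location used by the eventvwr.exe UAC bypass, not a value this page states.

```python
"""Match constructed log lines against the Red Gambler IoC table and the
mscfile registry hijack named in the summary. Example code added for
illustration; indicator values are copied from the table above."""
import re

# MD5-length hashes from the IoC table.
IOC_MD5 = {
    "9a50be3def3681242f35d3c0911e2e70", "323a410779f2aef79a5e1e0ee600789d",
    "0bba3d00a4212d24b4c77bb06efcee47", "c8c14063031059c724c2a4f5ed0898df",
    "40f4305b7c9bf1236b9accbc0dc8fb88", "7f007fd794c93267f57cabe464dbdc5a",
    "2573d0ad00f4ba8ee86d7fce7454d963", "a59dab67bf24d3d5e139b5f5611a6cfe",
    "ffe1401330a8fee59bcc058ecac0ed18", "768bd6497d7e903d28120b1152feced1",
    "de372dba210fad421d92e8298164a22d",
}

# Domains from the IoC table, verbatim. hopto.org is a dynamic-DNS parent and
# p.com / tory.com are very short, so hits on those need analyst validation.
IOC_DOMAINS = {
    "hopto.org", "tory1.com", "ware.co.kr", "p.com", "named.ddns.net",
    "pmang.servegame.com", "tory.com", "daum.servehttp.com",
    "naver.serveblog.net", "neowiz.servegame.com", "blogs.pgafan.net",
    "mobile.read-books.org",
}

# Key abused by the eventvwr.exe UAC bypass (assumed well-known location
# HKCU\Software\Classes\mscfile\shell\open\command). Matched as a suffix so a
# Sysmon-style HKU\<SID>\... path is covered as well.
MSCFILE_COMMAND_KEY = r"\software\classes\mscfile\shell\open\command"

# key=value pairs; a quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (not real logs): one DNS log, two file-creation
# events, one registry write and one process launch.
SAMPLE_LOG = [
    '2018-06-29T09:58:01Z dns_query client=10.0.0.21 qname=www.example.org',
    '2018-06-29T09:58:04Z dns_query client=10.0.0.21 qname=pmang.servegame.com',
    '2018-06-29T09:58:09Z file_create host=PC-CAFE-07 path="C:\\Windows\\Temp\\taskeng.exe" md5=9a50be3def3681242f35d3c0911e2e70',
    '2018-06-29T09:58:10Z file_create host=PC-CAFE-07 path="C:\\Windows\\Temp\\readme.txt" md5=d41d8cd98f00b204e9800998ecf8427e',
    '2018-06-29T09:58:12Z registry_set host=PC-CAFE-07 key=HKU\\S-1-5-21-111\\Software\\Classes\\mscfile\\shell\\open\\command value="C:\\Users\\Public\\update.exe"',
    '2018-06-29T09:58:13Z process_create host=PC-CAFE-07 image=C:\\Windows\\System32\\eventvwr.exe parent=cmd.exe',
]


def parse_line(line):
    """Turn 'timestamp event k=v k="v with spaces"' into a dict of fields."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(qname):
    """Return the IoC domain hit by an exact or subdomain match, else None.

    The leading dot in the suffix check matters: ftp.com must not match p.com.
    Longest indicator first so the most specific entry is reported."""
    host = qname.lower().rstrip(".")
    for d in sorted(IOC_DOMAINS, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines):
    """Return (line_number, rule, detail) tuples for every indicator hit."""
    alerts = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        if "qname" in f:
            hit = domain_matches(f["qname"])
            if hit:
                alerts.append((n, "ioc_domain", hit))
        if f.get("md5", "").lower() in IOC_MD5:
            alerts.append((n, "ioc_md5", f["md5"].lower()))
        if f.get("key", "").lower().endswith(MSCFILE_COMMAND_KEY):
            alerts.append((n, "mscfile_hijack", f.get("value", "")))
    return alerts


if __name__ == "__main__":
    for line_no, rule, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule} -> {detail}")
```

The eventvwr.exe launch in the last sample line is deliberately not flagged on its own, since Event Viewer runs legitimately; the registry write to the `mscfile` command key is the reliable signal, and correlating it with an eventvwr.exe start on the same host shortly afterwards raises confidence. Hits on the dynamic-DNS parent hopto.org or on the two-letter p.com entry should be reviewed before any blocking action.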
