A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT).
Cybersecurity company NSFOCUS has described DarkCasino as an “economically motivated” actor that first came to light in 2021.
“DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process,” the company said in an analysis.
“Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online assets.”
DarkCasino was most recently linked to the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads.
In August 2023, Group-IB disclosed real-world attacks weaponizing the vulnerability and aimed at online trading forums since at least April 2023 to deliver a final payload named DarkMe, which is a Visual Basic trojan attributed to DarkCasino.
The malware is equipped to gather host information, take screenshots, manipulate files and the Windows Registry, execute arbitrary commands, and self-update on the compromised host.
While DarkCasino was previously classified as a phishing campaign orchestrated by the EvilNum group targeting European and Asian online gambling, cryptocurrency, and credit platforms, NSFOCUS said its continuous monitoring of the adversary’s activities has allowed it to rule out any potential connections with known threat actors.
The exact provenance of the threat actor is currently unknown.
“In the early days, DarkCasino mainly operated in countries around the Mediterranean and other Asian countries using online financial services,” it said.
“More recently, with the change of phishing methods, its attacks have reached users of cryptocurrencies worldwide, even including non-English-speaking Asian countries such as South Korea and Vietnam.”
Several threat actors have joined the CVE-2023-38831 exploitation bandwagon in recent months, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.
Ghostwriter’s attack chains leveraging the flaw have been observed to pave the way for PicassoLoader, an intermediate malware that acts as a loader for other payloads.
“The WinRAR vulnerability CVE-2023-38831 brought by the APT group DarkCasino brings uncertainties to the APT attack situation in the second half of 2023,” NSFOCUS said.
“Many APT groups have taken advantage of the window period of this vulnerability to attack critical targets such as governments, hoping to bypass the security system of the targets and achieve their purposes.”