Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

November 16, 2023 at 09:00AM

A hacking group known as DarkCasino, initially discovered in 2021, has now been categorized as an advanced persistent threat (APT). They have exploited a recently disclosed security flaw in WinRAR software as a zero-day. DarkCasino’s attacks are frequent and they demonstrate a strong desire to steal online property. Multiple threat actors have also exploited the same vulnerability.

Key Takeaways from Meeting Notes:

1. A hacking group called DarkCasino has been categorized as an Advanced Persistent Threat (APT) and is considered an economically motivated actor.
2. DarkCasino is skilled at integrating various popular APT attack technologies into its attacks and frequently launches attacks with a strong desire to steal online property.
3. DarkCasino has recently exploited a security flaw in the WinRAR software (CVE-2023-38831) as a zero-day and has been linked to the delivery of a Visual Basic trojan named DarkMe.
4. The malware used by DarkCasino is capable of collecting host information, taking screenshots, manipulating files and Windows Registry, executing arbitrary commands, and self-updating on compromised hosts.
5. DarkCasino was previously classified as a phishing campaign orchestrated by the EvilNum group but is now considered a distinct threat actor without any known connections to other threat actors.
6. The exact origin of DarkCasino is currently unknown, but it has expanded its attacks globally and targets users of cryptocurrencies.
7. Multiple threat actors, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm, have also exploited the CVE-2023-38831 vulnerability in recent months.
8. The WinRAR vulnerability brought by DarkCasino has created uncertainties in the APT attack landscape in the second half of 2023, with many groups taking advantage of the vulnerability to target critical entities such as governments.

Please note that the information provided is based on the meeting notes and the analysis from cybersecurity company NSFOCUS.

Full Article