DarkCasino WinRAR Exploit: A New APT Threat Emerges
In a recent cybersecurity revelation, a formidable and highly sophisticated threat actor has surfaced under the name DarkCasino. Initially perceived as a phishing campaign orchestrated by the EvilNum group, recent analysis by the cybersecurity firm NSFOCUS has reclassified DarkCasino as an advanced persistent threat (APT). The reclassification is attributed to DarkCasino’s remarkable technical capabilities and its adept integration of various APT attack techniques. In this blog, we’ll uncover the specifics of the DarkCasino WinRAR exploit, shedding light on all the important details.
DarkCasino: An Overview
NSFOCUS, in its evaluation, describes DarkCasino as an “economically motivated” actor who first gained attention in 2021. With a strong technical foundation and a knack for incorporating popular APT attack technologies into its operations, DarkCasino has evolved into a persistent and sophisticated cyber threat actor.
DarkCasino Malicious Activity
Originally perceived as a phishing campaign, DarkCasino’s continuous activity has led NSFOCUS to rule out any connection with known threat actors. The group’s early operations were concentrated in countries around the Mediterranean and in parts of Asia, primarily targeting online financial services. However, recent changes in its phishing methods have expanded DarkCasino’s reach to cryptocurrency users worldwide, including non-English-speaking Asian countries such as South Korea and Vietnam.
DarkCasino WinRAR Exploit And CVE-2023-38831
DarkCasino’s most recent activity involves the zero-day exploitation of CVE-2023-38831, a WinRAR security flaw with a significant CVSS score of 7.8. This flaw has become a weapon of choice for DarkCasino, enabling the delivery of malicious payloads. In August 2023, Group-IB disclosed real-world attacks exploiting this vulnerability, specifically targeting members of online trading forums since at least April 2023. The final payload, named DarkMe, is a Visual Basic trojan attributed to DarkCasino.
DarkMe: A Potent Threat
DarkMe, equipped with multifaceted capabilities, poses a severe threat to compromised hosts. Its functionalities include collecting host information, capturing screenshots, manipulating files and Windows Registry, executing arbitrary commands, and self-updating on the compromised host. The sophistication of DarkMe underscores DarkCasino’s commitment to achieving its objectives.
Global Impact and Uncertain Provenance
While DarkCasino was initially associated with the EvilNum group’s phishing campaign targeting European and Asian online gambling, cryptocurrency, and credit platforms, NSFOCUS asserts that continuous tracking has ruled out connections with known threat actors. The exact origin of the threat actor remains unknown, which complicates attribution and the planning of defenses against its attacks.
Collaboration of Threat Actors
Multiple threat actors have joined in exploiting CVE-2023-38831 in recent months. Notable groups such as APT28, APT29, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm have leveraged this vulnerability. Ghostwriter’s attack chains, in particular, have been used to deliver PicassoLoader, an intermediate malware that acts as a loader for additional payloads.
WinRAR Vulnerability’s Impact on APT Landscape
The WinRAR vulnerability, CVE-2023-38831, first brought to light by the DarkCasino campaign, has introduced uncertainty into the APT attack landscape in the latter half of 2023. During the window between the vulnerability’s discovery and widespread patching, several APT groups have targeted critical entities such as governments, aiming to bypass their protection systems and fulfill their objectives.
Conclusion
DarkCasino’s evolution from a phishing campaign to an advanced persistent threat reflects the ever-changing cybersecurity threat landscape. The exploitation of the WinRAR security flaw has not only showcased DarkCasino’s technical prowess but has also drawn various other threat actors into exploiting the same vulnerability. As cybersecurity measures continue to evolve, vigilance and proactive defense strategies, including prompt patching of WinRAR, remain imperative in mitigating the risks posed by emerging cyber threats.
The sources for this piece include articles in The Hacker News and ISP.PAGE.