A new advanced persistent threat (APT) group, known as DarkCasino, has been discovered exploiting a recently uncovered security flaw in the WinRAR software. The group was first identified in 2021 and has been described by cybersecurity firm NSFOCUS as being economically motivated.
The group is said to have strong technical skills and is adept at incorporating various popular APT attack methodologies into its operations. According to NSFOCUS' analysis, "DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process." The group's attacks are frequent, indicating a strong intent to steal online assets.
DarkCasino was most recently linked to the exploitation of the zero-day vulnerability CVE-2023-38831, a flaw that can be used to launch malicious payloads. In August 2023, Group-IB revealed that this vulnerability had been weaponized in real-world attacks targeting online trading forums since at least April 2023. The final payload, named DarkMe, is a Visual Basic trojan attributed to DarkCasino. This malware collects host information, takes screenshots, manipulates files and the Windows Registry, executes arbitrary commands, and can update itself on the compromised host.
Initially, DarkCasino was thought to be a phishing campaign led by the EvilNum group, targeting online gambling, cryptocurrency, and credit platforms in Europe and Asia. However, NSFOCUS' continuous tracking of DarkCasino's activities has ruled out any potential connections with known threat actors. The exact origins of DarkCasino are still unknown.
DarkCasino's operations initially focused on users of online financial services in countries around the Mediterranean and in other Asian countries. As its phishing methods changed, its attacks expanded to target cryptocurrency users worldwide, including non-English-speaking Asian countries such as South Korea and Vietnam.
Other threat actors, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm, have also exploited the CVE-2023-38831 vulnerability in recent months. Ghostwriter's attack chains using this vulnerability have been observed to pave the way for PicassoLoader, an intermediate malware that acts as a loader for other payloads.
NSFOCUS has warned about the uncertainties brought about by the WinRAR vulnerability CVE-2023-38831, stating, "The WinRAR vulnerability CVE-2023-38831 brought by the APT group DarkCasino brings uncertainties to the APT attack situation in the second half of 2023." Many APT groups have exploited this vulnerability to attack critical targets such as governments, in hopes of bypassing their protection systems.