Headline
Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an “economically motivated” actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good
Advanced Persistent Threat / Zero-Day
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT).
Cybersecurity company NSFOCUS has described DarkCasino as an “economically motivated” actor that first came to light in 2021.
“DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process,” the company said in an analysis.
“Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online property.”
DarkCasino was most recently linked to the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads.
In August 2023, Group-IB disclosed real-world attacks weaponizing the vulnerability aimed at online trading forums at least since April 2023 to deliver a final payload named DarkMe, which is a Visual Basic trojan attributed to DarkCasino.
The malware is equipped to collect host information, take screenshots, manipulate files and Windows Registry, execute arbitrary commands, and self-update itself on the compromised host.
While DarkCasino was previously classified as a phishing campaign orchestrated by the EvilNum group targeting European and Asian online gambling, cryptocurrency, and credit platforms, NSFOCUS said its continuous tracking of the adversary’s activities has allowed it rule out any potential connections with known threat actors.
The exact provenance of the threat actor is currently unknown.
“In the early days, DarkCasino mainly operated in countries around the Mediterranean and other Asian countries using online financial services,” it said.
“More recently, with the change of phishing methods, its attacks have reached users of cryptocurrencies worldwide, even including non-English-speaking Asian countries such as South Korea and Vietnam.”
Multiple threat actors have joined the CVE-2023-38831 exploitation bandwagon in recent months, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.
Ghostwriter’s attack chains leveraging the shortcoming have been observed to pave the way for PicassoLoader, an intermediate malware that acts as a loader for other payloads.
“The WinRAR vulnerability CVE-2023-38831 brought by the APT group DarkCasino brings uncertainties to the APT attack situation in the second half of 2023,” NSFOCUS said.
“Many APT groups have taken advantage of the window period of this vulnerability to attack critical targets such as governments, hoping to bypass the protection system of the targets and achieve their purposes.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
By Waqas UAC-0099 is a pro-Russian hacking group that has been targeting Ukraine since the conflict between the two countries began. This is a post from HackRead.com Read the original post: UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first
By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a
State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.
A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as
A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as
This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (
Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]
By Habiba Rashid The 0-day vulnerability in WinRAR, which has been exploited, is targeting traders and has successfully stolen funds from 130 victims so far. This is a post from HackRead.com Read the original post: WinRAR users update your software as 0-day vulnerability is found
RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.