Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw
17.11.23  APT  The Hacker News

A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT).

Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021.

"DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process," the company said in an analysis.

"Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online property."

DarkCasino was most recently linked to the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a flaw in WinRAR versions prior to 6.23 in how the archiver handles an archive that contains a benign-looking decoy file and a folder of the same name: opening the decoy from the WinRAR interface causes a script placed in that folder to run, which is how the attackers launched their malicious payloads.
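To make that archive layout concrete, the following added Python script (written for this edit, not code from NSFOCUS, Group-IB or The Hacker News) inspects a ZIP file for the publicly documented CVE-2023-38831 structure: a decoy file whose name ends in a trailing space, plus a folder of the same name holding a script or executable whose name begins with the decoy's. The two archives it checks are constructed in memory with harmless placeholder contents; the file names and the list of script extensions are assumptions chosen for illustration.

```python
"""Triage check for the CVE-2023-38831 decoy-file / same-named-folder ZIP layout."""
import io
import os
import zipfile

# Extensions that Windows will hand to a script host or loader when the
# decoy name is resolved inside the extracted folder (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".wsf"}


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs found in the archive.

    A pair is reported when:
      * an entry that is a file (not a directory) ends with a trailing space, and
      * a directory with exactly that name holds a file whose name starts with
        the decoy name and carries an executable/script extension.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    decoys = [n for n in names if not n.endswith("/") and n.endswith(" ")]
    hits: list[tuple[str, str]] = []
    for decoy in decoys:
        folder_prefix = decoy + "/"
        for entry in names:
            if not entry.startswith(folder_prefix) or entry.endswith("/"):
                continue
            inner = entry[len(folder_prefix):]
            ext = os.path.splitext(inner)[1].lower()
            # In the public exploit the script is "<decoy name><ext>", so the
            # trailing-space decoy name resolves to it once extracted.
            if ext in SCRIPT_EXTS and inner.startswith(decoy):
                hits.append((decoy, entry))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the public layout; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading strategy.pdf ", b"%PDF-1.4 decoy")
        zf.writestr("Trading strategy.pdf /Trading strategy.pdf .cmd",
                    b"@echo off\r\nrem placeholder, does nothing\r\n")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a PDF and a script, but no trailing-space decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4")
        zf.writestr("scripts/setup.cmd", b"@echo off")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        print(label, find_cve_2023_38831_pattern(data))
```

A hit means the archive is shaped like the public exploit and deserves a closer look; it is a triage signal rather than proof of exploitation, and the fix on the endpoint side remains updating WinRAR to 6.23 or later.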

In August 2023, Group-IB disclosed real-world attacks that had weaponized the vulnerability since at least April 2023, targeting users of online trading forums to deliver a final payload named DarkMe, a Visual Basic trojan attributed to DarkCasino.

The malware is equipped to collect host information, take screenshots, manipulate files and the Windows Registry, execute arbitrary commands, and update itself on the compromised host.

DarkCasino was previously classified as a phishing campaign orchestrated by the Evilnum group targeting European and Asian online gambling, cryptocurrency, and credit platforms. NSFOCUS said its continuous tracking of the adversary's activities has allowed it to rule out any connections with known threat actors, which is why it now treats DarkCasino as a distinct APT group.

The exact provenance of the threat actor is currently unknown.

"In the early days, DarkCasino mainly operated in countries around the Mediterranean and other Asian countries using online financial services," it said.

"More recently, with the change of phishing methods, its attacks have reached users of cryptocurrencies worldwide, even including non-English-speaking Asian countries such as South Korea and Vietnam."

Multiple threat actors have joined the CVE-2023-38831 exploitation bandwagon in recent months, including APT28, APT29, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.

Ghostwriter's attack chains leveraging the shortcoming have been observed to pave the way for PicassoLoader, an intermediate-stage malware that acts as a loader for other payloads.

"The WinRAR vulnerability CVE-2023-38831 brought by the APT group DarkCasino brings uncertainties to the APT attack situation in the second half of 2023," NSFOCUS said.

"Many APT groups have taken advantage of the window period of this vulnerability to attack critical targets such as governments, hoping to bypass the protection system of the targets and achieve their purposes."