| DarkCasino | |
| --- | --- |
| Other names | Water Hydra |
| Location | Unknown |
| Date of initial activity | 2021 |
| Suspected attribution | Unknown |
| Motivation | Steal money from banks, cryptocurrency platforms, forex and stock trading platforms, gambling sites and casinos worldwide |
| Associated tools | DarkMe malware |
Overview
DarkCasino was first discovered in 2021 and has previously launched attacks against banks, cryptocurrency platforms, gambling sites and casinos, and stock trading platforms. The name of DarkCasino comes from a large-scale APT attack of the same name captured by NSFOCUS Research Labs in 2022.
Initially, the group’s attacks were attributed to the Evilnum APT group due to similar phishing techniques and other TTPs.
Common targets
The DarkCasino APT group mainly targets online trading platforms in Europe, Asia, the Middle East and other regions, covering industries such as cryptocurrencies, online casinos, online banking and online credit platforms. DarkCasino specializes in stealing credentials from compromised hosts in order to take over the assets victims hold in their online accounts.
Attack Vectors
The group mainly uses malicious shortcut (LNK) files, image steganography and similar techniques to carry out spearphishing attacks.
How they operate
DarkCasino is an APT threat actor with strong technical skills and a demonstrated ability to learn, adept at integrating popular APT techniques into its own attack chain. Early on, the group borrowed heavily from the attack methodology of the Evilnum APT group, using malicious shortcuts, image steganography and similar techniques to carry out phishing attacks. Because the overall process design also resembled Evilnum's, NSFOCUS Research Labs initially attributed the activity to Evilnum. After the second half of 2022, DarkCasino gradually abandoned the approach borrowed from Evilnum and developed its own multi-stage loading pattern built on several Visual Basic components, which it used to carry out larger-scale network attacks.
In 2021, DarkCasino developed a Visual Basic-based Trojan named DarkMe and has since continually refined its attack chain around it, improving the malware's functionality, countermeasures and delivery methods to make its attacks more stable and efficient.
References:
- The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
- Traders’ Dollars in Danger: CVE-2023-38831 zero-Day vulnerability in WinRAR exploited by cybercriminals to target traders
- CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day