DarkCasino (Water Hydra) – Threat Actor

DarkCasino
Other Names	Water Hydra
Location	Unknown
Date of initial activity	2021
Suspected attribution	Unknown
Motivation	Steal money from banks, cryptocurrency platforms, forex and stock trading platforms, gambling sites, and casinos worldwide
Associated tools	DarkMe Malware

Overview

DarkCasino was first discovered in 2021 and has previously launched attacks against banks, cryptocurrency platforms, gambling sites and casinos, and stock trading platforms. The name of DarkCasino comes from a large-scale APT attack of the same name captured by NSFOCUS Research Labs in 2022.

Initially, the group’s attacks were attributed to the Evilnum APT group due to similar phishing techniques and other TTPs.

Common targets

The APT group DarkCasino mainly targets various online trading platforms in Europe, Asia, the Middle East and other regions, covering industries such as cryptocurrencies, online casinos, network banks and online credit platforms. DarkCasino is good at obtaining assets deposited by victims in online accounts by stealing passwords from target hosts.

Attack Vectors

The group mainly use malicious shortcuts, image steganography and other technologies to realize spearphishing attacks.

How they operate

DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process. In the early days, the APT group DarkCasino mainly drew on the attack idea of an APT attacker named Evilnum and used malicious shortcuts, image steganography and other technologies to realize phishing attacks. The overall process design was also similar to that of Evilnum, so NSFOCUS Research Labs once attributed this organization to Evilnum; after H2 2022, DarkCasino gradually abandoned the attack idea borrowed from Evilnum and developed a set of multi-level loading patterns based on several Visual Basic components, thus implementing many larger-scale network attacks. In 2021, the APT group DarkCasino developed a Visual Basic-based Trojan Horse program called DarkMe and constantly refined the details of the attack process around it to improve its functions, countermeasures and delivery methods, thus enhancing the stability and efficiency of attacks. References: