
Previously unknown APT DarkCasino hits jackpot in WinRAR attack


Cybersecurity firm NSFOCUS has identified a new advanced persistent threat actor group, which it has named DarkCasino, as the group behind the attacks that exploited a zero-day flaw in the WinRAR archiving tool, The Hacker News reports. Describing the group as "economically motivated," NSFOCUS said in its analysis that DarkCasino has strong technical and learning capabilities as well as skill in integrating leading APT attack techniques into its own methodology.

The firm says the group's exact provenance remains unknown. It initially operated mainly in Mediterranean and Asian countries before widening its targeting to non-English-speaking cryptocurrency users in countries including South Korea and Vietnam.

Real-world attacks exploiting CVE-2023-38831 are known to date back to at least April 2023, delivering a payload dubbed DarkMe that has been attributed to DarkCasino. The flaw, patched in WinRAR 6.23 in August 2023, lets a specially crafted archive run a script when the victim opens what appears to be a harmless file such as an image or document. DarkMe, a Visual Basic trojan, can collect host information, manipulate the Windows registry and files, take screenshots, and update itself. Numerous other threat actors have since joined in exploiting the flaw.

"The WinRAR vulnerability CVE-2023-38831 brought by the APT group DarkCasino brings uncertainties to the APT attack situation in the second half of 2023," NSFOCUS said.
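The report does not describe how the malicious archives are built, so the following is an added example rather than code from the article or from NSFOCUS. It assumes the archive layout described in public analyses of CVE-2023-38831: a top-level decoy file (for example a PDF or image) sits beside a directory whose name is the decoy's name, typically with a trailing space, and that directory holds a script with a similar name. Opening the decoy in a vulnerable WinRAR extracts both and the script runs. The scanner below flags that layout in a ZIP file; the sample archives it checks are constructed inline, and a match is an indicator to triage, not proof of exploitation.

```python
import io
import os
import zipfile

# File types Windows will execute when the extracted path is handed to ShellExecute.
# The set is an assumption; extend it to suit your environment.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".hta", ".lnk"}


def find_decoy_directory_pairs(archive_bytes: bytes) -> list:
    """Flag the CVE-2023-38831 archive layout: a top-level decoy file plus a
    directory with the same name (ignoring trailing spaces) containing an
    executable. Returns one dict per (decoy, directory, script) match."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    # Top-level regular files, keyed by name with trailing spaces removed so
    # "invoice.pdf " and "invoice.pdf" both map to the same key.
    decoys = {n.rstrip(" "): n for n in names if "/" not in n}

    hits = []
    for name in names:
        if "/" not in name or name.endswith("/"):
            continue  # not a file inside a directory (explicit dir entries are skipped)
        top_dir, _, inner = name.partition("/")
        decoy = decoys.get(top_dir.rstrip(" "))
        if decoy is None:
            continue  # directory does not shadow a top-level file
        leaf = inner.split("/")[-1].rstrip(" ")
        ext = os.path.splitext(leaf)[1].lower()
        if ext in EXECUTABLE_EXTS:
            hits.append({"decoy": decoy, "directory": top_dir + "/", "script": name})
    return hits


def build_malicious_sample() -> bytes:
    """Constructed archive mimicking the decoy-plus-directory layout (harmless contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy content")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho simulated payload\r\n")
        zf.writestr("readme.txt", b"unrelated file")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive with ordinary layout: a folder that shadows no top-level file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 real report")
        zf.writestr("tools/setup.cmd", b"@echo off\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("malicious", build_malicious_sample()), ("benign", build_benign_sample())):
        print(label, find_decoy_directory_pairs(data))
```

The check works on file names alone, so it can run on mail gateways or in a triage script before anything is extracted. It relies on the paths of the archive members rather than on explicit directory entries, which many ZIP writers omit.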
