WinRAR vulnerability turned into a cyber weapon for attacks on government organizations

Lord777
Asian countries suffer the most, but hackers can hardly expand their activity zone.

In the field of cybersecurity, a new serious threat is gaining momentum. A group of cybercriminals known as DarkCasino is exploiting a newly discovered vulnerability in the WinRAR software to launch hacking attacks on Asian government organizations.

DarkCasino is described by NSFOCUS experts as an economically motivated group first identified in 2021. Its operators have advanced technical skills and a capacity to learn. The group's attacks are most often aimed at stealing the online assets of individual Internet users and of entire organizations.

The group is particularly active in exploiting CVE-2023-38831 (CVSS score: 7.8), a WinRAR vulnerability that allows attackers to execute arbitrary code when a user tries to view a benign file inside a ZIP archive.

In August 2023, Group-IB reported attacks targeting online trading forums. The final payload of these attacks is a Visual Basic Trojan named DarkMe, attributed to DarkCasino. The Trojan can collect host information, take screenshots, manage files and the Windows registry, execute arbitrary commands, and update itself on an infected host.

Previously, DarkCasino was classified as a phishing campaign by the Evilnum group aimed at users of gambling, cryptocurrency and credit platforms in Europe and Asia. However, NSFOCUS now rules out DarkCasino's association with known threat actors and tracks it as a separate group.

According to the researchers, at first DarkCasino mainly worked in the Mediterranean countries, but recently the group's attacks have spread to Asian countries such as South Korea and Vietnam.

In addition to DarkCasino, other hacker groups, including APT28, APT29, APT40, Dark Pink, Ghostwriter, Konni and Sandworm, have joined in exploiting CVE-2023-38831 in recent months. For example, Ghostwriter uses this vulnerability to distribute the malicious PicassoLoader downloader.

NSFOCUS emphasizes that this WinRAR vulnerability creates uncertainty in the picture of APT-group attacks for the second half of 2023. Since many groups are using the same vulnerability at once, it is much harder to analyze their activities and attribute a particular attack.

At the same time, a detailed analysis in each individual case is necessary, since the vulnerability is often used for attacks on critical targets, including governments of different countries.
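The post above only says that CVE-2023-38831 fires when a user views a benign file in a ZIP archive; the underlying trick, per the public CVE description, is that the archive also contains a folder with the same name as that benign file, and affected WinRAR builds processed the folder's contents (typically a .cmd or other script) when the user opened the decoy. The scanner below is an added example written for this page, not code from NSFOCUS, Group-IB or any of the reports mentioned: it parses a ZIP listing and flags archives whose layout matches that same-name file/folder pattern. The extension list, the trailing-space normalization (in-the-wild samples often append a space to both names) and the sample archive are all assumptions constructed here for illustration.

```python
"""Heuristic scanner for the CVE-2023-38831 archive layout (added example).

Assumption (not from the article): a malicious archive carries a benign-looking
file such as "invoice.pdf " plus a directory of the same name holding a script
with a shell-executable extension, e.g. "invoice.pdf /invoice.pdf .cmd".
Trailing spaces are common in real samples, so names are compared after
stripping them. The sample archive built below is constructed test data.
"""
import io
import zipfile

# Extensions Windows would hand to the shell for execution; heuristic list, assumed here.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".cmd", ".bat", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".lnk"}


def _norm(name):
    """Normalize a member or directory name: drop trailing slash and spaces, lowercase."""
    return name.rstrip("/").rstrip(" ").lower()


def _looks_executable(member):
    """True if the member's base name ends in an executable-looking extension."""
    base = member.rsplit("/", 1)[-1].rstrip(" ").lower()
    return any(base.endswith(ext) for ext in EXECUTABLE_EXTS)


def find_same_name_pairs(zip_bytes):
    """Return {file_name: [members inside the directory that shares its name]}.

    Directory names are inferred from every parent prefix of every member path,
    so the check works whether or not the archive carries explicit "dir/" entries.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    dir_keys = {_norm(d) for d in dirs}
    hits = {}
    for f in sorted(files):
        if _norm(f) in dir_keys:
            inside = [n for n in names
                      if "/" in n and not n.endswith("/")
                      and _norm(n.rsplit("/", 1)[0]) == _norm(f)]
            hits[f] = inside
    return hits


def assess(zip_bytes):
    """Return (verdict, pairs): 'suspicious' if a same-name pair holds an
    executable-looking member, 'odd' if a pair exists without one, else 'clean'."""
    pairs = find_same_name_pairs(zip_bytes)
    if not pairs:
        return "clean", {}
    if any(_looks_executable(m) for members in pairs.values() for m in members):
        return "suspicious", pairs
    return "odd", pairs


def build_sample(malicious=True):
    """Construct an in-memory archive (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        if malicious:
            # Same-named folder with a script: the CVE-2023-38831 trigger layout.
            zf.writestr("invoice.pdf /invoice.pdf .cmd",
                        b"@echo off\r\necho constructed placeholder, no payload\r\n")
        else:
            zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        verdict, pairs = assess(build_sample(flag))
        print(f"malicious={flag}: {verdict} {pairs}")
```

The check is purely structural (no extraction, no execution), so it is safe to run on a mail gateway or in a sandbox pre-filter; patched WinRAR 6.23 and later ignore the folder, but the layout itself has no legitimate use and is worth alerting on regardless of the recipient's client version.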
 