The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits – NSFOCUS

NSFOCUS Research Labs analyzes DarkCasino, a financially motivated APT group, its use of the WinRAR CVE-2023-38831 zero-day, and how multiple known and unknown actors exploited this vulnerability in widespread campaigns targeting governments and crypto-related platforms. The report highlights the attack flow, key tools like DarkMe and Remcos, and a growing set of IOCs and attacker personas.
#DarkCasino #WinRAR #CVE-2023-38831 #DarkMe #Remcos #Bumblebee #DarkPink #Konni

Key Points

  • DarkCasino is identified as an economically motivated APT group that targets cryptocurrency platforms, online casinos, and financial networks at scale worldwide.
  • CVE-2023-38831 is an arbitrary code execution vulnerability in WinRAR, used to deliver payloads via decoy files and phishing/watering-hole tactics; the exploit files observed include anti-virus evasion features.
  • The attack chain comprises vulnerability exploitation, payload release, and Trojan execution, with an alternative flow that uses steganographic images to carry data.
  • Several unconfirmed actors (Actor230830, Actor231003, Actor231004, Actor231010, Actor231009) conducted campaigns against the European Parliament, Serbia, New Zealand government departments, and Russia/Belarus, often delivering Remcos, Bumblebee, AthenaAgent, or other tools.
  • NSFOCUS notes the proliferation of decoy PDFs, batch files, and phishing posts across forums and government/enterprise targets, signaling a broadening WinRAR-exploit ecosystem.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The campaign uses decoy PDF and batch attachments to lure victims into executing malicious files. Quote: “The vulnerability exploitation file was constructed … The batch will open the original decoy pdf file as well as a malicious file named Images.com.”
  • [T1189] Drive-by Compromise / Watering Hole – Attackers leverage watering hole phishing via online trading forums and forum posts to disseminate exploits. Quote: “DarkCasino constructed various post contents … lured forum users into opening malicious files attached or pointed to the posts.”
  • [T1203] Exploitation for Client Execution – CVE-2023-38831 is an arbitrary code execution vulnerability in WinRAR and is exploited to trigger payloads. Quote: “CVE-2023-38831 is an arbitrary execution vulnerability in WinRAR software…”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The attack flow uses batch files and cmd commands (e.g., “cmd /c … reg.exe import add.txt” and “cmd /c rundll32.exe …”). Quote: “The nb.ocx file mainly runs the following cmd commands: cmd /c cd APPDATARarDir&&cmd /c timeout 1&&cmd /c reg.exe import add.txt”
  • [T1112] Modify Registry – The batch flow imports a registry file (add.txt) to register a COM component on the host, which is then activated by CLSID through rundll32. Quote: “cmd /c cd APPDATARarDir&&cmd /c rundll32.exe /sta {EA6FC2FF-7AE6-4534-9495-F688FEC7858C} Mouse_Keyboard”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The DarkMe Trojan used in these campaigns is a spy Trojan written in Visual Basic. Quote: “The Trojan horse used by DarkCasino in this round of operations is DarkMe, which is commonly used by the group.”
  • [T1027] Obfuscated Files and Information – Additional obfuscation code and oversized binaries (DarkMe expanded to over 20MB) are used to evade detection. Quote: “DarkCasino has added more obfuscation codes to the new Trojan, expanding the whole program file to over 20MB.”
  • [T1105] Ingress Tool Transfer – The loader downloads and executes additional payloads from remote locations (e.g., chrmap.exe). Quote: “the subsequent load Trojan will be downloaded from the designated remote location https://allnato[.]net/news/uploads/chrmap.exe”
  • [T1071.001] Web Protocols – C2 channel using Discord (AthenaAgent) for command and control. Quote: “uses the discord channel as the CnC server.”
  • [T1113] Screen Capture – DarkMe capabilities include host information collection and screen capture. Quote: “DarkMe is a Visual Basic spy Trojan. Its initial version appeared … Currently, it supports host information collection, screenshot…”
  • [T1036] Masquerading – A cabinet archive named Images.com, disguised as a .com file, is used to execute the batch payload. Quote: “Images.com file, which was exploited to execute batch files … is a loader-type Trojan designed by DarkCasino.”
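The T1203, T1059.003 and T1112 entries above describe a recognizable sequence in process-creation telemetry: WinRAR launching a shell from its temporary extraction folder, a batch file importing a registry file from the user profile, and rundll32 activating a COM class by CLSID. The following detection logic is an added example, not code from the NSFOCUS report; it runs the four checks over constructed sample events. The Rar$ temporary folder name, user paths and the `%APPDATA%\RarDir` reading of the report's “APPDATARarDir” are assumptions of the example; the command lines and CLSID are taken from the quotes above.

```python
"""Added example (not from the NSFOCUS report): rule-based triage of process-creation
telemetry for the WinRAR CVE-2023-38831 execution chain described on this page."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 and most EDRs provide)."""
    parent_image: str
    image: str
    command_line: str


# WinRAR extracts members to %TEMP%\Rar$<letters><digits>.<digits>\ before opening them.
RAR_TEMP_DIR = re.compile(r"\\Rar\$[A-Za-z]+\d+\.\d+\\", re.IGNORECASE)
# "<decoy>.pdf .cmd": a document extension, a space, then a script/executable extension.
DOUBLE_EXT_WITH_SPACE = re.compile(
    r"\.(pdf|docx?|xlsx?|jpg|png)\s+\.(cmd|bat|exe|vbs|js|scr)\b", re.IGNORECASE)
REG_IMPORT = re.compile(r"\breg(\.exe)?\s+import\b", re.IGNORECASE)
APPDATA_PATH = re.compile(r"%APPDATA%|\\AppData\\", re.IGNORECASE)
# rundll32 /sta {CLSID} activates a registered COM class; the report's batch flow uses it
# right after "reg.exe import add.txt" registers the component.
RUNDLL32_STA_CLSID = re.compile(
    r"\brundll32(\.exe)?\s+/sta\s+\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def match_rules(ev: ProcEvent) -> tuple[str, ...]:
    """Return the names of every rule the event trips (empty tuple if none)."""
    hits = []
    if _base(ev.parent_image) == "winrar.exe" and _base(ev.image) in INTERPRETERS:
        hits.append("winrar_spawns_interpreter")   # T1203: archive viewer launching a shell
    if RAR_TEMP_DIR.search(ev.command_line) and DOUBLE_EXT_WITH_SPACE.search(ev.command_line):
        hits.append("rar_temp_double_extension")   # decoy-named script run from the Rar$ folder
    if REG_IMPORT.search(ev.command_line) and APPDATA_PATH.search(ev.command_line):
        hits.append("reg_import_from_appdata")     # T1112: registry import from the user profile
    if RUNDLL32_STA_CLSID.search(ev.command_line):
        hits.append("rundll32_sta_clsid")          # COM activation of the registered class
    return tuple(sorted(hits))


def scan(events) -> list[tuple[int, tuple[str, ...]]]:
    """Index every event that trips at least one rule."""
    return [(i, match_rules(ev)) for i, ev in enumerate(events) if match_rules(ev)]


# Constructed sample telemetry. Events 0-2 follow the chain quoted on this page; events 3-4
# are benign look-alikes (decoy PDF opened by a reader; an admin registry import) that
# should not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\u\AppData\Local\Temp\Rar$DIa1234.5678\Trading_Strategies_2023.pdf .cmd"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c cd %APPDATA%\RarDir&&cmd /c timeout 1&&cmd /c reg.exe import add.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"cmd /c cd %APPDATA%\RarDir&&cmd /c rundll32.exe /sta {EA6FC2FF-7AE6-4534-9495-F688FEC7858C} Mouse_Keyboard"),
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Program Files\Adobe\Acrobat.exe",
              r'"C:\Program Files\Adobe\Acrobat.exe" "C:\Users\u\AppData\Local\Temp\Rar$DIa1234.5678\Trading_Strategies_2023.pdf"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c reg.exe import C:\deploy\policy.reg"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", ", ".join(rules))
```

The rules are deliberately paired (WinRAR parent plus interpreter child; reg import plus a user-profile path) so that ordinary archive use and administrative registry imports do not fire, while the first event alone trips two independent rules and would merit immediate triage.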

Indicators of Compromise

  • [Hash] dd9146bf793ac34de3825bdabcd9f0f3 – DarkPink
  • [Hash] 5504799eb0e7c186afcb07f7f50775b2 – DarkPink
  • [Hash] c5331b30587dcaf94bfde94040d4fc89 – DarkPink
  • [Hash] ac28e93dbf337e8d1cc14a3e7352f061 – DarkPink
  • [Hash] fefe7fb2072d755b0bfdf74aa7c9013e – DarkPink
  • [Hash] 428a12518cea41ef7c57398c69458c52 – Konni
  • [Hash] 7bb106966f6f8733bb4cc5bf2ab2bab4 – GhostWriter
  • [Hash] 2b02523231105ff17ea07b0a7768f3fd – Actor230830
  • [Hash] 63085b0b7cc5bb00859aba105cbb40b1 – Actor231003
  • [Hash] 7195be63a58eaad9fc87760c40e8d59d – Actor231004
  • [Hash] 129ccb333ff92269a8f3f0e95a0338ba – Actor231010
  • [Hash] cd1f48df9712b984c6eee3056866209a – Actor231010
  • [Hash] b05960a5e1c1a239b785f0a42178e1df – Actor231010
  • [Hash] 6b5d5e73926696a6671c73437cedd23c – Actor231009
  • [IP] 89.96.196.150 – Actor230830 (used to reach remote beacon/commands)
  • [URL] https://allnato[.]net/news/uploads/chrmap.exe – Actor231003/Actor231010 payload download
  • [Domain] europarl.europa.eu – Actor230830 decoy flow (the legitimate European Parliament domain referenced by the decoy, not attacker infrastructure)
  • [File/Folder] Trading_Strategies_2023.rar – Vulnerability exploitation file structure
  • [File/Batch] Trading_Strategies_2023.pdf.cmd – Batch that triggers malicious execution

Read more: https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/