Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

Cyber Security Threat Summary:
The hacking group known as DarkCasino was observed using the recently disclosed WinRAR security flaw as a zero-day, prompting researchers to reclassify it as an advanced persistent threat. This financially motivated actor, first identified in 2021, possesses significant technical prowess and blends various APT attack techniques in its operations. DarkCasino recently exploited CVE-2023-38831, a vulnerability with a CVSS score of 7.8 that allows a malicious payload to be launched from a crafted archive. In August 2023, Group-IB disclosed real-world attacks leveraging this flaw, targeting online trading forums and distributing DarkMe, a Visual Basic trojan attributed to DarkCasino. DarkMe collects data, takes screenshots, manipulates files, executes commands, and self-updates on compromised systems. Initially associated with phishing campaigns by EvilNum, DarkCasino's activities have expanded globally, moving from Mediterranean and Asian countries to targeting cryptocurrency users worldwide, including in non-English-speaking Asian nations.

Security Officer Comments:
Numerous threat actors, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandstorm, have exploited CVE-2023-38831. Ghostwriter's earlier use of this vulnerability delivered PicassoLoader, which acted as a gateway for additional malicious software. Researchers at NSFOCUS emphasized the uncertainty created by DarkCasino's exploitation of the WinRAR vulnerability: it opened an opportunity for multiple APT groups to target critical entities and attempt to bypass their protection systems during the latter part of 2023.

Zero-days can be tough to mitigate depending on what type of device or piece of software is susceptible. The time gap between vulnerability disclosure and the production, release, and deployment of a patch is the most critical aspect of zero-day vulnerabilities, or of any vulnerability for that matter. An attacker can leverage a vulnerability from the moment it is known until systems are patched, which is why vulnerabilities must be responsibly disclosed to vendors. Unfortunately, until development teams release a patch or an effective mitigation, there is not much companies can do to prevent attackers from leveraging unpatched systems, especially those exposed to the internet, aside from taking them offline entirely. Taking systems offline can significantly impact business functions, which is why those in IT leadership roles must communicate the possible implications, risks, and overall impact to business leaders so that decisions can be made that account for the business as a whole. In the case of CVE-2023-38831, a patched WinRAR release is already available, so the remaining exposure comes from installations that have not been updated; inventorying and updating those installations is the direct mitigation. Applying defense-in-depth strategies and zero trust can significantly assist in preventing the exploitation of zero-days. Still, they may not contain a full-blown attack, depending on the severity and type of exploit possible.