Experts Reveal DarkCasino: An Emerging Advanced Persistent Threat (APT) Exploiting a WinRAR Vulnerability

admin, 11 January 2024, 13:02:17 · 28 views · 3,302 characters · 11 min read

A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT).

Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021.

"DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process," the company said in an analysis.

"Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online property."

DarkCasino was most recently linked to the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads.

In August 2023, Group-IB disclosed real-world attacks weaponizing the vulnerability and aimed at online trading forums at least since April 2023 to deliver a final payload named DarkMe, which is a Visual Basic trojan attributed to DarkCasino.

The malware is equipped to collect host information, take screenshots, manipulate files and Windows Registry, execute arbitrary commands, and self-update itself on the compromised host.

While DarkCasino was previously classified as a phishing campaign orchestrated by the EvilNum group targeting European and Asian online gambling, cryptocurrency, and credit platforms, NSFOCUS said its continuous tracking of the adversary's activities has allowed it to rule out any potential connections with known threat actors.

The exact provenance of the threat actor is currently unknown.

"In the early days, DarkCasino mainly operated in countries around the Mediterranean and other Asian countries using online financial services," it said.

"More recently, with the change of phishing methods, its attacks have reached users of cryptocurrencies worldwide, even including non-English-speaking Asian countries such as South Korea and Vietnam."

Multiple threat actors have joined the CVE-2023-38831 exploitation bandwagon in recent months, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.

Ghostwriter's attack chains leveraging the shortcoming have been observed to pave the way for PicassoLoader, an intermediate malware that acts as a loader for other payloads.

"The WinRAR vulnerability CVE-2023-38831 brought by the APT group DarkCasino brings uncertainties to the APT attack situation in the second half of 2023," NSFOCUS said.

"Many APT groups have taken advantage of the window period of this vulnerability to attack critical targets such as governments, hoping to bypass the protection system of the targets and achieve their purposes."

Originally published by the WeChat official account 知机安全: Experts Reveal DarkCasino: An Emerging Advanced Persistent Threat (APT) Exploiting a WinRAR Vulnerability

Posted by admin on 11 January 2024, 13:02:17. Please keep this link when reposting (CN-SEC Chinese network, with thanks to the original author): https://cn-sec.com/archives/2213675.html