Darkme

Threat Actor updated 7 months ago (2024-05-04T18:19:18.346Z)

Download STIX

Preview STIX

DarkMe is a threat actor group, also known as DarkCasino or Water Hydra, that has been actively executing large-scale cyberattacks since 2022. The group primarily uses a Visual Basic spy Trojan, also named DarkMe, in its operations. This Trojan was developed by the group in 2021 and has been continually refined to improve its functionality, countermeasures, and delivery methods, thereby increasing the stability and efficiency of attacks. The DarkMe Trojan's functions and use have remained consistent across different attack rounds, as observed in the NSFOCUS Research Labs' report on Operation DarkCasino. The group has exploited several vulnerabilities to distribute their malware, most notably CVE-2023-38831. Despite Microsoft's efforts to address this vulnerability with a patch in February 2024, DarkCasino weaponized it to specifically target financial institutions. The group has used this vulnerability for remote code execution, installing various malware families, including DarkMe, GuLoader, and Remcos RAT. Since April 2023, DarkCasino has also been exploiting a WinRAR zero-day vulnerability to execute multiple malware families onto cryptocurrency traders. Researchers at Group-IB discovered this campaign and found that the hackers used malware families like DarkMe, GuLoader, and Remcos RAT for financial gain. Real-world attacks involving CVE-2023-38831 delivering the DarkMe payload were reported as early as April this year, further emphasizing the persistent and evolving threat posed by this group.

Description last updated: 2024-05-04T17:50:35.966Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Water Hydra is a possible alias for Darkme. Water Hydra, also known as DarkCasino, is a threat actor group that has been exploiting the Windows SmartScreen vulnerability CVE-2024-21412 since mid-January 2024. This group has demonstrated a sophisticated attack chain, using this zero-day exploit to bypass Microsoft Defender SmartScreen and infe	4
Darkcasino is a possible alias for Darkme. DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it's responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private compani	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Trojan

Vulnerability

Malware

WinRAR

Apt

Remcos

Microsoft

Zero Day

Payload

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The GuLoader Malware is associated with Darkme. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for r	Unspecified	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2024-21412 Vulnerability is associated with Darkme. CVE-2024-21412 is a security feature bypass vulnerability in the Microsoft Windows Internet Shortcut SmartScreen. The flaw, which was exploited as a zero-day, allows attackers to bypass the SmartScreen feature that typically warns users about running unrecognized apps and files from the internet. Th	Unspecified	3

Source Document References

Information about the Darkme Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	CVE-2024-21412 Used in DarkGate Malware Campaigns
CERT-EU	a year ago	Cyber Security Week in Review: August 25, 2023
CERT-EU	a year ago	The Week in Security: WinRAR exploit targets traders, malicious npm packages go after game devs
CERT-EU	a year ago	Previously unknown APT DarkCasino hits jackpot in WinRAR attack
CERT-EU	a year ago	The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
CERT-EU	a year ago	WinRAR zero-day exploited since April to hack trading accounts
BankInfoSecurity	a year ago	Nation-State Hackers Exploiting WinRAR, Google Warns
CERT-EU	a year ago	Threat Actor Exploits Zero-Day in WinRAR to Target Crypto Accounts
InfoSecurity-magazine	a year ago	WinRAR Vulnerability Affects Traders Worldwide
InfoSecurity-magazine	9 months ago	Water Hydra’s Zero-Day Attack Chain Targets Financial Traders
Securityaffairs	a year ago	DarkCasino joins the list of APT groups exploiting WinRAR 0day
CERT-EU	a year ago	WinRAR flaw lets hackers steal funds from broker accounts
CERT-EU	a year ago	Google links WinRAR exploitation to Russian, Chinese state hackers
CERT-EU	a year ago	Traders Targeted by Cybercriminals in Attack Exploiting WinRAR Zero-Day
DARKReading	9 months ago	Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
Trend Micro	9 months ago	CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
CERT-EU	a year ago	Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR