Darkme

Threat Actor updated 23 days ago (2024-11-29T14:22:10.905Z)
Download STIX
Preview STIX
DarkMe is a threat actor group, also known as DarkCasino or Water Hydra, that has been active since 2022. They have gained notoriety for their use of the Trojan DarkMe in large-scale cyberattacks, primarily targeting financial institutions. The Trojan DarkMe, a Visual Basic spy Trojan, is a common tool used by this group. NSFOCUS Research Labs' detailed analysis reveals that the functionality of the Trojan DarkMe used in recent attacks remains consistent with previous versions employed by DarkCasino. Furthermore, an updated set of intrusions possibly linked to the Deathstalker cyber-mercenary group features an upgraded DarkMe VB6 OCX/DLL implant and more stealthy tactics, techniques, and procedures (TTPs), including a sophisticated infection chain. The group has been exploiting a vulnerability, CVE-2023-38831, to remotely execute code that installs malware from families such as DarkMe, GuLoader, and Remcos RAT. Real-world attacks involving this vulnerability were recorded as early as April of the current year, delivering a payload dubbed DarkMe attributed to DarkCasino. Additionally, since April 2023, hackers have abused a WinRAR zero-day vulnerability to execute multiple malware families onto cryptocurrency traders. Researchers at Group-IB discovered this campaign and found that hackers have utilized malware families like DarkMe, GuLoader, and Remcos RAT for financial gain. Despite Microsoft addressing the CVE-2023-38831 vulnerability in its February 2024 Patch Tuesday updates, threat actors like DarkMe continue to weaponize it to distribute their malware. The obfuscated commands used by the DarkMe downloader further complicate the mitigation efforts. As DarkMe continues to evolve its TTPs and exploit vulnerabilities for their operations, organizations, particularly those in the financial sector, must stay vigilant and employ robust cybersecurity measures to counter these threats.
Description last updated: 2024-11-28T11:45:54.908Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Water Hydra is a possible alias for Darkme. Water Hydra, also known as DarkCasino, is a threat actor group that has been exploiting the Windows SmartScreen vulnerability CVE-2024-21412 since mid-January 2024. This group has demonstrated a sophisticated attack chain, using this zero-day exploit to bypass Microsoft Defender SmartScreen and infe
4
Darkcasino is a possible alias for Darkme. DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it's responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private compani
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Vulnerability
Malware
WinRAR
Apt
Remcos
Microsoft
Payload
Zero Day
Implant
Exploit
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The GuLoader Malware is associated with Darkme. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for rUnspecified
3
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2024-21412 Vulnerability is associated with Darkme. CVE-2024-21412 is a security feature bypass vulnerability in the Microsoft Windows Internet Shortcut SmartScreen. The flaw, which was exploited as a zero-day, allows attackers to bypass the SmartScreen feature that typically warns users about running unrecognized apps and files from the internet. ThUnspecified
3
Source Document References
Information about the Darkme Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
24 days ago
CERT-EU
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
InfoSecurity-magazine
10 months ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
10 months ago
Trend Micro
10 months ago
CERT-EU
a year ago