Microsoft patched a zero-day today that attackers were using to drop the DarkMe RAT by bypassing Windows Defender SmartScreen. According to Trend Micro, the threat group known as “DarkCasino” was found using the exploit on New Year's Day.

The zero-day (tracked as CVE-2024-21412) allows an unauthenticated attacker to send a user a malicious file crafted to bypass SmartScreen's security checks. This takes some social engineering: the attacker has no way to force the user to open the file, so the victim has to click the link themselves.

This zero-day stems from an earlier Windows Defender SmartScreen patch, CVE-2023-36025, whose fix it bypasses.

DarkCasino was first noticed in the last quarter of 2022, and research suggests it launches large-scale attacks against online trading, gambling, cryptocurrency, and other online banking services worldwide. The group tends to target both the users and the employees of these services. Its most frequently observed techniques (TTPs) are watering-hole attacks and spear phishing.

On various social media platforms the group posts tips on trading and cryptocurrency transactions in order to lure victims.

In 2021 the group developed the DarkMe remote access trojan (RAT). Its campaign exploiting CVE-2023-38831, a code execution vulnerability in WinRAR, was one of its first large-scale attacks.

Currently it's too early to tell whether the group is associated with any others; however, several other groups are using the same CVEs.

Associated CVEs and groups – DarkCasino, DarkPink, GhostWriter

CVE-2024-21412

CVE-2023-38831

CVE-2023-36025

By Ghost40