


If your organization dabbles in crypto, online trading, or internet money magic, we’ve got bad news: DarkCasino is dealing dirty hands in your sector.
DarkCasino is an APT threat group actively targeting online trading platforms worldwide. This sophisticated actor specializes in stealing credentials to drain victims' accounts across multiple financial sectors including cryptocurrencies, online casinos, banking, and credit platforms.
Industry: Crypto trading platforms, online casinos, network banks & online credit platforms
CVEs: CVE-2024-21412, CVE-2023-38831
DarkCasino, also known as Water Hydra, has been a significant player in 2024, targeting financial institutions with advanced tactics. Key methods include exploiting CVE-2024-21412 (Microsoft Defender SmartScreen) and abusing WebDAV to execute remote commands, escalate privileges, and maintain stealth. If you're staring at your SIEM thinking, “Did I just blink and miss that?”—we've got you. We've partnered with Intel471 to hook you up with hunting queries for the TTPs observed, written for the various SecOps platforms you may use. If we missed one, let us know!
Behavioral Hunts:
- The Abnormal Execution of WebDAV DLL via Rundll32
- Windows cmd Launching Script Interpreter
- 7z Password Protected Archive Accessed
PS: This isn't just another APT spotlight.
It’s a reminder that threat actors don’t need new tactics if the old ones still hit the jackpot.
Detect DarkCasino Activities
// Cyborg Hunter Link: https://hunter.cyborgsecurity.io/research/hunt-package/43542c5b-f282-4834-8602-ab2d076359c2
// Hunt: process creations where a script interpreter/LOLBin (or an explorer.exe child) references a file
// under the per-user IE INetCache folder on its command line, then one summary row per host.
// NOTE(review): Kusto-style syntax, but no source table precedes the first filter, "| let" is not a tabular
// operator in Kusto, and count(aid) takes an argument Kusto's count() does not; confirm this parses on the
// engine it is meant for before deploying.
event_platform = "Win"
| where event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
// Filtering processes that execute suspicious scripts or files
// Branch 1: cmd/wscript/powershell/rundll32/mshta with a script-like extension (.js .hta .bat .cmd .ps1 .vbs) on the command line.
// Branch 2: explorer.exe child whose command line references .iso/.scr or a "].exe" token.
| where (FileName matches regex "(?i)(cmd|wscript|powershell|rundll32|mshta)\.exe"
and CommandLine matches regex "\.(js|hta|bat|cmd|ps1|vbs)")
or (ParentBaseFileName == "explorer.exe"
and CommandLine matches regex "\.(iso|scr)|\]\.exe")
// Required anchor: the referenced file lives under the per-user IE INetCache directory.
// NOTE(review): in a double-quoted Kusto literal "\\" is a single backslash, so the regex engine receives
// "\L", "\M", "\W", "\I" as escapes rather than literal backslashes; confirm the escaping (a verbatim @"..."
// literal with a doubled backslash per path separator) on the target engine.
| where CommandLine matches regex "AppData\\Local\\Microsoft\\Windows\\INetCache\\IE"
// Assign default value for GrandParentBaseFileName if missing
| extend GrandParentBaseFileName = iff(isempty(GrandParentBaseFileName), "Unknown", GrandParentBaseFileName)
// Base URL for process and graph explorer links (US-2 Falcon cloud; change to match your tenant's cloud)
| let rootURL = "https://falcon.us-2.crowdstrike.com/"
// Normalize ProcessStartTime
// NOTE(review): round() yields a number while format_datetime() expects a datetime; confirm the type conversion on the target engine.
| extend ProcessStartTime = round(ProcessStartTime)
| extend processStart = format_datetime(ProcessStartTime, "MM/dd HH:mm:ss")
// Use Context Process ID if available, otherwise use Target Process ID
| extend ContextId = iff(isnotempty(ContextProcessId), ContextProcessId, TargetProcessId)
// Create URLs for Process and Graph Explorers (pivot links for the analyst; the bracketed label is part of the string)
| extend ProcessExplorer = strcat("[ProcessExplorer]", rootURL, "investigate/process-explorer/", aid, "/", ContextId, "?_cid=", cid)
| extend GraphExplorer = strcat("[GraphExplorer]", rootURL, "graphs/process-explorer/graph?id=pid:", aid, ":", TargetProcessId)
// Format Execution Details for easy analysis
// One indented tree per event: grandparent -> parent -> process, then the first 100 chars of the command line and the two links.
| extend ExecutionSummary = strcat(
GrandParentBaseFileName, "\n\t↳ ", ParentBaseFileName, "[ppid=", ParentProcessId, "]\n\t\t↳ ",
ImageFileName, " [pid=", TargetProcessId, "|raw_pid=", RawProcessId, "|start=", processStart, "]\n\t\t\t",
substring(CommandLine, 0, 100), "[...TRIMMED]\n\t\t\t", ProcessExplorer, "\n\t\t\t", GraphExplorer, "\n---"
)
// Group by Source Host
// executeCount = matching process events per host; executionDetails keeps at most 1000 of them per host.
| summarize
executeCount = count(aid),
firstSeen = min(@timestamp),
lastSeen = max(@timestamp),
executionDetails = make_list(pack("UserName", UserName, "ExecutionSummary", ExecutionSummary,
"CommandLine", CommandLine, "ParentBaseFileName", ParentBaseFileName,
"ParentProcessId", ParentProcessId, "ImageFileName", ImageFileName,
"TargetProcessId", TargetProcessId), 1000)
by ComputerName
| extend firstSeen = format_datetime(firstSeen, "yyyy/MM/dd HH:mm:ss")
| extend lastSeen = format_datetime(lastSeen, "yyyy/MM/dd HH:mm:ss")
Hunting Query for Splunk (EDR)
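index=* sourcetype=* TERM("INetCache")
```Hunt: script interpreters / LOLBins (or explorer.exe children) whose command line references the per-user IE INetCache folder. TERM("INetCache") prunes the scan before the field filters run; narrow index=* sourcetype=* to the EDR index in production.```
(
(process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe")
AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*"))
OR
(parent_process_path="*explorer.exe"
AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
)
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
```Normalize hex PIDs ("0x...") to decimal and pass other values through unchanged, matching the Sysmon and WinEventLog variants of this hunt. The earlier case() had no default branch, so any non-hex PID became null and vanished from parentProcessIds/processIds.```
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(parent_process_id, 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(process_id, 16), process_id)
```One row per (process_path, hostname); values() de-duplicates, so the raw and normalized PID lists are both kept for correlation.```
| stats
values(_time) as eventTimes,
values(parent_process_path) as parentProcessPaths,
values(process_cmdline) as commandLines,
values(parent_process_id) as rawParentProcessIds,
values(parentProcessID) as parentProcessIds,
values(process_id) as rawProcessIds,
values(processID) as processIds,
count
by process_path, hostname
| convert ctime(eventTimes)
| sort eventTimes asc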
Hunting Query for Splunk (Endpoint - Sysmon)
index=* sourcetype=* TERM("INetCache")
```Hunt: script interpreters / LOLBins (or explorer.exe children) whose command line references the per-user IE INetCache folder. TERM("INetCache") prunes the scan before the field filters run; narrow index=* sourcetype=* to the Sysmon index in production.```
(
(process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe")
AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*"))
OR
(parent_process_path="*explorer.exe"
AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
)
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
```Normalize hex PIDs ("0x...") to decimal; other values pass through unchanged.```
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(parent_process_id, 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(process_id, 16), process_id)
```One row per (process_path, hostname); values() de-duplicates, so the raw and normalized PID lists are both kept for correlation.```
| stats
values(_time) as eventTimes,
values(parent_process_path) as parentProcessPaths,
values(process_cmdline) as commandLines,
values(parent_process_id) as rawParentProcessIds,
values(parentProcessID) as parentProcessIds,
values(process_id) as rawProcessIds,
values(processID) as processIds,
count
by process_path, hostname
| convert ctime(eventTimes)
| sort eventTimes asc
Hunting Query for Splunk (Endpoint - WinEventLog)
index=* sourcetype=* TERM("INetCache")
```Hunt: script interpreters / LOLBins (or explorer.exe children) whose command line references the per-user IE INetCache folder. TERM("INetCache") prunes the scan before the field filters run; narrow index=* sourcetype=* to the Windows event-log index in production.```
(
(process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe")
AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*"))
OR
(parent_process_path="*explorer.exe"
AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
)
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
```Normalize hex PIDs ("0x...") to decimal; other values pass through unchanged.```
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(parent_process_id, 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(process_id, 16), process_id)
```One row per (process_path, hostname); values() de-duplicates, so the raw and normalized PID lists are both kept for correlation.```
| stats
values(_time) as eventTimes,
values(parent_process_path) as parentProcessPaths,
values(process_cmdline) as commandLines,
values(parent_process_id) as rawParentProcessIds,
values(parentProcessID) as parentProcessIds,
values(process_id) as rawProcessIds,
values(processID) as processIds,
count
by process_path, hostname
| convert ctime(eventTimes)
| sort eventTimes asc
Hunting Query for Crowdstrike (LogScale, XDR)
// Cyborg Hunter Link: https://hunter.cyborgsecurity.io/research/hunt-package/43542c5b-f282-4834-8602-ab2d076359c2
// Hunt: process creations where a script interpreter/LOLBin (or an explorer.exe child) references a file under the
// per-user IE INetCache folder on its command line; one summary row per host with pivot links into the Falcon console.
event_platform=Win
| in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"])
// Branch 1: cmd/wscript/powershell/rundll32/mshta with a script-like extension (.js .hta .bat .cmd .ps1 .vbs) on the command line.
// Branch 2: explorer.exe child whose command line references .iso/.scr or a "].exe" token.
// NOTE(review): confirm the `field=~ /regex/i` form parses; the documented LogScale forms are `field=/regex/i` and `field=~regex(...)`.
| (
FileName=~ /(cmd|wscript|powershell|rundll32|mshta)\.exe/i
AND CommandLine=~ /\.(js|hta|bat|cmd|ps1|vbs)/i
)
OR
(
ParentBaseFileName="explorer.exe"
AND CommandLine=~ /\.(iso|scr)|\]\.exe/i
)
// Required anchor: the referenced file lives under the per-user IE INetCache directory.
| CommandLine=~ /AppData\\Local\\Microsoft\\Windows\\INetCache\\IE/i
// The grandparent is absent on some events; label it so the summary tree still renders.
| default(field=GrandParentBaseFileName, value="Unknown")
// Define base URL for process and graph explorer links (US-2 Falcon cloud; change to match your tenant's cloud)
| rootURL := "https://falcon.us-2.crowdstrike.com/"
// Standardize Process Start Time
| ProcessStartTime := round(ProcessStartTime)
| processStart := formattime(field=ProcessStartTime, format="%m/%d %H:%M:%S")
// Determine Context Process ID: prefer ContextProcessId, fall back to TargetProcessId
// NOTE(review): confirm the `!= "*"` tests; if "*" is treated as a glob here, `!= "*"` is true when the
// field is absent, the inverse of "if available".
| case{
ContextProcessId != "*" | ContextId := ContextProcessId;
TargetProcessId != "*" | ContextId := TargetProcessId
}
// Generate Process and Graph Explorer URLs (pivot links for the analyst; the bracketed label is part of the string)
| format(
"[ProcessExplorer]%sinvestigate/process-explorer/%s/%s?_cid=%s",
field=["rootURL", "aid", "ContextId", "cid"],
as="ProcessExplorer"
)
| format(
"[GraphExplorer]%sgraphs/process-explorer/graph?id=pid:%s:%s",
field=["rootURL", "aid", "TargetProcessId"],
as="GraphExplorer"
)
// Format Execution Summary
// One indented tree per event: grandparent -> parent -> process, the command line cut to 100 chars, then the two links.
// NOTE(review): confirm format() accepts the "%,.100s" conversion; the intent is the 100-character truncation.
| format(
"%s\n\t↳ %s [ppid=%s]\n\t\t↳ %s [pid=%s | raw_pid=%s | start=%s]\n\t\t\t%,.100s [...TRIMMED]\n\t\t\t%s\n\t\t\t%s\n---",
field=[
GrandParentBaseFileName, ParentBaseFileName, ParentProcessId,
ImageFileName, TargetProcessId, RawProcessId, processStart,
CommandLine, ProcessExplorer, GraphExplorer
],
as="ExecutionSummary"
)
// Grouping by Source Host
// executeCount = matching process events per host; collect() keeps at most 1000 event records per host.
| groupBy(
[ComputerName],
function=([
count(aid, as=executeCount),
min(@timestamp, as=firstSeen),
max(@timestamp, as=lastSeen),
collect([
UserName, ExecutionSummary, CommandLine,
ParentBaseFileName, ParentProcessId,
ImageFileName, TargetProcessId
], limit=1000)
])
)
// Format timestamps
| firstSeen := formattime(field=firstSeen, format="%Y/%m/%d %H:%M:%S")
| lastSeen := formattime(field=lastSeen, format="%Y/%m/%d %H:%M:%S")
Hunting Query for SentinelOne (EDR)
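EventType = "Process Creation"
AND (
(
SrcProcName In AnyCase ("cmd.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "wscript.exe")
AND SrcProcCmdLine In Contains AnyCase (".js", ".hta", ".bat", ".cmd", ".ps1", ".vbs")
)
OR
(
(
SrcProcCmdLine In Contains AnyCase (".iso", ".scr")
OR SrcProcCmdLine EndsWith AnyCase ".exe"
OR SrcProcCmdLine EndsWith AnyCase ".exe\""
)
AND SrcProcParentName EndsWith AnyCase "explorer.exe"
)
)
AND SrcProcCmdLine Contains AnyCase "AppData\Local\Microsoft\Windows\INetCache\IE"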
Hunting Query for Microsoft Defender
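// Hunt: script interpreters / LOLBins (or explorer.exe children) launched with a command line that
// references the per-user IE INetCache folder; one row per process event, oldest first.
DeviceProcessEvents
| where (
    // Branch 1: interpreter binaries whose command line carries a script-like extension.
    // FileName in~ replaces FolderPath has_any, and matches regex replaces has_any on the extensions:
    // `has` is term-based (punctuation splits terms), so has_any (".js", ".cmd", ...) reduced to
    // "contains the term js/cmd/..." and ".cmd" matched any command line carrying the term cmd, cmd.exe's own image name included.
    (FileName in~ ("cmd.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "mshta.exe")
    and ProcessCommandLine matches regex @"(?i)\.(js|hta|bat|cmd|ps1|vbs)")
    or
    // Branch 2: explorer.exe children referencing .iso/.scr, or a command line ending in .exe (bare or quoted),
    // mirroring the SentinelOne and Splunk variants of this hunt; has_any (".exe\"") had degraded to the bare term "exe".
    (InitiatingProcessFileName endswith "explorer.exe"
    and (ProcessCommandLine matches regex @"(?i)\.(iso|scr)"
         or ProcessCommandLine endswith ".exe"
         or ProcessCommandLine endswith ".exe\""))
)
// Required anchor: the IE INetCache path ("\\" is one backslash in a Kusto double-quoted literal).
| where ProcessCommandLine contains "AppData\\Local\\Microsoft\\Windows\\INetCache\\IE"
| project Timestamp, DeviceName, ActionType, AccountName, AccountDomain, FileName, FolderPath, ProcessId,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName,
InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName,
ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion,
ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName,
ProcessVersionInfoFileDescription, FileSize, SHA256, DeviceId, ReportId
| order by Timestamp asc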
Hunting Query for Carbon Black
(
  (
    (process_name:cmd.exe OR process_name:wscript.exe OR process_name:powershell.exe OR process_name:rundll32.exe OR process_name:mshta.exe)
    AND (process_cmdline:.js OR process_cmdline:.hta OR process_cmdline:.bat OR process_cmdline:.cmd OR process_cmdline:.ps1 OR process_cmdline:.vbs)
  )
  OR (parent_name:explorer.exe AND (process_cmdline:.iso OR process_cmdline:.scr))
)
AND process_cmdline:AppData\\Local\\Microsoft\\Windows\\INetCache\\IE


Get Hunting Access (Free)
Want to go deeper than the blog version?
Snag a free HUNTER471 community account here:
👉 intel471.com/lp/hunter-community-access