DarkCasino: New Emerging APT Threat

Protect your financial assets with platform-specific hunting queries

DarkCasino is an emerging APT threat group actively targeting online trading platforms worldwide. This sophisticated actor specializes in stealing credentials to drain victims' accounts across multiple financial sectors including cryptocurrencies, online casinos, banking, and credit platforms. If you're interested in deeper threat intelligence on this group, you can sign up for a free HUNTER471 community account today: intel471.com/lp/hunter-community-access

Industry: Crypto trading platforms, online casinos, network banks & online credit platforms

CVEs: CVE-2024-21412, CVE-2023-38831

DarkCasino, also known as Water Hydra, has been a significant player in 2024, targeting financial institutions with advanced tactics. Key methods include exploiting CVE-2024-21412 (Microsoft Defender SmartScreen) and abusing WebDAV to execute remote commands, escalate privileges, and maintain stealth.

Behavioral Hunts:

• The Abnormal Execution of WebDAV DLL via Rundll32
• Windows cmd Launching Script Interpreter
• 7z Password Protected Archive Accessed

‍

‍

Detect DarkCasino Activities

// Cyborg Hunter Link: https://hunter.cyborgsecurity.io/research/hunt-package/43542c5b-f282-4834-8602-ab2d076359c2

event_platform = "Win"
| where event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
// Filtering processes that execute suspicious scripts or files
| where (FileName matches regex "(?i)(cmd|wscript|powershell|rundll32|mshta)\.exe" 
        and CommandLine matches regex "\.(js|hta|bat|cmd|ps1|vbs)") 
    or (ParentBaseFileName == "explorer.exe" 
        and CommandLine matches regex "\.(iso|scr)|\]\.exe")
| where CommandLine matches regex "AppData\\Local\\Microsoft\\Windows\\INetCache\\IE"
// Assign default value for GrandParentBaseFileName if missing
| extend GrandParentBaseFileName = iff(isempty(GrandParentBaseFileName), "Unknown", GrandParentBaseFileName)
// Base URL for process and graph explorer links
| let rootURL = "https://falcon.us-2.crowdstrike.com/"
// Normalize ProcessStartTime
| extend ProcessStartTime = round(ProcessStartTime)
| extend processStart = format_datetime(ProcessStartTime, "MM/dd HH:mm:ss")
// Use Context Process ID if available, otherwise use Target Process ID
| extend ContextId = iff(isnotempty(ContextProcessId), ContextProcessId, TargetProcessId)
// Create URLs for Process and Graph Explorers
| extend ProcessExplorer = strcat("[ProcessExplorer]", rootURL, "investigate/process-explorer/", aid, "/", ContextId, "?_cid=", cid)
| extend GraphExplorer = strcat("[GraphExplorer]", rootURL, "graphs/process-explorer/graph?id=pid:", aid, ":", TargetProcessId)
// Format Execution Details for easy analysis
| extend ExecutionSummary = strcat(
    GrandParentBaseFileName, "\n\t↳ ", ParentBaseFileName, "[ppid=", ParentProcessId, "]\n\t\t↳ ", 
    ImageFileName, " [pid=", TargetProcessId, "|raw_pid=", RawProcessId, "|start=", processStart, "]\n\t\t\t", 
    substring(CommandLine, 0, 100), "[...TRIMMED]\n\t\t\t", ProcessExplorer, "\n\t\t\t", GraphExplorer, "\n---"
)
// Group by Source Host
| summarize 
    executeCount = count(aid), 
    firstSeen = min(@timestamp), 
    lastSeen = max(@timestamp), 
    executionDetails = make_list(pack("UserName", UserName, "ExecutionSummary", ExecutionSummary, 
                                      "CommandLine", CommandLine, "ParentBaseFileName", ParentBaseFileName, 
                                      "ParentProcessId", ParentProcessId, "ImageFileName", ImageFileName, 
                                      "TargetProcessId", TargetProcessId), 1000) 
    by ComputerName
| extend firstSeen = format_datetime(firstSeen, "yyyy/MM/dd HH:mm:ss")
| extend lastSeen = format_datetime(lastSeen, "yyyy/MM/dd HH:mm:ss")

Hunting Query for Splunk (EDR)

index=* sourcetype=* TERM("INetCache") 
(
    (process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe") 
     AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*")) 
    OR 
    (parent_process_path="*explorer.exe" 
     AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
) 
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
| eval parentProcessID = case(parent_process_id like "%x%", tonumber(parent_process_id, 16))
| eval processID = case(process_id like "%x%", tonumber(process_id, 16))
| stats 
    values(_time) as eventTimes, 
    values(parent_process_path) as parentProcessPaths, 
    values(process_cmdline) as commandLines, 
    values(parent_process_id) as rawParentProcessIds, 
    values(parentProcessID) as parentProcessIds, 
    values(process_id) as rawProcessIds, 
    values(processID) as processIds, 
    count 
    by process_path, hostname  
| convert ctime(eventTimes)
| sort eventTimes asc

Hunting Query for Splunk (Endpoint - Sysmon)

index=* sourcetype=* TERM("INetCache") 
(
    (process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe") 
     AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*")) 
    OR 
    (parent_process_path="*explorer.exe" 
     AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
) 
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(parent_process_id, 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(process_id, 16), process_id)
| stats 
    values(_time) as eventTimes, 
    values(parent_process_path) as parentProcessPaths, 
    values(process_cmdline) as commandLines, 
    values(parent_process_id) as rawParentProcessIds, 
    values(parentProcessID) as parentProcessIds, 
    values(process_id) as rawProcessIds, 
    values(processID) as processIds, 
    count 
    by process_path, hostname  
| convert ctime(eventTimes)
| sort eventTimes asc

Hunting Query for Splunk (Endpoint - WinEventLog)

index=* sourcetype=* TERM("INetCache") 
(
    (process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe") 
     AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*")) 
    OR 
    (parent_process_path="*explorer.exe" 
     AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
) 
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(parent_process_id, 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(process_id, 16), process_id)
| stats 
    values(_time) as eventTimes, 
    values(parent_process_path) as parentProcessPaths, 
    values(process_cmdline) as commandLines, 
    values(parent_process_id) as rawParentProcessIds, 
    values(parentProcessID) as parentProcessIds, 
    values(process_id) as rawProcessIds, 
    values(processID) as processIds, 
    count 
    by process_path, hostname  
| convert ctime(eventTimes)
| sort eventTimes asc

Hunting Query for Crowdstrike (LogScale, XDR)

// Cyborg Hunter Link: https://hunter.cyborgsecurity.io/research/hunt-package/43542c5b-f282-4834-8602-ab2d076359c2

event_platform=Win
| in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"])
| (
    FileName=~ /(cmd|wscript|powershell|rundll32|mshta)\.exe/i 
    AND CommandLine=~ /\.(js|hta|bat|cmd|ps1|vbs)/i
) 
OR 
(
    ParentBaseFileName="explorer.exe" 
    AND CommandLine=~ /\.(iso|scr)|\]\.exe/i
)  
| CommandLine=~ /AppData\\Local\\Microsoft\\Windows\\INetCache\\IE/i
| default(field=GrandParentBaseFileName, value="Unknown")

// Define base URL for process and graph explorer links
| rootURL := "https://falcon.us-2.crowdstrike.com/"

// Standardize Process Start Time
| ProcessStartTime := round(ProcessStartTime)
| processStart := formattime(field=ProcessStartTime, format="%m/%d %H:%M:%S")

// Determine Context Process ID
| case{
    ContextProcessId != "*" | ContextId := ContextProcessId; 
    TargetProcessId != "*" | ContextId := TargetProcessId
}

// Generate Process and Graph Explorer URLs
| format(
    "[ProcessExplorer]%sinvestigate/process-explorer/%s/%s?_cid=%s", 
    field=["rootURL", "aid", "ContextId", "cid"], 
    as="ProcessExplorer"
)
| format(
    "[GraphExplorer]%sgraphs/process-explorer/graph?id=pid:%s:%s", 
    field=["rootURL", "aid", "TargetProcessId"], 
    as="GraphExplorer"
)

// Format Execution Summary
| format(
    "%s\n\t↳ %s [ppid=%s]\n\t\t↳ %s [pid=%s | raw_pid=%s | start=%s]\n\t\t\t%,.100s [...TRIMMED]\n\t\t\t%s\n\t\t\t%s\n---",
    field=[
        GrandParentBaseFileName, ParentBaseFileName, ParentProcessId, 
        ImageFileName, TargetProcessId, RawProcessId, processStart, 
        CommandLine, ProcessExplorer, GraphExplorer
    ], 
    as="ExecutionSummary"
)

// Grouping by Source Host
| groupBy(
    [ComputerName], 
    function=([
        count(aid, as=executeCount), 
        min(@timestamp, as=firstSeen), 
        max(@timestamp, as=lastSeen), 
        collect([
            UserName, ExecutionSummary, CommandLine, 
            ParentBaseFileName, ParentProcessId, 
            ImageFileName, TargetProcessId
        ], limit=1000)
    ])
)

// Format timestamps
| firstSeen := formattime(field=firstSeen, format="%Y/%m/%d %H:%M:%S")
| lastSeen := formattime(field=lastSeen, format="%Y/%m/%d %H:%M:%S")

Hunting Query for SentinelOne (EDR)

EventType = "Process Creation"
AND (
    (
        SrcProcName In AnyCase ("cmd.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "wscript.exe") 
        AND SrcProcCmdLine In Contains AnyCase (".js", ".hta", ".bat", ".cmd", ".ps1", ".vbs")
    )  
    OR  
    (
        (
            SrcProcCmdLine In Contains AnyCase (".iso", ".scr")
            OR SrcProcCmdline EndsWith AnyCase ".exe"
            OR SrcProcCmdLine EndsWith AnyCase ".exe\""
        )
        AND SrcProcParentName EndsWith AnyCase "explorer.exe"
    )
)  
AND SrcProcCmdLine Contains AnyCase "AppData\Local\Microsoft\Windows\INetCache\IE"

Hunting Query for Microsoft Defender

DeviceProcessEvents
| where (
    (FolderPath has_any ("cmd.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "mshta.exe") 
        and ProcessCommandLine has_any (".js", ".hta", ".bat", ".cmd", ".ps1", ".vbs")) 
    or 
    (InitiatingProcessFileName endswith "explorer.exe" 
        and ProcessCommandLine has_any (".iso", ".exe\"", ".scr"))
)
| where ProcessCommandLine contains "AppData\\Local\\Microsoft\\Windows\\INetCache\\IE"
| project Timestamp, DeviceName, ActionType, AccountName, AccountDomain, FileName, FolderPath, ProcessId, 
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, 
          InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, 
          InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
          ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, 
          ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, 
          ProcessVersionInfoFileDescription, FileSize, SHA256, DeviceId, ReportId
| order by Timestamp asc

Hunting Query for Carbon Black

(((((process_name:cmd.exe OR 
      process_name:wscript.exe OR 
      process_name:powershell.exe OR 
      process_name:rundll32.exe OR 
      process_name:mshta.exe) 
    AND 
      (process_cmdline:.js OR 
       process_cmdline:.hta OR 
       process_cmdline:.bat OR 
       process_cmdline:.cmd OR 
       process_cmdline:.ps1 OR 
       process_cmdline:.vbs)) 
  OR 
    (parent_name:explorer.exe 
    AND 
      (process_cmdline:.iso OR 
       process_cmdline:.scr))) 
  AND 
    process_cmdline:AppData\\Local\\Microsoft\\Windows\\INetCache\\IE))

Hear all about the latest threat actor behaviors and practical detection strategies

Watch this episode of the Detection Dispatch, as Alex and Lee Archinal from Intel 471 to dive deep into 12 significant emerging threats observed in late 2024. Learn how to leverage Intel 471's hunting packages across major EDR platforms and understand the critical intersection between threat hunting and detection engineering.