Full Report
Water Hydra group (AKA DarkCasino), whose activity was first detected in 2021, is known for their cyberattacks targeting the financial industry globally, including banks, cryptocurrency platforms, and gambling sites. Initially confused with the Evilnum APT group, Water Hydra w...
Analysis Summary
# Threat Actor: Water Hydra
## Attribution & Identity
* **Actor Identification:** Water Hydra group
* **Aliases:** DarkCasino
* **Associated Groups:** Initially confused with the Evilnum APT group, but recognized as a distinct entity by November 2023.
## Activity Summary
Water Hydra has been active since 2021 and conducts cyberattacks primarily against the financial industry worldwide. Recent activity highlighted involvement in a new campaign exploiting the **CVE-2024-21412** vulnerability in Windows SmartScreen to deliver malware. Previously, they were noted for using a WinRAR vulnerability (**CVE-2023-38831**) in attacks targeting stock traders.
## Tactics, Techniques & Procedures
- Exploiting 1-day and 0-day vulnerabilities for initial access and end-user compromise.
- Utilizing spearphishing campaigns.
- Distributing malicious files disguised as images via `.url` files to bypass security controls.
- Leveraging compromised websites to host malicious links.
- Observed impact includes data exfiltration.
- **Observed Techniques:** Phishing, Vulnerability exploitation.
- **Targeted Technologies:** Windows SmartScreen, Windows Defender.
## Targeting
* **Sectors:** Financial Industry (banks, cryptocurrency platforms, gambling sites, and stock traders).
* **Geography:** Global.
* **Victims:** Stock traders are specifically mentioned as previous targets.
## Tools & Infrastructure
* **Malware Families Used:** DarkMe.
* **Infrastructure:** Distribution leveraged malicious links hosted on compromised websites, delivered through spearphishing on forums and stock trading Telegram channels.
## Implications
Water Hydra demonstrates an ability to rapidly incorporate newly available or recently patched vulnerabilities (like CVE-2024-21412) into their established playbook, allowing them to bypass modern endpoint security protections like Windows SmartScreen during initial compromise against high-value financial sector targets.
## Mitigations
- Ensure prompt patching of known vulnerabilities, particularly those affecting client-side security components such as Microsoft SmartScreen (e.g., applying the fix for CVE-2024-21412).
- Educate end-users on identifying and avoiding suspicious URLs and files distributed via social engineering vectors (forums, Telegram).
- Implement stricter controls on the execution of downloaded files, especially non-standard file types used for masquerading (e.g., `.url` files).
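As an added defensive example (not code from the original report or from any vendor mentioned in it), the following Python script triages Internet Shortcut (`.url`) files for the masquerading pattern described under Tactics, Techniques & Procedures and addressed by the last mitigation: an image-like filename wrapped in a `.url` extension, a shortcut whose target is a `file://` or UNC path rather than a web URL, or a target that names executable content. The indicator set, the helper names (`parse_url_file`, `triage`, `triage_all`) and the sample shortcut contents (including the documentation-range address 203.0.113.10) are assumptions constructed for illustration, not indicators from the report.

```python
"""Triage Internet Shortcut (.url) files for masquerading indicators.

Added example, not part of the original report. The indicators below are an
assumed reading of ".url files disguised as images"; all sample data is constructed.
"""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
EXEC_EXTS = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd", ".ps1",
             ".js", ".vbs", ".hta", ".url", ".lnk"}


@dataclass
class Finding:
    filename: str
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None if absent.

    .url files are INI-formatted; a UTF-8 BOM is stripped so the section header parses.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in cp.sections():
        # configparser lowercases option names, so "URL" is looked up as "url"
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip()
    return None


def inner_extensions(name: str) -> List[str]:
    """All dotted suffixes of a filename, lowercased: 'a.jpg.url' -> ['.jpg', '.url']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(filename: str, content: str) -> Finding:
    """Apply the (assumed) masquerading indicators to one shortcut file."""
    target = parse_url_file(content)
    finding = Finding(filename=filename, target=target or "")
    exts = inner_extensions(filename)

    # Indicator 1: image extension hidden behind the .url suffix (photo.jpg.url)
    if len(exts) >= 2 and exts[-1] == ".url" and any(e in IMAGE_EXTS for e in exts[:-1]):
        finding.reasons.append("image extension masked by .url")

    if target is None:
        finding.reasons.append("no [InternetShortcut] URL= value")
        return finding

    parsed = urlparse(target)
    scheme = parsed.scheme.lower()

    # Indicator 2: shortcut points at a file share instead of a web URL
    if scheme == "file" or target.startswith("\\\\"):
        finding.reasons.append("target is a file:// or UNC path")

    # Indicator 3: the target's own filename carries an executable/shortcut extension
    path = parsed.path if scheme else target
    tail = path.replace("\\", "/").rsplit("/", 1)[-1]
    if any(e in EXEC_EXTS for e in inner_extensions(tail)):
        finding.reasons.append("target names executable or shortcut content")
    return finding


# Constructed samples; these are not indicators from the report.
SAMPLES: Dict[str, str] = {
    "quarterly_chart.jpg.url":
        "[InternetShortcut]\r\nURL=file://203.0.113.10/share/quarterly_chart.jpg.exe\r\n",
    "readme.url": "[InternetShortcut]\nURL=https://example.com/docs/readme.html\n",
    "empty.url": "[Other]\nfoo=bar\n",
}


def triage_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Finding]:
    """Triage every (filename, content) pair and return the findings by filename."""
    return {name: triage(name, body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, finding in triage_all().items():
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{verdict:10} {name} -> {finding.target or '(none)'}")
        for reason in finding.reasons:
            print(f"           - {reason}")
```

In practice `triage_all` would be fed the contents of `.url` files found in download directories or mail attachment stores; a hit on any indicator is a reason to hold the file for review rather than let the user open it, which is the control the last mitigation calls for.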