A string of cyber-attacks targeting government and military entities in the APAC region has been attributed to a new APT group, tracked as both Dark Pink and Saaiwc Group. Security researchers at Group-IB indicate that the actor’s goals are to steal browser data, gain access to messengers, exfiltrate documents, and capture audio from the victim’s microphone. Dark Pink has launched at least seven successful attacks since June 2022, including attacks on military organizations in Malaysia and the Philippines, government organizations in Cambodia and Indonesia, and a religious organization in Vietnam, among others.
Dark Pink achieves initial access using an ISO attachment in a phishing email masquerading as a job application. After this initial compromise, the group varies its attack chain depending on the target. Group-IB observed multiple variations in the attack chain, including:
- An ISO file containing a decoy document, a signed executable, and a malicious DLL; the DLL is loaded via DLL side-loading and deploys two custom information stealers (Ctealer/Cucky). In the next stage, a registry implant known as TelePowerBot is dropped.
- A DOC file inside an ISO file; the document’s template fetches a malicious macro from GitHub, and the macro is tasked with loading TelePowerBot and performing registry changes.
- An attack chain identical to the first, but using the custom malware “KamiKakaBot” rather than TelePowerBot.
Cucky and Ctealer are custom information stealers written in .NET and C++, respectively. Both serve the same purpose: locating and extracting passwords, browsing history, saved logins, and cookies from a long list of web browsers. TelePowerBot is a registry implant, launched by a script at system boot, that allows remote execution of PowerShell commands via a Telegram channel. KamiKakaBot is the .NET version of TelePowerBot, with additional information-stealing features such as harvesting data from Firefox and Chrome-based browsers. The group also makes use of an unnamed script that records sound through the microphone every minute, a messenger exfiltration tool known as ZMsg, and exploits for several vulnerabilities.
While this threat actor has been seen making use of custom malware, Dark Pink, like most threat actors, still relies on phishing to gain initial access to an environment. Phishing is one of the most prominent tactics used by threat actors, with the frequency and volume of phishing-related attacks rising every year. To protect against phishing, it is recommended to provide sufficient user training and education, as well as to implement an email security solution that monitors inbound mail. Potential rules could include flagging any email whose sender domain appears in a reliable threat feed or uses a suspicious top-level domain. However, there are numerous other ways that an enterprise could detect a threat actor such as this. Potential measures include monitoring ISO mounts, limiting which users can mount ISO files, monitoring for commands that reach out to external sites, and watching for other signs of reconnaissance or data exfiltration.
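The detection measures in the last paragraph can be expressed as a correlation over endpoint telemetry. The following is an added example (not code from the article or from Group-IB) that ties together the chain described above: an ISO written to disk, a signed executable launched by Explorer from the mounted image, an unsigned DLL side-loaded from the same drive, and a subsequent call-out to Telegram. The log lines are constructed, Sysmon-like key=value records, and the field names, user names and file names are assumptions made for the example.

```python
# Added example, not from the article or Group-IB: correlation logic for the
# Dark Pink-style chain (ISO drop -> EXE from mounted image -> unsigned DLL
# -> Telegram call-out). Log lines are constructed, Sysmon-like records.
import re
from collections import defaultdict

SAMPLE_LOG = r"""
EventID=11 User=CORP\jsmith Image=C:\Program Files\Outlook\outlook.exe TargetFilename=C:\Users\jsmith\Downloads\cv.iso
EventID=1 User=CORP\jsmith Image=E:\Resume.exe ParentImage=C:\Windows\explorer.exe Signed=true
EventID=7 User=CORP\jsmith Image=E:\Resume.exe ImageLoaded=E:\helper.dll Signed=false
EventID=3 User=CORP\jsmith Image=E:\Resume.exe DestinationHostname=api.telegram.org
EventID=1 User=CORP\akim Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe Signed=true
"""

# Split "Key=value" pairs; values may contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse(line):
    return dict(FIELD_RE.findall(line))

def is_mounted_image_path(path, system_drive="C:"):
    # Assumption: execution from any drive letter other than the system drive
    # is a candidate mounted image (ISO/VHD); tune for hosts with extra volumes.
    return len(path) > 2 and path[1] == ":" and path[:2].upper() != system_drive.upper()

def detect_iso_sideload(log_text):
    """Return {user: stages} for users showing all three core stages (iso, exe,
    dll); a later network connection by that EXE is recorded as 'c2'."""
    state = defaultdict(lambda: {"iso": None, "exe": None, "dll": None, "c2": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        s = state[e.get("User")]
        eid = e.get("EventID")
        if eid == "11" and e.get("TargetFilename", "").lower().endswith(".iso"):
            s["iso"] = e["TargetFilename"]
        elif eid == "1" and is_mounted_image_path(e.get("Image", "")) \
                and e.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            s["exe"] = e["Image"]
        elif eid == "7" and s["exe"] and e.get("Signed", "").lower() == "false" \
                and e.get("ImageLoaded", "")[:2].upper() == s["exe"][:2].upper():
            s["dll"] = e["ImageLoaded"]
        elif eid == "3" and s["dll"] and e.get("Image") == s["exe"]:
            s["c2"] = e.get("DestinationHostname")
    return {u: s for u, s in state.items() if s["iso"] and s["exe"] and s["dll"]}

if __name__ == "__main__":
    for user, stages in detect_iso_sideload(SAMPLE_LOG).items():
        print(user, stages)
```

Only users for whom every core stage is present are reported, so a lone ISO download or a program run from a USB drive does not fire on its own.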