A string of cyber-attacks targeting government and military entities in the APAC region has been attributed to a new APT group, tracked as both Dark Pink and Saaiwc Group. Security researchers at Group-IB indicate that the actor’s goals are to steal browser data, gain access to messengers, exfiltrate documents, and capture audio from the microphone. Dark Pink has carried out at least seven successful attacks since June 2022, including attacks on military organizations in Malaysia and the Philippines, government organizations in Cambodia and Indonesia, and a religious organization in Vietnam, among others.
Dark Pink gains initial access through a phishing email, posing as a job application, that carries an ISO attachment. After this initial compromise, the group varies its attack chain depending on the target. Group-IB observed multiple variations of the chain, including:
- An ISO file containing a decoy document, a signed executable, and a malicious DLL; the signed executable side-loads the DLL, which deploys two custom information stealers (Ctealer and Cucky). In the next stage, a registry implant known as TelePowerBot is dropped.
- A DOC file (itself inside an ISO file) containing a template that fetches a malicious macro from GitHub. The macro is tasked with loading TelePowerBot and performing registry changes.
- A chain identical to the first, but deploying the custom malware KamiKakaBot rather than TelePowerBot.
Cucky and Ctealer are custom information stealers written in .NET and C++, respectively. Both serve the same purpose: locating and extracting passwords, browsing history, saved logins, and cookies from a long list of web browsers. TelePowerBot is a registry implant, launched by a script at system boot, that lets the operator execute PowerShell commands remotely via a Telegram channel. KamiKakaBot is the .NET counterpart of TelePowerBot, with additional information-stealing capabilities such as harvesting data from Firefox and Chrome-based browsers. The group also makes use of an unnamed script that records microphone audio every minute, a messenger-data exfiltration tool known as ZMsg, and exploits for several vulnerabilities.
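The two TelePowerBot behaviours described above (a registry-based autorun that launches PowerShell at boot, and PowerShell tasking over Telegram) are cheap to hunt for in endpoint telemetry. The following is an added example written for this page, not code from Group-IB or from the malware: it runs three hunting rules over constructed Sysmon-style events (registry value set, process create, network connection) and then correlates hits per host. It assumes the persistence lives under a `CurrentVersion\Run` key and that tasking reaches `api.telegram.org`; the page names Telegram as the channel but specifies neither the key nor the host, so both are assumptions.

```python
"""Hunt for TelePowerBot-style tradecraft in Sysmon-like events.

Rules (all assumptions, not indicators published on the page):
  autorun_powershell          - Run/RunOnce value whose data launches PowerShell with implant-style flags
  powershell_to_telegram      - powershell.exe/pwsh.exe connecting to the Telegram Bot API host
  suspicious_powershell_launch- PowerShell started hidden / encoded / with policy bypass
"""
import re

# Constructed sample events, loosely modelled on Sysmon event IDs 13, 3 and 1.
# None of this is real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -w hidden -enc SQBFAFgA"},            # implant-style autorun
    {"EventID": 13, "Computer": "WS01",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe /background"},       # benign autorun
    {"EventID": 3, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},  # PowerShell -> Bot API
    {"EventID": 3, "Computer": "WS02",
     "Image": r"C:\Users\alice\AppData\Local\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},  # legitimate client
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc SQBFAFgA"},
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
POWERSHELL = re.compile(r"powershell(\.exe)?|pwsh(\.exe)?", re.IGNORECASE)
# Flags that are rare in legitimate autoruns but typical of PowerShell implants.
SUSPICIOUS_FLAGS = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-exec\w*\s+bypass|-nop\w*",
    re.IGNORECASE)
TELEGRAM_API_HOST = "api.telegram.org"   # assumption: Bot API endpoint used for tasking


def is_autorun_powershell(event):
    """Registry value under Run/RunOnce whose data launches PowerShell with implant flags."""
    if event.get("EventID") != 13:
        return False
    target, data = event.get("TargetObject", ""), event.get("Details", "")
    return bool(AUTORUN_KEY.search(target)
                and POWERSHELL.search(data)
                and SUSPICIOUS_FLAGS.search(data))


def is_powershell_to_telegram(event):
    """PowerShell itself (not a Telegram client) talking to the Bot API host."""
    if event.get("EventID") != 3:
        return False
    image = event.get("Image", "").rsplit("\\", 1)[-1]
    return (POWERSHELL.fullmatch(image) is not None
            and event.get("DestinationHostname", "").lower() == TELEGRAM_API_HOST)


def is_suspicious_powershell_launch(event):
    """Process creation of PowerShell with hidden window, encoded command or policy bypass."""
    if event.get("EventID") != 1:
        return False
    cmd = event.get("CommandLine", "")
    return bool(POWERSHELL.search(cmd) and SUSPICIOUS_FLAGS.search(cmd))


RULES = {
    "autorun_powershell": is_autorun_powershell,
    "powershell_to_telegram": is_powershell_to_telegram,
    "suspicious_powershell_launch": is_suspicious_powershell_launch,
}


def hunt(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def hosts_with_multiple_rules(events):
    """Hosts where at least two distinct rules fired: the combination of boot-time
    persistence and Telegram tasking is far stronger evidence than either alone."""
    per_host = {}
    for name, ev in hunt(events):
        per_host.setdefault(ev.get("Computer", "?"), set()).add(name)
    return {host: sorted(names) for host, names in per_host.items() if len(names) >= 2}


def summarize(events=SAMPLE_EVENTS):
    """Rule names that fired, in event order."""
    return [name for name, _ in hunt(events)]


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{ev['Computer']}: {name}")
    print("correlated:", hosts_with_multiple_rules(SAMPLE_EVENTS))
```

On real telemetry, the Telegram rule needs an allow-list for the desktop client (shown as the WS02 event), and the autorun rule should also cover the other boot-time launch points (startup folders, scheduled tasks, services) since the page only says the implant starts "via a script at system boot".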