
New Dark Pink APT group targets govt and military with custom malware

By Bill Toulas
January 11, 2023
Reading Time: 4 mins read

Attacks targeting government agencies and military bodies in multiple countries in the APAC region have been attributed to what appears to be a new advanced threat actor that leverages custom malware to steal confidential information.

Security researchers refer to this group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), noting that it employs uncommon tactics, techniques, and procedures (TTPs).

The custom toolkit observed in the attacks can be used to steal information and spread malware via USB drives. The actor used DLL side-loading and event-triggered execution methods to run its payloads on compromised systems.

A report published by cybersecurity company Group-IB says that the threat actor’s goal is to steal information from the victim’s browsers, gain access to messengers, exfiltrate documents, and capture audio from the infected device microphone.

Considered an advanced persistent threat (APT), Dark Pink has launched at least seven successful attacks between June and December 2022.

Overview of Dark Pink activities (Group-IB)

Initial compromise

Dark Pink’s typical initial attack vector is spear-phishing emails disguised as job applications, which tricked the victim into downloading a malicious ISO image file. Beyond this step, Group-IB saw multiple variations in the attack chain.


One of them used an all-inclusive ISO file storing a decoy document, a signed executable, and a malicious DLL file, which led to deploying one of the two custom information stealers used by the group (Ctealer or Cucky) via DLL side-loading. In the next stage, a registry implant called TelePowerBot would be dropped.

Another attack chain uses a Microsoft Office document (.DOC) inside an ISO file. When the victim opens the file, a template with a malicious macro is fetched from GitHub, tasked with loading TelePowerBot and performing Windows registry changes.

A third attack chain observed in December 2022 was identical to the first one. However, instead of loading TelePowerBot, the malicious ISO file and the DLL side-loading technique load another custom malware that researchers call KamiKakaBot, designed to read and execute commands.

Third and most recent attack chain (Group-IB)

Custom malware

Cucky and Ctealer are custom info-stealers written in .NET and C++, respectively. Both attempt to locate and extract passwords, browsing history, saved logins, and cookies from a long list of web browsers: Chrome, Microsoft Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser.

Cucky stealer code (Group-IB)

TelePowerBot is a registry implant that launches via a script at system boot and connects to a Telegram channel from where it receives PowerShell commands to execute.

“During infection, the threat actors execute several standard commands (e.g. net share, Get-SmbShare) to determine what network resources are connected to the infected device. If network disk usage is found, they will begin exploring this disk to find files that may be of interest to them and potentially exfiltrate them” – Group-IB

In general, the commands can start simple console tools or complex PowerShell scripts that enable lateral movement via USB removable drives.

KamiKakaBot is the .NET version of TelePowerBot, which also comes with information stealing capabilities, targeting data stored in Chrome-based and Firefox browsers.

KamiKakaBot malware code (Group-IB)

In addition to these tools, Dark Pink also uses a script to record sound through the microphone every minute. The data is saved as a ZIP archive in the Windows temporary folder before it is exfiltrated to the Telegram bot.

Similarly, the threat actor uses a dedicated messenger exfiltration utility named ZMsg, downloaded from GitHub. The utility steals communications from Viber, Telegram, and Zalo and stores them in “%TEMP%KoVosRLvmU” until they are exfiltrated.
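The behaviours described above (share enumeration with net share / Get-SmbShare, tasking and exfiltration over Telegram, and the ZMsg staging directory under the user's temp folder) are observable on the endpoint. The following hunt script is an added example, not code from the article or from Group-IB: it reads constructed JSON-lines telemetry (the field names are an assumption, not any product's schema), and flags a host when share discovery is followed within a time window by traffic to the Telegram Bot API host (api.telegram.org, which the article does not name; it only says "Telegram"), or when a file is written under a Temp\KoVosRLvmU directory (the article gives the path as %TEMP%KoVosRLvmU; treating it as a directory directly under %TEMP% is an assumption).

```python
"""Hunt for Dark Pink-style post-compromise behaviour in endpoint telemetry.

Added example: log format, field names and sample events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (JSON lines), one event per line.
# ws-17 shows the full pattern, ws-03 only benign-looking share admin,
# ws-09 only Telegram traffic.
SAMPLE_EVENTS = r"""
{"ts": "2022-12-01T09:00:00", "host": "ws-17", "type": "process", "cmdline": "powershell.exe -nop -w hidden -c Get-SmbShare"}
{"ts": "2022-12-01T09:00:05", "host": "ws-17", "type": "process", "cmdline": "net share"}
{"ts": "2022-12-01T09:01:10", "host": "ws-17", "type": "network", "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": "2022-12-01T09:02:00", "host": "ws-17", "type": "file", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\KoVosRLvmU\\viber.db"}
{"ts": "2022-12-01T10:00:00", "host": "ws-03", "type": "process", "cmdline": "net share"}
{"ts": "2022-12-01T14:30:00", "host": "ws-03", "type": "network", "dest_host": "update.example.com", "dest_port": 443}
{"ts": "2022-12-01T11:00:00", "host": "ws-09", "type": "network", "dest_host": "api.telegram.org", "dest_port": 443}
"""

# Share-discovery commands quoted by Group-IB in the article.
SHARE_DISCOVERY = ("net share", "get-smbshare")
# Telegram Bot API endpoint (assumption: the article only says "Telegram").
TELEGRAM_API_HOST = "api.telegram.org"
# ZMsg staging directory from the article, assumed to sit directly under %TEMP%.
STAGING_DIR = "\\temp\\kovosrlvmu\\"


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted per host."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def is_share_discovery(ev):
    cmd = ev.get("cmdline", "").lower()
    return ev["type"] == "process" and any(s in cmd for s in SHARE_DISCOVERY)


def is_telegram_api(ev):
    return ev["type"] == "network" and ev.get("dest_host", "").lower() == TELEGRAM_API_HOST


def is_staging_write(ev):
    return ev["type"] == "file" and STAGING_DIR in ev.get("path", "").lower()


def hunt(text, window=timedelta(minutes=30)):
    """Return {host: sorted list of (severity, rule)} for hosts with findings.

    Share discovery on its own is routine admin noise and is not reported;
    it only raises severity when Telegram API traffic follows it within
    'window'. Telegram traffic alone is reported as low, since it is
    legitimate in many environments.
    """
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        hits = set()
        discovery_times = [e["ts"] for e in evs if is_share_discovery(e)]
        for ev in evs:
            if is_staging_write(ev):
                hits.add(("high", "zmsg-staging-dir"))
            if is_telegram_api(ev):
                hits.add(("low", "telegram-api-traffic"))
                if any(timedelta(0) <= ev["ts"] - t <= window for t in discovery_times):
                    hits.add(("high", "share-discovery-then-telegram"))
        if hits:
            findings[host] = sorted(hits)
    return findings


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for severity, rule in hits:
            print(f"{host}\t{severity}\t{rule}")
```

The sequencing rule (discovery, then the Telegram connection) is what separates the pattern from ordinary helpdesk activity; tune the window to how quickly your own admins move between tasks, and treat the staging-directory rule as the high-fidelity indicator since the name is specific to the utility described.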

A previous report from the Chinese cybersecurity company Anheng Hunting Labs, which tracks Dark Pink as Saaiwc Group, describes some of the attack chains and notes that in one of them the actor used a Microsoft Office template with malicious macro code to exploit an older, high-severity vulnerability identified as CVE-2017-0199.

Although Group-IB confirms with high confidence that Dark Pink is responsible for seven attacks, the researchers note that the number could be higher.

The company has informed all seven organizations of the threat actor’s compromise activity and will continue to track Dark Pink’s operations.
