Group-IB has found a new advanced persistence threat (APT) actor dubbed Dark Pink targeting government and armed forces in the Asia-Pacific region using custom malware. Group-IB researchers have attributed seven successful attacks to the APT between June and December 2022.

Confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. An unnamed European state development body in Vietnam was also attacked but wasn’t compromised.

The group’s main goals are to conduct corporate espionage, steal documents, capture audio recordings from infected devices and extract messaging data. All these points to the possibility that it might be a state-sponsored actor.

Dark Pink APT is targeting governments and armed forces in APAC — *Dark Pink APT’s timeline and targets. | Source: Group-IB*

The report states that there isn’t enough data at the time of writing to attribute the group to a particular country. However, the target pool indicates that it could be in the Asia-Pacific region.

The group is still active at the time of writing, with its first activity being attributed to a Github account used by the attackers in mid-2021. The first attack, however, took place in June 2022. The final three months of 2022 were a busy time for the group, with four confirmed attacks being carried out.

In the News: Novel telecom network attacks can expose call metadata over 4G and 5G networks

Attacking with custom malware

The APT uses a custom toolkit featuring the TelePowerBot, KamiKakaBot, Cucky and Ctealer information stealers. The group also can infect the USB devices attached to a particular compromised machine, further spreading the malware. It can also gain access to any messengers on targeted machines.

This is done using two main techniques — DLL Side Loading and Event Triggered Execution: Change Default File Association. This is an interesting mix of tactics as while DLL Side Loading is a rather common attack vector, not many APTs and malware campaigns use Event Triggered Execution in the wild.

DLL Side Loading is used to avoid detection during initial access. Afterwards, Event Triggered Execution: Change Default File Association is used to launch the TelePowerBot malware.

The initial attack vector is targeted spear-phishing emails where the threat actors pose as job applicants to the targeted agency. Evidence suggests that threat actors scanned job vacancy portals and made unique email addresses for victims looking to fill said vacancies.

A set of custom PowerShell scripts was also discovered to facilitate communication between the victims’ and threat actors’ infrastructure. These scripts also help with lateral movement and recon once within the victim’s network. Finally, all the communication between the infected infrastructure is reportedly based on the Telegram API.

In the News: Meta further limits advertisements shown to teens on its platforms

Yadullah Abidi

Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars.

You can contact him here: [email protected]

Dark Pink APT is targeting governments and armed forces in APAC

Attacking with custom malware

Hello There!

If you like what you read, please support our publication by sharing it with your friends, family and colleagues. We're an ad-supported publication. So, if you're running an Adblocker, we humbly request you to whitelist us.

We may earn a commission if you buy something from a link on this page. Thanks for your support.

You can read our Ethics Statement here.

You can also support our Editorial Team here.

Read more from Candid.Technology

How to uninstall League of Legends?

How to show FPS and Ping in Fortnite?

Apple rolls out iOS 13.3.1 with enhanced control over location services

Windows PrintNightmare vulnerability is being actively exploited

6 ways to fix YouTube server error 503

What is LSData? Is it safe?

How to unlock the camera in League of Legends?

Tech Made Simpler