Group-IB has found a new advanced persistent threat (APT) actor dubbed Dark Pink targeting government and armed forces in the Asia-Pacific region using custom malware. Group-IB researchers have attributed seven successful attacks to the APT between June and December 2022.
Confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. An unnamed European state development body in Vietnam was also attacked but wasn’t compromised.
The group’s main goals are to conduct corporate espionage, steal documents, capture audio recordings from infected devices and extract messaging data. All of this points to the possibility that it might be a state-sponsored actor.
The report states that there isn’t enough data at the time of writing to attribute the group to a particular country. However, the target pool indicates that it could be in the Asia-Pacific region.
The group is still active at the time of writing, with its first activity being attributed to a GitHub account used by the attackers in mid-2021. The first attack, however, took place in June 2022. The final three months of 2022 were a busy time for the group, with four confirmed attacks being carried out.
Attacking with custom malware
The APT uses a custom toolkit featuring the TelePowerBot, KamiKakaBot, Cucky and Ctealer information stealers. The group can also infect USB devices attached to a compromised machine, further spreading the malware, and can gain access to any messengers on targeted machines.
This is done using two main techniques — DLL Side Loading and Event Triggered Execution: Change Default File Association. This is an interesting mix of tactics because, while DLL Side Loading is a rather common attack vector, not many APTs and malware campaigns use Event Triggered Execution in the wild.
DLL Side Loading is used to avoid detection during initial access. Afterwards, Event Triggered Execution: Change Default File Association is used to launch the TelePowerBot malware.
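One way a defender can watch for the Change Default File Association technique described above is to flag registry writes that point a file type's `shell\open\command` handler at a script interpreter. The following is an added detection example, not code from the Group-IB report; it assumes Sysmon Event ID 13 (RegistryEvent, value set) records with `TargetObject` and `Details` fields, and the sample events are constructed.

```python
import re

# Registry paths that define what runs when a file of a given type is opened.
# Rewriting one of these is the core of the Change Default File Association technique.
ASSOC_KEY = re.compile(
    r"(?:HKCR|\\Classes)\\[^\\]+\\shell\\[^\\]+\\command(?:\\\(Default\))?$",
    re.IGNORECASE,
)

# Interpreters that are unusual as file-type handlers; a PowerShell handler is the
# shape a PowerShell-based bot launch would take.
SUSPICIOUS_HANDLER = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.IGNORECASE,
)


def is_assoc_hijack(event: dict) -> bool:
    """True for a Sysmon Event ID 13 record that rewrites a file-association
    command handler so that it launches a script interpreter."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    return bool(ASSOC_KEY.search(target) and SUSPICIOUS_HANDLER.search(details))


def find_assoc_hijacks(events):
    """Return the subset of events that look like file-association hijacks."""
    return [e for e in events if is_assoc_hijack(e)]


# Constructed sample telemetry (hypothetical paths, not indicators from the report).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\SOFTWARE\Classes\txtfile\shell\open\command\(Default)",
     "Details": r'powershell.exe -w hidden -ep bypass -f C:\Users\Public\run.ps1 "%1"'},
    # Legitimate handler: Word registering itself for .docx files.
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Word.Document.12\shell\Open\command\(Default)",
     "Details": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "%1"'},
    # PowerShell in a Run key: a different persistence mechanism, out of scope here.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -f C:\Users\Public\up.ps1"},
]

if __name__ == "__main__":
    for hit in find_assoc_hijacks(SAMPLE_EVENTS):
        print("file association hijack:", hit["TargetObject"], "->", hit["Details"])
```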
The initial attack vector is targeted spear-phishing emails in which the threat actors pose as job applicants to the targeted agency. Evidence suggests that the threat actors scanned job vacancy portals and created unique email addresses tailored to the victims seeking to fill said vacancies.
A set of custom PowerShell scripts was also discovered that facilitates communication between the victims’ infrastructure and that of the threat actors. These scripts also help with lateral movement and reconnaissance once inside the victim’s network. Finally, all communication with the infected infrastructure reportedly relies on the Telegram API.