Global cybersecurity firm Group-IB has released its findings on the Dark Pink advanced persistent threat (APT) campaign, revealing a new threat actor group targeting high-profile entities in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina.
Group-IB’s report has linked seven successful attacks to this campaign from June to December 2022, targeting military bodies, government ministries, religious organisations, and NGOs. Additionally, an unsuccessful attack on a European state development body based in Vietnam was noted.
Dark Pink’s modus operandi involves targeted spear-phishing emails as the initial access vector. The threat actors, utilising a custom toolkit, engage in corporate espionage, aiming to exfiltrate files, microphone audio, and messenger data from infected devices and networks.
To combat this threat, Group-IB has proactively notified potential and confirmed targets of Dark Pink, while their researchers continue to delve into the details of this APT campaign.
Group-IB has been unable to attribute Dark Pink’s campaign to any known threat actor, suggesting the emergence of an entirely new group, also referred to as the Saaiwc Group by Chinese cybersecurity researchers at Anheng Hunting Labs. Notably, this APT group focuses on attacking military branches, government ministries and agencies.
As of December 2022, Dark Pink successfully breached the security defences of six organisations in five APAC countries and one organisation in Europe. The initial breach occurred in June 2022, targeting a religious organisation in Vietnam, and subsequent attacks targeted various military branches and government
Dark Pink’s APT campaign showcases the group’s use of custom tools and sophisticated tactics, which have contributed significantly to its success over the past seven months.
The attack begins with targeted spear-phishing emails, with the threat actors crafting unique phishing emails relevant to the target organisation. The emails contain shortened URLs leading to a file-sharing site, offering the victim a download option for a malicious ISO file. The ISO file contains signed executable files, non-malicious decoy documents, and a malicious DLL file. Group-IB researchers identified three separate kill chains employed by Dark Pink, highlighting their sophisticated approach.
Custom malware and stealers are key components of the group’s arsenal. Researchers found two custom modules, TelePowerBot and KamiKakaBot, designed to read and execute commands via a threat actor-controlled Telegram channel. Two custom stealers, Cucky and Ctealer, were developed to steal sensitive information from web browsers. A custom utility tool, ZMsg, was also leveraged to exfiltrate data from messenger apps such as Zalo, Viber, and Telegram.
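As an added detection-side example (not code from Group-IB or its report), the following Python heuristic scans constructed, Sysmon-style process-creation and image-load events for the ISO delivery pattern described above: an executable launched from a mounted image volume that then loads a DLL from its own directory instead of a system directory. The event tuple layout, the sample events, and the set of drive letters treated as mounted images are all assumptions.

```python
from collections import namedtuple

# Constructed event shape modelled loosely on Sysmon: event_id 1 = process create,
# event_id 7 = image (DLL) load. Field names and values are constructed samples.
Event = namedtuple("Event", "event_id pid image dll")

SAMPLE_EVENTS = [
    Event(1, 4120, r"E:\Report\document.exe", None),
    Event(7, 4120, r"E:\Report\document.exe", r"C:\Windows\System32\kernel32.dll"),
    Event(7, 4120, r"E:\Report\document.exe", r"E:\Report\msvcr100.dll"),
    Event(1, 4200, r"C:\Program Files\Vendor\app.exe", None),
    Event(7, 4200, r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll"),
]

# Directories from which DLL loads are expected and therefore not flagged.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _parent_dir(path):
    """Return the lower-cased directory portion of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def find_sideload_candidates(events, image_drives):
    """Return (pid, exe_path, dll_path) triples for processes that were started
    from a drive letter in `image_drives` (assumed to be known mounted ISO volumes)
    and then loaded a DLL from the same directory as the executable."""
    drives = {d.upper() for d in image_drives}
    started_from_image = {}
    for ev in events:
        if ev.event_id == 1 and ev.image[:2].upper() in drives:
            started_from_image[ev.pid] = ev.image

    hits = []
    for ev in events:
        if ev.event_id != 7 or ev.dll is None or ev.pid not in started_from_image:
            continue
        exe_dir = _parent_dir(started_from_image[ev.pid])
        dll_dir = _parent_dir(ev.dll)
        if dll_dir == exe_dir and not dll_dir.startswith(SYSTEM_DIRS):
            hits.append((ev.pid, started_from_image[ev.pid], ev.dll))
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS, image_drives={"E:"}):
        print("DLL loaded from mounted-image directory:", hit)
```

In a real deployment the mounted-image drive letters would come from the volume-mount events of the same telemetry source rather than a hard-coded set.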