Heimdal
article featured image

Contents:

Multiple government agencies and military bodies in the APAC region have been targeted by what appears to be a new advanced threat actor that uses custom malware.

Researchers refer to this group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), noting that it employs uncommon tactics, techniques, and procedures (TTP).

The actor used DLL side-loading and event-triggered execution methods to run the payloads on compromised systems using the custom toolkit observed in the attacks.

Security company Group-IB reports that the threat actor’s goal is to steal information from a victim’s browsers, access messengers, exfiltrate documents, and record audio from the infected device’s microphone.

Between June and December 2022, Dark Pink launched at least seven attacks.

Source

Initial Compromise

Its typical attack vector involves spear-phishing emails disguised as job applications, which trick victims into downloading a malicious ISO image file.

One of them used an all-inclusive ISO file containing a decoy document, a signed executable, and a malicious DLL file, resulting in the deployment of one of the two custom information stealers (Ctealer or Cucky) via DLL side-loading. Next, TelePowerBot would be dropped as a registry implant.

When a victim opens a Microsoft Office document (.DOC) within an ISO file, a template with a malicious macro is fetched from GitHub to load TelePowerBot and change Windows registry settings.

In December 2022, researchers observed a third attack chain similar to the first. However, instead of loading TelePowerBot, the malicious ISO file and DLL side-loading technique loaded another custom malware designed to read and execute commands called KamiKakaBot.

Source

Tailor – Made Malware

The custom info-stealers Cucky and Ctealer are written in .NET and C++, respectively. Both attempt to locate and extract passwords, browsing history, saved logins, and cookies from a long list of web browsers: Chrome, Microsoft Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser.

Source

During system boot, TelePowerBot launches via a script and connects to a Telegram channel to receive PowerShell commands.

When an infected device is infected, threat actors execute several standard commands to determine what network resources are connected (e.g., net share, Get-SmbShare). “If network disk usage is found, they will search this disk for files that may interest them and potentially exfiltrate them.

Source

Generally, these commands start with simple console tools or PowerShell scripts that enable lateral movement via USB removable drives.

The .NET version of TelePowerBot, KamiKakaBot, also steals data from Chrome-based and Firefox browsers.

Source

Dark Pink also records sound through the microphone every minute and saves it as a ZIP archive in the Windows temporary folder before exfiltrating it to Telegram.

Similarly, the threat actor utilizes a unique messenger exfiltration utility called ZMsg (downloadable from GitHub), which steals communications from Viber, Telegram, and Zalo and stores them on “%TEMP%KoVosRLvmU” until they are exfiltrated.

In a previous report, Dark Pink was tracked as Saaiwc Group by Chinese cybersecurity company Anheng Hunting Labs. In one of them, the actor exploited an old, high-severity vulnerability identified as CVE-2017-0199 by using a Microsoft Office template with malicious macro code.

According to Group-IB, Dark Pink is responsible for seven attacks, but the number could be higher.

It has notified all seven organizations of the threat actor’s compromise activity and will continue to monitor Dark Pink’s activities.

Heimdal Official Logo

DNS Security for Dummies

Learn More

An eBook that gives a comprehensive role-based security approach and addresses the numerous dangers to the Domain Name Systems (DNS) as cyberattacks increase globally.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.  

Author Profile

Gabriella Antal

SMM & Corporate Communications Officer

linkedin icon

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE