Multiple government agencies and military bodies in the APAC region have been targeted by what appears to be a new advanced threat actor that uses custom malware. Researchers refer to this group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), noting that it employs uncommon tactics, techniques, and procedures (TTP).[1] The actor used DLL side-loading and event-triggered execution methods to run the payloads on compromised systems using the custom toolkit observed in the attacks.
Security company Group-IB reports that the threat actor’s goal is to steal information from a victim’s browsers, access messengers, exfiltrate documents, and record audio from the infected device’s microphone. Between June and December 2022, Dark Pink launched at least seven attacks.
Its typical attack vector involves spear-phishing emails disguised as job applications, which trick victims into downloading a malicious ISO image file. One of them used an all-inclusive ISO file containing a decoy document, a signed executable, and a malicious DLL file, resulting in the deployment of one of the two custom information stealers (Ctealer or Cucky) via DLL side-loading. Next, TelePowerBot would be dropped as a registry implant.
When a victim opens a Microsoft Office document (.DOC) within an ISO file, a template with a malicious macro is fetched from GitHub to load TelePowerBot and change Windows registry settings.
In December 2022, researchers observed a third attack chain similar to the first. However, instead of loading TelePowerBot, the malicious ISO file and DLL side-loading technique loaded another custom malware designed to read and execute commands called KamiKakaBot.
The custom info-stealers Cucky and Ctealer are written in .NET and C++, respectively. Both attempt to locate and extract passwords, browsing history, saved logins, and cookies from a long list of web browsers: Chrome, Microsoft Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser.
During system boot, TelePowerBot launches via a script and connects to a Telegram channel to receive PowerShell commands. Threat actors execute several standard commands when an infected device is infected to determine what network resources are connected (e.g., net share, Get-SmbShare). “If network disk usage is found, they will search this disk for files that may interest them and potentially exfiltrate them.
Generally, these commands start with simple console tools or PowerShell scripts that enable lateral movement via USB removable drives. The .NET version of TelePowerBot, KamiKakaBot, also steals data from Chrome-based and Firefox browsers.
Dark Pink also records sound through the microphone every minute and saves it as a ZIP archive in the Windows temporary folder before exfiltrating it to Telegram. Similarly, the threat actor utilizes a unique messenger exfiltration utility called ZMsg (downloadable from GitHub), which steals communications from Viber, Telegram, and Zalo and stores them on “%TEMP%KoVosRLvmU” until they are exfiltrated.
In a previous report, Dark Pink was tracked as Saaiwc Group by Chinese cybersecurity company Anheng Hunting Labs. In one of them, the actor exploited an old, high-severity vulnerability identified as CVE-2017-0199 by using a Microsoft Office template with malicious macro code. According to Group-IB, Dark Pink is responsible for seven attacks, but the number could be higher. It has notified all seven organizations of the threat actor’s compromise activity and will continue to monitor Dark Pink’s activities.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://heimdalsecurity.com/blog/apt-group-dark-pink-doubles-down-on-government-and-military-targets-with-custom-malware/
Comments