Dark Pink APT group targets military bodies, government, development agencies across APAC region

Group-IB research disclosed Tuesday details of a new wave of APT (advanced persistent threat) attacks, which it has named Dark Pink, primarily targeting installations in the APAC region. The hacker group launched seven successful attacks against high-profile targets between June and December last year. At present, Group-IB cannot attribute the campaign to any known threat actor, making it highly likely that Dark Pink is an entirely new APT group. 

“There is evidence to suggest that Dark Pink began operations as early as mid-2021, although the group’s activity surged in mid-to-late 2022. To date, Group-IB’s sector-leading Threat Intelligence uncovered seven confirmed attacks by Dark Pink,” Andrey Polovinkin, malware analyst at Group-IB, wrote in a blog post. “The bulk of the attacks were carried out against countries in the APAC region, although the threat actors spread their wings and targeted one European governmental ministry. The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, and a religious organization in Vietnam. Group-IB also became aware of an unsuccessful attack on a European state development agency based in Vietnam.” 

Polovinkin added that in line with Group-IB’s zero-tolerance policy to cybercrime, confirmed and potential victims of Dark Pink were issued proactive notifications, and “we note that the list of companies breached by this particular APT group is likely to be longer.” The APT group has also been termed Saaiwc Group by Chinese cybersecurity researchers.

“At the time of writing, Dark Pink is still active. Given the fact that many of the attacks identified by Group-IB researchers took place in the final months of 2022, Group-IB researchers are still in the process of identifying the full scope of the APT attack, and efforts to uncover the origin of this APT group are in process,” according to Polovinkin. “However, we believe that this preliminary research, which will be of great interest to CISO, heads of cybersecurity teams, SOC analysts, and incident response specialists, will go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack.” 

Group-IB’s early research into Dark Pink has revealed that these threat actors are leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups, Polovinkin wrote. “They leverage a custom toolkit, featuring TelePowerBot, KamiKakaBot, and Cucky and Ctealer information stealers (all names dubbed by Group-IB) with the aim of stealing confidential documentation held on the networks of government and military organizations.” 

Polovinkin highlighted Dark Pink’s ability to infect even the USB devices attached to compromised computers, and to gain access to messengers on infected machines. “Furthermore, Dark Pink threat actors utilize two core techniques: DLL Side-Loading and executing malicious content triggered by a file type association (Event Triggered Execution: Change Default File Association). The latter of these tactics is one rarely seen utilized in the wild by threat actors,” he added.
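An added defender's check, not from Group-IB's report or this article: the Python below parses a Windows registry export of file-type handlers (the sample export is constructed, not a Dark Pink indicator) and flags `shell\open\command` defaults that launch a script interpreter, a script file, a hidden PowerShell session or anything under a user-writable path, which is how a changed default file association turns an ordinary double-click into code execution. The heuristics and the `reg export` text layout assumed here are my own.

```python
import re

# Constructed sample in `reg export` format (illustrative only, not Dark Pink IoCs).
SAMPLE_REG_EXPORT = r'''
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_CLASSES_ROOT\docxfile\shell\open\command]
@="\"C:\\Users\\Public\\update.bat\" \"%1\""
[HKEY_CLASSES_ROOT\pdffile\shell\open\command]
@="powershell.exe -w hidden -c \"& 'C:\\Users\\alice\\AppData\\Roaming\\svc.ps1' '%1'\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\shell\open\command]
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')  # @="<default value>"

# Each heuristic: (reason, lowercase substrings that trigger it).
HEURISTICS = (
    ("script-interpreter handler", ("powershell", "pwsh", "wscript", "cscript", "cmd.exe", "mshta", "rundll32", "regsvr32")),
    ("script-file handler", (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")),
    ("handler in user-writable path", ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")),
    ("hidden/encoded powershell flags", ("-w hidden", "-windowstyle hidden", "-enc")),
)

def unescape_reg_string(s):
    """Undo .reg escaping: a backslash-escaped backslash or quote becomes the literal character."""
    out, i = [], 0
    while i < len(s):
        esc = s[i] == '\\' and i + 1 < len(s)
        out.append(s[i + 1] if esc else s[i]); i += 2 if esc else 1
    return ''.join(out)

def classify_command(cmd):
    """Reasons a handler command looks tampered with; an empty list means nothing tripped."""
    low = cmd.lower()
    return [reason for reason, tokens in HEURISTICS if any(t in low for t in tokens)]

def audit_file_associations(reg_export):
    """Report every shell\\open\\command default value in a reg export that trips a heuristic."""
    findings, current_key = [], None
    for line in (l.strip() for l in reg_export.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
        val = DEFAULT_VALUE_RE.match(line)
        if val and current_key and current_key.lower().endswith("\\shell\\open\\command"):
            cmd = unescape_reg_string(val.group(1))
            reasons = classify_command(cmd)
            if reasons:
                findings.append({"key": current_key, "command": cmd, "reasons": reasons})
    return findings
```

On a live host the same function can be fed the output of `reg export HKCR <file>` (and the per-user `HKCU\Software\Classes` tree, which takes precedence), with the benign NOTEPAD entry showing how a stock handler passes untouched.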

Group-IB disclosed that Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers. The APT group’s core initial vector was targeted spear-phishing emails in which the threat actors posed as job applicants. There was evidence to suggest that the threat actors behind Dark Pink scanned online job vacancy portals and crafted unique emails for victims that were advertising vacancies.

“Almost all the tools leveraged by the threat actors were custom and self-made, including TelePowerBot and KamiKakaBot, along with the Cucky and Ctealer stealers. During our investigation, we noticed only one public tool: ‘PowerSploit/Get-MicrophoneAudio,’” the post noted. “The threat actors created a set of PowerShell scripts to carry out communication between victim and threat actors’ infrastructure, facilitate lateral movement and network reconnaissance. All communication between infected infrastructure and the threat actors behind Dark Pink is based on Telegram API,” it added.

The attacks executed by the Dark Pink APT group have been advanced in every sense of the word. They have utilized a sophisticated mixture of custom tools to breach the defenses of multiple government and military organizations. The first attack Group-IB analysts were able to attribute to this APT group was registered with a religious organization in Vietnam in June 2022. However, they appear to have been active well before that, as Group-IB researchers identified a GitHub account used by these threat actors which showed activity dating back to mid-2021.

“According to our research, the malware initialized by the threat actors can issue commands for an infected machine to download modules from this particular GitHub account,” Polovinkin wrote. “Interestingly, the threat actors appeared to use only one GitHub account for the entire duration of the campaign to date, which could suggest that they have been able to operate without detection for a significant period of time.”

Following the June 2022 attack, Group-IB researchers were unable to attribute any other malicious activity to Dark Pink. “However, this APT group burst into life towards the end of the summer, when Group-IB noticed an attack on a Vietnamese non-profit organization in August 2022 bearing all the hallmarks of the June attack,” the post added. 

From then, Group-IB was able to attribute one attack in September, two attacks (one successful, one unsuccessful) in October, two in November, and one in December. Most recently, Group-IB discovered that Dark Pink was able to breach an Indonesian governmental organization on Dec. 8, 2022.

Polovinkin concluded that while APT groups come and go, the preliminary findings of Group-IB’s research into Dark Pink APT demonstrate how threat actors can change course, leverage new TTPs, and achieve devastating results. “The threat actors behind Dark Pink were able, with the assistance of their custom toolkit, to breach the defenses of governmental and military bodies in a range of countries in the APAC and European regions. Dark Pink’s campaign once again underlines the massive dangers that spear-phishing campaigns pose for organizations, as even highly advanced threat actors use this vector to gain access to networks, and we recommend that organizations continue to educate their personnel on how to detect these sorts of emails,” he added.

At this stage, Group-IB researchers can confidently say that Dark Pink was behind the successful breaches of at least seven organizations, although they believe that this number could be higher. “In line with Group-IB’s zero-tolerance policy to cybercrime, our analysts will continue their diligent efforts to uncover Dark Pink’s origin and work to uncover more of the unique or peculiar TTPs utilized by this group. We will continue to issue proactive notifications to any organization we find to have been breached by this particular threat group,” Polovinkin added.

In November, Trend Micro researchers disclosed that they had been monitoring a wave of spear-phishing attacks targeting the government, academic, foundation, and research sectors globally. Based on the lure documents observed in the wild, the researchers attributed the activity to large-scale cyberespionage by the APT group Earth Preta, observed in attack deployments that began in March.
