South Asian government entities targeted by Dark Pink APT group using multiple KamiKakaBot malware


EclecticIQ researchers last month identified multiple KamiKakaBot malware samples that are very likely being used to target government entities in ASEAN (Association of Southeast Asian Nations) countries. The team assesses that the attacks were very likely carried out by the Dark Pink APT group. KamiKakaBot’s primary function is to steal data stored in web browsers such as Chrome, Edge, and Firefox, including saved credentials, browsing history, and cookies. Once a device is infected, the attackers can also use that initial access to execute code remotely on it.

Developers of KamiKakaBot employ various evasion techniques to remain undetected while executing malicious actions on infected devices. For example, they use Living-off-the-Land binaries (LOLBINs), such as MsBuild[dot]exe, to run the KamiKakaBot malware on victims’ devices, the EclecticIQ Threat Research Team wrote in a blog post. “In this new campaign, the relationship between Europe and ASEAN countries is very likely being exploited in the form of social engineering lures against military and government entities in Southeast Asian nations,” they added.

The team also assessed that the analysis showed the threat actors are still using the same adversary tactics, techniques, and procedures (TTPs) to deliver and execute the KamiKakaBot malware, with only small changes to the obfuscation routine to increase the infection rate and evade anti-malware solutions.

“Based on the TTPs used in this campaign, EclecticIQ researchers strongly believe that the Dark Pink APT group is very likely a cyber espionage-motivated threat actor that specifically exploits relations between ASEAN and European nations to create phishing lures during the February 2023 campaign,” the team added. “Adversary techniques like DLL side loading and use of living-off-the-land binaries are on the rise among different threat actors to avoid being detected during the infection chain.”

EclecticIQ researchers observed overlaps in malware delivery and adversary techniques between Earth Yako and Dark Pink threat groups, such as usage of Winword.exe for DLL Hijacking, the post added. “Although researchers lack the conclusive proof needed to attribute the nationality of this group, the objectives of the attackers and some of the patterns suggest that the Dark Pink group could possibly be a Chinese APT group.” 

These February attacks were almost identical to previous attacks reported by Group-IB on January 11, 2023, the EclecticIQ researchers said. “In January 2023, the threat actors used ISO images to deliver KamiKakaBot, which was executed using a DLL side-loading technique. The main difference in the February campaign is that the malware’s obfuscation routine has improved to better evade anti-malware measures. Multiple overlaps in this new campaign aided EclecticIQ analysts in attributing it very likely to the Dark Pink APT group,” they added.

At the time, Group-IB said that the Dark Pink hacker group launched seven successful attacks against high-profile targets between June and December last year. It also pointed to evidence that suggests that Dark Pink began operations as early as mid-2021, although the group’s activity surged in mid-to-late 2022. The bulk of the attacks were carried out against countries in the APAC region, although the threat actors spread their wings and targeted one European governmental ministry. The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, and a religious organization in Vietnam. 

EclecticIQ detailed that KamiKakaBot is delivered through phishing emails that contain a malicious ISO file as an attachment. The malicious ISO file contains a WinWord.exe that is legitimately signed by Microsoft and is abused for the DLL side-loading technique. “When a user clicks on WinWord[dot]exe, the KamiKakaBot loader (MSVCR100[dot]dll), located in the same folder as the WinWord file, automatically loads and is executed into the memory of WinWord[dot]exe,” the researchers added.

The ISO file also contains a decoy Word document that has an XOR-encrypted section. The KamiKakaBot loader decrypts this XOR-encrypted content from the decoy file, writes the decrypted XML KamiKakaBot payload to disk (C:\Windows\temp), and executes it via a living-off-the-land binary called MsBuild[dot]exe.

Before executing the decrypted XML payload, the KamiKakaBot loader writes a registry entry at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, abusing the Winlogon Windows component to establish persistent access.
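The delivery chain in the three paragraphs above has three observable steps on the endpoint: Word loading the loader DLL from the ISO folder, Word spawning MsBuild.exe on a file under C:\Windows\temp, and a write to the per-user Winlogon\Shell value. The following detection logic is an added example, not code from the article or from EclecticIQ; it runs those three checks over a handful of constructed, Sysmon-style events. The event dictionaries and their field names are assumptions modelled on Sysmon event IDs 7 (image load), 1 (process create) and 13 (registry value set), and all paths in the sample events are made up.

```python
"""Detection logic for the KamiKakaBot delivery chain described above.

Added example (not from the article or EclecticIQ). Event field names are
assumptions modelled on Sysmon event IDs 7, 1 and 13; sample events are
constructed for this example.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path: str) -> str:
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return path.lower().replace("/", "\\")


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def detect(events):
    """Return (rule_name, detail) for every event that matches one of the rules."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "image_load":
            # Rule 1: WinWord.exe loading MSVCR100.dll from a non-system directory.
            loaded = _norm(ev["loaded"])
            if (_base(ev["image"]) == "winword.exe"
                    and ntpath.basename(loaded) == "msvcr100.dll"
                    and not loaded.startswith(SYSTEM_DIRS)):
                hits.append(("dll_sideload_winword", ev["loaded"]))
        elif kind == "process_create":
            # Rule 2: MsBuild.exe launched by Word, or fed a file under C:\Windows\temp.
            cmd = _norm(ev["command_line"])
            if (_base(ev["image"]) == "msbuild.exe"
                    and (_base(ev["parent_image"]) == "winword.exe"
                         or "\\windows\\temp\\" in cmd)):
                hits.append(("msbuild_lolbin_from_office", ev["command_line"]))
        elif kind == "registry_set":
            # Rule 3: a per-user Winlogon\Shell value does not exist on a default
            # install, so any HKCU write is suspicious; the machine-wide value
            # under HKLM is normally exactly "explorer.exe".
            key = _norm(ev["key"])
            if key.endswith("\\winlogon\\shell") and (
                    key.startswith("hkcu\\")
                    or _norm(ev["value"]).strip() != "explorer.exe"):
                hits.append(("winlogon_shell_persistence", ev["value"]))
    return hits


# Constructed sample events (not real telemetry); every path is illustrative.
_ISO_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\mounted_iso"
MALICIOUS_EVENTS = [
    {"type": "image_load", "image": _ISO_DIR + "\\WinWord.exe",
     "loaded": _ISO_DIR + "\\MSVCR100.dll"},
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "value": "explorer.exe,C:\\Windows\\temp\\placeholder.exe"},
    {"type": "process_create",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "parent_image": _ISO_DIR + "\\WinWord.exe",
     "command_line": "MSBuild.exe C:\\Windows\\temp\\placeholder.xml"},
]
BENIGN_EVENTS = [
    {"type": "image_load",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "loaded": "C:\\Windows\\System32\\MSVCR100.dll"},
    {"type": "process_create",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe",
     "command_line": "MSBuild.exe C:\\src\\app\\app.csproj"},
    {"type": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "value": "explorer.exe"},
]
ALL_EVENTS = MALICIOUS_EVENTS + BENIGN_EVENTS

if __name__ == "__main__":
    for rule, detail in detect(ALL_EVENTS):
        print(f"{rule}: {detail}")
```

Each rule is deliberately narrow (the exact DLL name, the exact LOLBIN, the exact registry value) so that it fires on this chain without flooding an analyst with every MsBuild build; a real deployment would map the same conditions onto the SIEM's own field names and tune the benign exclusions to the estate.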

EclecticIQ researchers said that the KamiKakaBot can extract sensitive information from Chrome, MS Edge, and Firefox web browsers. “The stolen browser data is then sent to attackers’ Telegram bot channel in a compressed ZIP format. Upon initial infection, the attacker can upgrade the malware or perform remote code execution on the targeted device, enabling them to carry out further post-exploitation activities. All of the command and control communication takes place via a Telegram bot controlled by the threat actor,” they added.

Furthermore, EclecticIQ researchers identified multiple ISO images that contained different decoy documents using phishing lures related to military or diplomacy in the ASEAN countries. Analysts assess that the content of the decoy documents is designed to target government entities in ASEAN countries.

“The KamiKakaBot loader is designed to load the KamiKakaBot malware as stealthily as possible by performing the DLL side loading technique and incorporating other anti-malware evasion tactics, such as payload encryption and the use of living-off-the-land binaries,” they added.

In the latest KamiKakaBot campaign, threat actors used the DLL side-loading technique to bypass anti-malware detection by loading the malware into the memory of Winword[dot]exe (the legitimate Microsoft Office binary used for opening Word documents), according to the EclecticIQ post. “DLL side loading is not a new technique, as the search-order hijacking vulnerability in Windows has existed since Windows XP. Due to the default search order built into Windows, threat actors can abuse the legitimate and signed binaries to load the malicious DLL,” they added.

EclecticIQ researchers identified and analyzed new samples of [dot]NET-based malware in a February 2023 campaign. The capabilities of KamiKakaBot include stealing web credentials and cookies from web browsers, performing remote code execution over cmd[dot]exe, and storing the Telegram API key and URL in an encrypted format. A new version of KamiKakaBot uses an open-source [dot]NET obfuscation engine to hide from anti-malware solutions. After a successful infection, threat actors can update the malware itself.
