Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and Europe.
Referred to as Dark Pink, the threat actor was seen launching seven successful attacks against high-profile targets since June 2022, but it appears to have been active since at least mid-2021, based on the activity associated with a GitHub account.
Between June and December 2022, Dark Pink successfully breached military and government agencies, a religious organization, and a non-profit organization. The targets were located in Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam.
During the same period, the hacking group also launched a cyberattack against a European state development agency based in Vietnam.
The tactics, techniques, and procedures (TTPs) used by the threat actor are “rarely utilized by previously known APT groups”, such as the execution of malware triggered by a file type association, in addition to DLL sideloading.
Dark Pink uses PowerShell scripts and custom information stealers (Cucky and Ctealer) and trojans (KamiKakaBot and TelePowerBot), can infect USB drives connected to the victim’s machine, and relies on the Telegram API for communication with the infected devices.
“Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers,” Group-IB notes.
The hacking group uses job application-themed spear-phishing emails containing a shortened link, luring victims into downloading a malicious ISO image. The APT appears to be scanning online job vacancy portals for relevant information to include in the tailored emails sent to victims.
The malicious ISO images appear tailored for each victim, containing a signed executable, a decoy document, and a malicious DLL file. The executable poses as a Word document containing the applicant’s resume, but is meant to load the malicious DLL.
Group-IB identified three different execution chains employed by Dark Pink, where the malicious DLL is sideloaded to execute TelePowerBot or KamiKakaBot – along with the Ctealer or Cucky information stealers – and to ensure persistence.
Following the initial compromise, Dark Pink proceeds to harvest information (system data, browser data, installed applications, and connected USB drives and network shares) and to move laterally on the network.
The attackers also register a new WMI event handler, so that a malware dropper is placed on any USB drive that the victim connects to the system. The necessary files are fetched from the threat actors’ GitHub account, and LNK files (named the same as the user’s folders) are placed on the USB drive.
The data harvested by Dark Pink’s malware is exfiltrated in ZIP archives to the attackers’ Telegram bot or via Dropbox.
The APT also leverages several techniques to bypass User Account Control (UAC) and modify Windows Defender settings, and was also seen using the publicly available PowerSploit module Get-MicrophoneAudio to record the microphone audio on infected devices.