
Sophisticated ‘Dark Pink’ APT Targets Government, Military Organizations

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and Europe.

Referred to as Dark Pink, the threat actor was seen launching seven successful attacks against high-profile targets since June 2022, but it appears to have been active since at least mid-2021, based on the activity associated with a GitHub account.

Between June and December 2022, Dark Pink successfully breached military and government agencies, a religious organization, and a non-profit organization. The targets were located in Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam.

During the same period, the hacking group also launched a cyberattack against a European state development agency based in Vietnam.

The tactics, techniques, and procedures (TTPs) used by the threat actor are “rarely utilized by previously known APT groups”, such as the execution of malware triggered by a file type association, in addition to DLL sideloading.

Dark Pink uses PowerShell scripts and custom information stealers (Cucky and Ctealer) and trojans (KamiKakaBot and TelePowerBot), can infect USB drives connected to the victim’s machine, and relies on the Telegram API for communication with the infected devices.

“Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers,” Group-IB notes.

The hacking group uses job application-themed spear-phishing emails containing a shortened link, luring victims into downloading a malicious ISO image. The APT appears to be scanning online job vacancy portals for relevant information to include in the tailored emails sent to victims.

The malicious ISO images appear tailored for each victim, containing a signed executable, a decoy document, and a malicious DLL file. The executable poses as a Word document containing the applicant’s resume, but is meant to load the malicious DLL.

Group-IB identified three different execution chains employed by Dark Pink, where the malicious DLL is sideloaded to execute TelePowerBot or KamiKakaBot – along with the Ctealer or Cucky information stealers – and to ensure persistence.

Following the initial compromise, Dark Pink proceeds to harvest information (system data, browser data, installed applications, and connected USB drives and network shares) and to move laterally on the network.

The attackers also register a new WMI event handler, so that a malware dropper is placed on any USB drive that the victim connects to the system. The necessary files are fetched from the threat actors’ GitHub account, and LNK files (named the same as the user’s folders) are placed on the USB drive.
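The USB propagation step above relies on two host artifacts a defender can enumerate: a permanent WMI event subscription (filter, consumer and the binding between them) that fires when a drive arrives, and shortcut files on the removable drive that borrow the names of real folders. The following PowerShell is an added defensive audit, not code from the article or from Group-IB's report; it reads the `root/subscription` namespace with the standard CIM cmdlets and inspects every removable drive currently attached. The heuristics (which WMI classes count as drive-arrival triggers, which consumer types and interpreters are flagged) are this example's own assumptions and will need tuning against whatever legitimate subscriptions exist in your environment.

```powershell
# Added defensive example (not from the article or Group-IB): audit the two
# persistence artifacts described above on a Windows host. Read-only; run in
# an elevated PowerShell session so the subscription namespace is readable.

function Get-SuspiciousWmiSubscription {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        # Get-CimInstance returns the Filter/Consumer references as CIM instances with
        # their Name key populated; fall back to parsing the string form if not.
        $filterName   = if ($b.Filter.Name)   { $b.Filter.Name }   else { ([string]$b.Filter   -split '"')[1] }
        $consumerName = if ($b.Consumer.Name) { $b.Consumer.Name } else { ([string]$b.Consumer -split '"')[1] }
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName

        $reasons = @()
        # Heuristic (assumption): a handler that reacts to a plugged-in drive must
        # subscribe to a volume or disk event such as Win32_VolumeChangeEvent.
        if ($f.Query -match 'Win32_VolumeChangeEvent|Win32_LogicalDisk|Win32_DiskDrive|Win32_USB') {
            $reasons += 'filter watches drive/volume events'
        }
        $consumerClass = $c.CimClass.CimClassName
        if ($consumerClass -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') {
            $reasons += "consumer type $consumerClass can execute code"
        }
        if (($c.CommandLineTemplate + $c.ScriptText) -match 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32') {
            $reasons += 'consumer launches a script interpreter'
        }

        [pscustomobject]@{
            Filter     = $filterName
            Consumer   = $consumerName
            Query      = $f.Query
            Payload    = $c.CommandLineTemplate + $c.ScriptText
            Suspicious = $reasons.Count -gt 0
            Reasons    = $reasons -join '; '
        }
    }
}

function Get-DecoyLnkOnRemovableDrive {
    $shell  = New-Object -ComObject WScript.Shell   # resolves shortcut targets
    # Win32_LogicalDisk DriveType 2 = removable media (USB sticks, SD cards)
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root    = "$($d.DeviceID)\"
        $folders = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
        $lnks    = Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue
        foreach ($l in $lnks) {
            # A .lnk at the drive root whose name equals a folder on the same drive
            # matches the "LNK files named the same as the user's folders" pattern.
            $base = [IO.Path]::GetFileNameWithoutExtension($l.Name)
            $twin = $folders | Where-Object Name -eq $base
            if ($twin) {
                $sc = $shell.CreateShortcut($l.FullName)
                [pscustomobject]@{
                    Drive      = $d.DeviceID
                    Lnk        = $l.FullName
                    TwinFolder = $twin.FullName
                    Target     = $sc.TargetPath
                    Arguments  = $sc.Arguments
                }
            }
        }
    }
}

Get-SuspiciousWmiSubscription | Where-Object Suspicious | Format-List
Get-DecoyLnkOnRemovableDrive | Format-List
```

Legitimate software (backup agents, some management tooling) also registers permanent subscriptions, so treat the first report as a triage list rather than a verdict; the `Payload` column shows exactly what the consumer would run, which is usually enough to decide. The second function only resolves shortcut targets and never launches them.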

The data harvested by Dark Pink’s malware is exfiltrated in ZIP archives to the attackers’ Telegram bot or via Dropbox.

The APT also employs several techniques to bypass User Account Control (UAC) and to modify Windows Defender settings, and it has been seen using the publicly available PowerSploit module Get-MicrophoneAudio to record microphone audio on infected devices.
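Because both the UAC bypass and the Defender tampering leave a configuration trail, a host can be checked against its expected baseline. The script below is an added defensive example, not code from the article or Group-IB; it uses the built-in `Get-MpPreference` and `Get-MpComputerStatus` cmdlets plus the UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. Which exclusions and interpreters count as "broad" is this example's assumption; the cmdlet and property names are the documented ones, although `IsTamperProtected` is absent on older Windows builds and is handled as optional.

```powershell
# Added defensive example (not from the article or Group-IB): report Defender
# and UAC settings that an intruder would plausibly weaken. Read-only; run
# elevated so all preference values are readable.

function Get-DefenderPostureReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $uac    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $findings = @()
    if ($pref.DisableRealtimeMonitoring) { $findings += 'real-time monitoring disabled' }
    if ($pref.DisableBehaviorMonitoring) { $findings += 'behavior monitoring disabled' }
    if ($pref.DisableIOAVProtection)     { $findings += 'download/attachment (IOAV) scanning disabled' }
    if ($pref.DisableScriptScanning)     { $findings += 'script scanning disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'status reports real-time protection off' }
    # IsTamperProtected only exists on newer builds; skip the check where it is missing.
    if ($status.PSObject.Properties['IsTamperProtected'] -and -not $status.IsTamperProtected) {
        $findings += 'tamper protection off'
    }

    # UAC policy: EnableLUA 0 turns UAC off; ConsentPromptBehaviorAdmin 0 elevates
    # administrators silently, which removes the prompt a bypass would otherwise need.
    if ($uac.EnableLUA -ne 1)                 { $findings += 'UAC (EnableLUA) disabled' }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'UAC elevates administrators without prompting' }

    # Heuristic (assumption): exclusions covering whole drives, profile roots or temp
    # folders, executable file types, or script interpreters create blind spots
    # large enough to hide a dropper or a sideloaded DLL.
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$|\\Users\\?$|\\Temp\\?$|\\AppData\\?$|\\ProgramData\\?$') {
            $findings += "broad path exclusion: $p"
        }
    }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
        if ($e -match '^\.?(exe|dll|ps1|lnk|iso|vbs|js)$') { $findings += "executable-type extension excluded: $e" }
    }
    foreach ($pr in @($pref.ExclusionProcess | Where-Object { $_ })) {
        if ($pr -match 'powershell|cmd\.exe|wscript|cscript|rundll32|mshta') {
            $findings += "interpreter excluded from scanning: $pr"
        }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = $status.AMEngineVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        ExclusionPaths  = @($pref.ExclusionPath)
        Findings        = $findings
        Baseline        = $findings.Count -eq 0
    }
}

Get-DefenderPostureReport | Format-List
```

Running this from a scheduled task and diffing the `Findings` list against the previous run turns a one-off check into a simple tamper detector: any newly appearing exclusion or disabled component is worth correlating with process-creation logs from the same window.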

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
