Sophisticated ‘Dark Pink’ APT Targets Government, Military Organizations

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and Europe.

Referred to as Dark Pink, the threat actor was seen launching seven successful attacks against high-profile targets since June 2022, but it appears to have been active since at least mid-2021, based on the activity associated with a GitHub account.

Between June and December 2022, Dark Pink successfully breached military and government agencies, a religious organization, and a non-profit organization. The targets were located in Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam.

During the same period, the hacking group also launched a cyberattack against a European state development agency based in Vietnam.

The tactics, techniques, and procedures (TTPs) used by the threat actor are “rarely utilized by previously known APT groups”, Group-IB says; they include executing malware through a file type association and DLL sideloading.

Dark Pink uses PowerShell scripts and custom information stealers (Cucky and Ctealer) and trojans (KamiKakaBot and TelePowerBot), can infect USB drives connected to the victim’s machine, and relies on the Telegram API for communication with the infected devices.

“Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers,” Group-IB notes.

The hacking group uses job application-themed spear-phishing emails containing a shortened link, luring victims into downloading a malicious ISO image. The APT appears to be scanning online job vacancy portals for relevant information to include in the tailored emails sent to victims.

The malicious ISO images appear tailored for each victim, containing a signed executable, a decoy document, and a malicious DLL file. The executable poses as a Word document containing the applicant’s resume, but is meant to load the malicious DLL.

Group-IB identified three different execution chains employed by Dark Pink, where the malicious DLL is sideloaded to execute TelePowerBot or KamiKakaBot – along with the Ctealer or Cucky information stealers – and to ensure persistence.

Following the initial compromise, Dark Pink proceeds to harvest information (system data, browser data, installed applications, and connected USB drives and network shares) and to move laterally on the network.

The attackers also register a new WMI event handler, so that a malware dropper is placed on any USB drive that the victim connects to the system. The necessary files are fetched from the threat actors’ GitHub account, and LNK files (named the same as the user’s folders) are placed on the USB drive.
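Persistence through a WMI event subscription of the kind described above leaves a permanent filter-to-consumer binding in the `root\subscription` namespace that defenders can enumerate. The following script is an added hunting example, not code from the Group-IB report or the article; it assumes a Windows host with PowerShell 5.1, read access to `root\subscription`, and that a removable-media trigger would subscribe to the standard `Win32_VolumeChangeEvent` or `Win32_DeviceChangeEvent` classes (the `$usbPattern` regex is an assumption, not an indicator from the report).

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag bindings whose
# filter fires on volume/device changes and whose consumer runs a shell command.
function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'

    # Get-WmiObject returns reference properties (Filter, Consumer) as string paths,
    # e.g. __EventFilter.Name="SCM Event Log Filter", which we parse below.
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    # Assumed indicators: event classes a USB-triggered dropper would subscribe to,
    # and interpreters commonly used to launch droppers. Tune for your environment.
    $usbPattern   = 'Win32_VolumeChangeEvent|Win32_DeviceChangeEvent|DriveType\s*=\s*2'
    $shellPattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32'

    foreach ($b in $bindings) {
        $filterName   = [regex]::Match([string]$b.Filter,   'Name\s*=\s*"([^"]*)"').Groups[1].Value
        $consumerName = [regex]::Match([string]$b.Consumer, 'Name\s*=\s*"([^"]*)"').Groups[1].Value

        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }
        # Bindings to non-command-line consumers (e.g. NTEventLogEventConsumer) are skipped.
        if (-not $f -or -not $c) { continue }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = $f.Query
            Consumer      = $consumerName
            CommandLine   = $c.CommandLineTemplate
            USBTriggered  = [bool]($f.Query -match $usbPattern)
            LaunchesShell = [bool]($c.CommandLineTemplate -match $shellPattern)
        }
    }
}

# Show every command-line subscription; sort so USB-triggered shell launchers surface first.
Get-WmiSubscriptionReport |
    Sort-Object -Property USBTriggered, LaunchesShell -Descending |
    Format-List
```

On a clean host the list is typically empty or limited to well-known entries such as the SCM Event Log Filter binding; any filter on volume changes paired with a shell-launching consumer warrants a closer look.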

The data harvested by Dark Pink’s malware is exfiltrated in ZIP archives to the attackers’ Telegram bot or via Dropbox.

The APT leverages several techniques to bypass User Account Control (UAC) and modify Windows Defender settings, and was also seen using the publicly available PowerSploit module Get-MicrophoneAudio to record microphone audio on infected devices.

Related: New ‘ToddyCat’ APT Targets High-Profile Entities in Europe, Asia

Related: Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine

Related: Iran-Linked OilRig APT Caught Using New Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.