
Group-IB Shares its Finding Pertaining to Dark Pink

Group-IB, one of the global cybersecurity leaders, has published its findings on Dark Pink, an ongoing advanced persistent threat (APT) campaign launched against high-profile targets in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina.
FREMONT, CA: Leading global cybersecurity firm Group-IB has revealed its findings about Dark Pink, an ongoing advanced persistent threat (APT) campaign aimed at high-profile targets in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina.
Although the pool of victims may be much greater, Group-IB's Threat Intelligence team has been able to attribute seven successful attacks from June to December 2022 to this specific group. The targets included military institutions, government ministries and agencies, and religious and nonprofit organisations. A failed attempt was also made against a European state development organisation with a base in Vietnam.
According to Group-IB analysis, the Dark Pink campaign's initial access vector was targeted spear-phishing emails. The threat actors, who use an almost entirely custom toolkit, have corporate espionage as their primary objective as they try to exfiltrate files, microphone audio, and messenger data from infected devices and networks. Following its zero-tolerance policy for cybercrime, the company has proactively notified all possible and confirmed Dark Pink targets. The researchers are still analyzing every aspect of this particular APT campaign.
Group-IB has so far been unable to attribute this campaign to any known threat actor, because it relies on unique tools and a number of uncommon tactics and techniques. For this reason, Group-IB believes that the Dark Pink campaign in the second half of 2022 is the work of a brand-new threat actor group, also known as the Saaiwc Group among Chinese cybersecurity researchers.
This new APT group is notable for concentrating specifically on government ministries and agencies as well as military branches. As of December 2022, Dark Pink had breached the security defences of six organisations in five APAC nations (Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam) and one organisation in Europe (Bosnia and Herzegovina).
The first attack, on a religious organisation in Vietnam, was carried out successfully in June 2022 after the threat actors gained access to its network. No further attacks traceable to Dark Pink were documented after this breach until August 2022, when Group-IB investigators learned that the threat actors had gained access to the network of a Vietnamese non-profit organisation.
Dark Pink was more active during the last four months of the year. Group-IB's Threat Intelligence team discovered attacks on a Philippine military branch in September, a Malaysian military branch in October, two breaches in November that targeted government institutions in Bosnia and Herzegovina and Cambodia, and then an Indonesian government agency in early December. In addition, according to Group-IB's Threat Intelligence team, an October attack against a European state development agency based in Vietnam was unsuccessful.
Although Group-IB stated that the first Dark Pink breach occurred in June 2022, there are indications that the group may have been active as early as mid-2021.
Group-IB discovered that, after infecting a device, the threat actors could instruct the affected computer to download malicious files from GitHub, from a repository the threat actors themselves had populated. Notably, throughout the whole APT operation to date, the threat actors have uploaded malicious files using the same GitHub account, which may indicate that they were able to operate undetected for a considerable amount of time.
Dark Pink employs a variety of unique tools and advanced tactics, techniques, and procedures (TTPs), which have greatly aided the success of its attacks over the previous seven months. Group-IB's investigation into Dark Pink describes the entire victim journey, from initial infection to data exfiltration. The threat actors use tailored spear-phishing emails to start their attacks. In one unsuccessful attempt, Group-IB was able to track down the original email sent by the threat actors. The attackers in this case pretended to be job seekers looking for an internship in PR and communications. The threat actor claims in the email that they discovered the job opening on a jobseeker website, which may indicate that they search job boards and craft a customised phishing email relevant to each company they find.
The spear-phishing emails contain a shortened URL linking to a free-to-use file-sharing site, where the victim is given the option to download a malicious ISO file. These ISO files always contain three specific file types: a signed executable file, a non-malicious decoy document (some ISO files seen by Group-IB had more than one), and a malicious DLL file. However, the functionality and content of these files can vary, and Group-IB investigators discovered three distinct kill chains, highlighting the expertise of this specific APT group.
In the first kill chain Group-IB examined, the threat actors pack all of the files listed above, including the malicious DLL, onto the ISO itself; once the ISO is mounted, the DLL is launched via DLL side-loading.
In the second kill chain, after gaining initial access, the threat actors use GitHub to automatically download a template document containing macro code that is responsible for running the threat actors' malware. Lastly, the threat actors' most recent kill chain (seen in December 2022) launches the malware with the help of an XML file that contains an MSBuild project and a task to run .NET code, which in turn starts their custom malware.
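As an added defender-side example, not code from Group-IB's report, the following Python script flags MSBuild project files that declare an inline code task (the mechanism the third kill chain relies on to run .NET code from an XML project). Both project samples are constructed here; the task name `RunInline` and the record format are assumptions.

```python
import xml.etree.ElementTree as ET

# Task factories that compile and execute inline C#/VB source at build time.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Constructed sample: a project whose only job is to compile and run embedded
# .NET code (placeholder class body) via an inline task, the shape described above.
INLINE_TASK_PROJECT = """<Project ToolsVersion="4.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><RunInline /></Target>
  <UsingTask TaskName="RunInline" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        public class RunInline : Microsoft.Build.Utilities.Task {
            public override bool Execute() { return true; }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed benign SDK-style project: no inline task declared.
BENIGN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so legacy and SDK-style projects are handled alike."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list:
    """Return one record per UsingTask that compiles inline code at build time."""
    findings = []
    for node in ET.fromstring(project_xml).iter():
        if _local(node.tag) != "UsingTask":
            continue
        factory = node.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        code = next((c for c in node.iter() if _local(c.tag) == "Code"), None)
        findings.append({
            "task_name": node.get("TaskName"),
            "factory": factory,
            "language": code.get("Language", "cs") if code is not None else None,
            "code_chars": len((code.text or "").strip()) if code is not None else 0,
        })
    return findings
```

A non-empty result is a strong triage signal when the project file arrived by email or sits in a user-writable location, since legitimate builds rarely ship inline tasks that way.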
The custom malware and tools in the threat actor's toolkit further emphasise how sophisticated Dark Pink's attacks are. The group developed two custom modules that Group-IB named TelePowerBot and KamiKakaBot, written in .NET and PowerShell, respectively. Both pieces of malware are designed to read and carry out commands from a Telegram channel under the control of the threat actor, using a Telegram bot.
Researchers at Group-IB found that, to avoid detection, the threat actors used a variety of evasion techniques, such as bypassing User Account Control, on the devices they used to communicate with their victims. The threat actor also produced two custom stealers, which Group-IB named Cucky and Ctealer. When run on the victim's device, these stealers can access cookies, history, logins, passwords, and more from numerous web browsers. The threat actors behind this campaign also created scripts that enabled them to propagate their malware across network shares and USB devices connected to the compromised computer.
The threat actors used a custom tool, which Group-IB named ZMsg, to steal data from the Zalo messenger on the victims' devices. Researchers discovered evidence that the APT group was also capable of stealing data from Telegram and Viber. The only off-the-shelf tool used by the threat actors was the publicly available PowerSploit module Get-MicrophoneAudio, which is downloaded from GitHub and installed on the victim's device. This module allowed the threat actors to capture audio input and later exfiltrate the recordings using their Telegram bot. The threat actors modified this module to ensure they could bypass antivirus technologies. According to Group-IB experts, the custom script added to this PowerSploit module was altered several times following repeated failed attempts to record microphone audio on infected devices.
Dark Pink used three distinct channels to exfiltrate data from victims: email, Dropbox, and Telegram. In fact, the moniker Dark Pink is a combination of two email addresses used by the threat actors to exfiltrate data over the first of these channels.
Group-IB's analysis of Dark Pink is significant, as it describes a sophisticated APT campaign carried out by experienced threat actors. The threat that this specific group poses is evidenced by its use of a toolkit that is nearly wholly custom, its sophisticated evasion strategies, the threat actors' capacity to modify their malware to ensure optimum efficacy, and the profile of the targeted organisations.
Group-IB will keep track of and analyse both past and present Dark Pink attacks to identify the perpetrators of this operation.
The current campaign by Dark Pink APT is one more illustration of how individuals' interactions with spear-phishing emails can lead to the penetration of security defences in even the most secure organisations. Group-IB advises using products such as its Business Email Protection to combat this threat and prevent malicious emails from reaching employees' inboxes. Having said that, Group-IB urges businesses to promote a culture of cybersecurity and teach their staff members how to spot phishing emails. By arming them with the most recent information on new threats, Group-IB's Threat Intelligence platform, which was at the forefront of the investigation into Dark Pink, can help enterprises strengthen their security posture.
Group-IB, headquartered in Singapore, is one of the top solution providers for detecting and combating cyberattacks, identifying online fraud, investigating high-tech crimes, and safeguarding intellectual property. The company's Threat Intelligence and Research Centers are located in Dubai, Singapore, and Europe (Amsterdam). Group-IB actively participates in investigations conducted around the world by international law enforcement organisations, including INTERPOL and Europol. Group-IB is also a member of Europol's European Cybercrime Centre (EC3) Advisory Group on Internet Security, which was established to promote closer collaboration between Europol and its leading non-law enforcement partners.