    Dark Pink APT Group Targets Governments and Military in APAC Region

By justmattg | January 16, 2023


    Dark Pink APT Group

Government and military organizations in the Asia-Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor, according to the latest research conducted by Albert Priego of Group-IB.

    Singapore-headquartered Group-IB, in a report shared with The Hacker News, said it’s tracking the ongoing campaign under the name Dark Pink and attributed seven successful attacks to the adversarial collective between June and December 2022.

The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam.

    The threat actor is estimated to have commenced its operations way back in mid-2021, although the attacks ramped up only a year later using a never-before-seen custom toolkit designed to plunder valuable information from compromised networks.

    “Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers,” Group-IB researcher Andrey Polovinkin said, describing the activity as a “highly complex APT campaign launched by seasoned threat actors.”

    Group-IB told The Hacker News that there is not enough data to explicitly attribute the threat actor to a particular country, but noted that it’s likely of Asia-Pacific origin given the geolocation of identified victims.

In addition to its sophisticated malware arsenal, the group has been observed using spear-phishing emails to initiate its attacks and the Telegram API for command-and-control (C2) communications.

Also notable is the use of a single GitHub account for hosting malicious modules, one that has been active since May 2021, suggesting that Dark Pink has been able to operate without being detected for over 1.5 years.

    The Dark Pink campaign further stands out for employing multiple infection chains, wherein the phishing messages contain a link to a booby-trapped ISO image file to activate the malware deployment process. In one instance, the adversary posed as a candidate applying for a PR internship.

    It’s also suspected that the hacking crew may be trawling job boards in order to tailor their messages and increase the likelihood of success of their social engineering attacks.

    The ultimate goal is to deploy TelePowerBot and KamiKakaBot, which are capable of executing commands sent via an actor-controlled Telegram bot, in addition to using bespoke tools like Ctealer and Cucky to siphon credentials and cookies from web browsers.

While Ctealer is written in C/C++, Cucky is a .NET program. Another custom malware is ZMsg, a .NET-based application that allows Dark Pink to harvest messages sent via messaging apps such as Telegram, Viber, and Zalo.

    An alternate kill chain identified by Group-IB utilizes a decoy document included in the ISO file to retrieve a rogue macro-enabled template from GitHub, which, in turn, harbors TelePowerBot, a PowerShell script malware.

    That’s not all. A third method spotted recently in December 2022 sees the launch of KamiKakaBot, a .NET version of TelePowerBot, with the help of an XML file containing an MSBuild project that’s located at the end of a Word document in encrypted view. The Word file is present in an ISO image sent to the victim in a spear-phishing email.
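As an added defensive example (not code from Group-IB's report or from this article), the following Python check looks for the KamiKakaBot delivery trait described above: an MSBuild project placed after the end of a Word (OOXML) file's ZIP structure. The tag list and the sample document are constructed assumptions, not indicators taken from the report.

```python
import io
import re
import struct
import zipfile

# Namespace of MSBuild project files; an inline task element is the part that carries code.
MSBUILD_NS = b"http://schemas.microsoft.com/developer/msbuild/2003"
# Assumed markers of an inline task (constructed list for this example).
INLINE_TASK_MARKERS = [b"UsingTask", b"CodeTaskFactory", b"RoslynCodeTaskFactory", b"<Code"]

def zip_end_offset(data: bytes) -> int:
    """Offset just past the OOXML (ZIP) archive, or -1 if no End Of Central Directory
    record exists. The EOCD is 22 bytes plus an optional comment whose length is its last field."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd == -1 or eocd + 22 > len(data):
        return -1
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return eocd + 22 + comment_len

def find_appended_msbuild(data: bytes):
    """Return a finding dict when an MSBuild project is embedded in the file, else None."""
    m = re.search(rb"<Project\b[^>]*" + re.escape(MSBUILD_NS), data)
    if not m:
        return None
    tail = data[m.start():]
    end = zip_end_offset(data)
    return {
        "offset": m.start(),
        # True when the project sits beyond the legitimate document structure.
        "after_archive": end != -1 and m.start() >= end,
        "inline_task_markers": [t.decode() for t in INLINE_TASK_MARKERS if t in tail],
    }

def build_sample(append_msbuild: bool) -> bytes:
    """Constructed sample: a minimal .docx-like ZIP, optionally with an MSBuild project appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    data = buf.getvalue()
    if append_msbuild:
        data += (b'<Project xmlns="' + MSBUILD_NS + b'">'
                 b'<UsingTask TaskName="T" TaskFactory="CodeTaskFactory">'
                 b'<Task><Code Type="Class"/></Task></UsingTask></Project>')
    return data

if __name__ == "__main__":
    print(find_appended_msbuild(build_sample(True)))
```

Run against real files, combine this with the rest of the chain the article describes (ISO attachment, document launched from the mounted image) rather than treating a hit on its own as proof of compromise.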

    “The threat actors behind this wave of attacks were able to craft their tools in several programming languages, giving them flexibility as they attempted to breach defense infrastructure and gain persistence on victims’ networks,” Polovinkin explained.

    A successful compromise is followed by reconnaissance, lateral movement, and data exfiltration activities, with the actor also using Dropbox and email in some cases to transmit files of interest. The malware, besides recording microphone audio via the Windows Steps Recorder tool, is tasked with taking screenshots and infecting attached USB disks to propagate TelePowerBot.

    “The use of an almost entirely custom toolkit, advanced evasion techniques, the threat actors’ ability to rework their malware to ensure maximum effectiveness, and the profile of the targeted organizations demonstrate the threat that this particular group poses,” Polovinkin said.
