Dark Pink APT Group ‘Very Likely’ Back in Action
Next-Generation Technologies & Secure Development , Threat Intelligence
Recently-Emerged Threat Actor Focuses on Asia Pacific Mihir Bagwe (MihirBagwe) • March 13, 2023 Image: Shutterstock
Cybersecurity researchers say they’ve almost certainly spotted traces of the recently-emerged advanced persistent threat group Dark Pink, now apparently attacking victims with a newly improved obfuscation routine to evade anti-malware measures.
See Also: Live Webinar | Defend Against Threats
Netherlands cybersecurity firm EclecticIQ says in February it identified a campaign using ISO images to deliver KamiKakaBot malware for stealing data stored in web browsers such saved credentials and cookies. The malware can also permit hackers to execute remote code.
Indicators from the February incidents were “almost identical” to the Dark Pink attack pattern Group-IB reported in January, EclecticIQ says. “Multiple overlaps” between the two campaigns led EclecticIQ researchers to conclude that the same threat actor is “very likely” behind the incidents.
Group-IB described Dark Pink as a threat group concentrating mainly on military and governmental agencies in the Asia Pacific region. It said evidence exists to suggest the threat group began operations as early as mid-2021, but that its activities surged during the second half of 2022. EclecticIQ says the group’s objectives and patterns suggest a connection with Chinese state hackers. Its campaign phishing lures include documents that exploit diplomatic relations between Southeast Asian nations and European countries. At least one lure tried to take advantage of warming relations between Indonesia and Norway by sending putative invitations from Oslo diplomats.
Among the almost identical indicators that EclecticIQ say match up with Group-IB’s indicators are execution of the KamiKakaBot through a DLL side-loading technique and use of the social media platform Telegram as command and control.
“The KamiKakaBot and loader is a generic malware type and it’s currently only used by Dark Pink,” write EclecticIQ researchers.
The new KamiKakaBot differs from the older version through an open-source .NET obfuscation engine to hide itself from anti-malware detection, EclecticIQ states.
Obfuscation itself isn’t new to KamiKakaBot since Group-IB researches notes that one version of the malware used highly obfuscated PowerShell commands sotred in base64 view in order to create a handler in the Windows operating system registry for the .abcd file extension created by the malware. The file extension belongs to KamiKakaBot’s core malware, a tool that establishes persistence and communicated with Telegram.
Another version of the KamiKakaBot uses a technique known as Template Injection to infect computers by embedding an ISO image in a Microsoft Word document. The antivirus evasion comes from not embedding malicious code within the Word document but instead infecting the machine by using macros containing several forms with field, which during execution are read and used by Windows to establish a value in the registry.