A new advanced threat actor, tracked as Dark Pink by Group-IB and as Saaiwc Group by Anheng Hunting Labs, has been identified as the source of attacks on government agencies and military bodies across multiple countries in the APAC region. The group uses custom malware to steal confidential information and employs uncommon tactics, techniques, and procedures. Security researchers have observed the group using a custom toolkit that enables information theft and malware spread through USB drives. The actor relies on DLL side-loading and event-triggered execution to run its payloads on compromised systems.

Cybersecurity company Group-IB published a report indicating that the threat actor known as Dark Pink aims to steal information from the victim’s browsers, gain access to messengers, exfiltrate documents, and capture audio from the infected device’s microphone. The group is considered an advanced persistent threat (APT) because of its ability to launch successful attacks over a prolonged period. Group-IB reported that Dark Pink successfully launched at least seven attacks between June and December 2022. This highlights the importance of constantly monitoring and protecting against APT attacks, as they can cause severe damage to both individuals and organizations.

Initial compromise – Dark Pink APT

Dark Pink typically launches attacks by sending spear-phishing emails disguised as job applications to trick victims into downloading a malicious ISO image file. However, Group-IB has identified multiple variations in the group’s attack chain.

One variation includes an all-inclusive ISO file that contains a decoy document, a signed executable, and a malicious DLL file. The signed executable is used to load the malicious DLL through DLL side-loading, which deploys one of the group’s custom information stealers, Ctealer or Cucky. In the next stage, the group drops a registry implant called TelePowerBot.

Another attack chain uses a Microsoft Office document (.DOC) inside an ISO file. When the victim opens the file, it fetches a template with a malicious macro from GitHub. This macro is tasked with loading TelePowerBot and making Windows registry changes.

In December 2022, researchers observed a third attack chain closely resembling the first. However, instead of utilizing the TelePowerBot malware, the attackers employed a different custom malware known as KamiKakaBot. This malware was loaded onto the victim’s device using a malicious ISO file and the DLL side-loading technique. KamiKakaBot was specifically designed to read and execute commands, allowing attackers to carry out malicious activities on the infected device.
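The first and third attack chains above share one observable shape: a legitimately signed executable, delivered on a mounted ISO, loads an unsigned DLL that sits beside it. The following hunt, added here as an example and not code from Group-IB or the report, runs that check over constructed Sysmon-style "image loaded" records. The file paths, hostnames, DLL names and signature flags in the sample data are made up for illustration; the trusted-directory list is an assumption and would need tuning to a real estate.

```python
import ntpath

# Constructed Sysmon-style image-load events (Event ID 7 shape); the hosts,
# paths and DLL names below are invented sample data, not indicators from the report.
SAMPLE_IMAGE_LOADS = [
    {"host": "ws01", "process": r"C:\Windows\System32\svchost.exe",
     "dll": r"C:\Windows\System32\kernel32.dll", "proc_signed": True, "dll_signed": True},
    {"host": "ws01", "process": r"C:\Program Files\Vendor\app.exe",
     "dll": r"C:\Program Files\Vendor\helper.dll", "proc_signed": True, "dll_signed": True},
    # Side-loading shape: a signed executable in a user-writable directory loads an
    # unsigned DLL that resides in the same directory.
    {"host": "ws02", "process": r"C:\Users\alice\AppData\Local\Temp\resume_viewer.exe",
     "dll": r"C:\Users\alice\AppData\Local\Temp\version.dll", "proc_signed": True, "dll_signed": False},
    # Same shape, but the executable runs from a non-system volume (a mounted ISO
    # or removable drive), which matches the ISO-based delivery described above.
    {"host": "ws03", "process": r"E:\job_application\viewer.exe",
     "dll": r"E:\job_application\msvcp140.dll", "proc_signed": True, "dll_signed": False},
]

# Assumption: vendor software under these roots legitimately ships its own DLLs,
# so same-directory loads there are treated as expected.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_dir(directory):
    """True when the (lower-cased) directory lies under a protected install root."""
    return any((directory + "\\").startswith(root) for root in TRUSTED_DIRS)


def side_loading_candidates(events):
    """Flag image loads where a signed EXE loads an unsigned DLL from its own directory
    outside the trusted roots. Returns one finding per matching event, in input order."""
    findings = []
    for ev in events:
        proc_dir = ntpath.dirname(ev["process"]).lower()
        dll_dir = ntpath.dirname(ev["dll"]).lower()
        # Skip benign shapes: unsigned host process, signed DLL, or a DLL resolved
        # from somewhere other than the executable's directory.
        if not ev["proc_signed"] or ev["dll_signed"] or proc_dir != dll_dir:
            continue
        if is_trusted_dir(proc_dir):
            continue
        reasons = ["unsigned DLL loaded from the signed executable's own directory"]
        drive = ntpath.splitdrive(ev["process"])[0].lower()
        if drive != "c:":
            reasons.append("executable runs from a non-system volume (mounted ISO or removable drive)")
        findings.append({
            "host": ev["host"],
            "process": ntpath.basename(ev["process"]),
            "dll": ntpath.basename(ev["dll"]),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in side_loading_candidates(SAMPLE_IMAGE_LOADS):
        print(f["host"], f["process"], "->", f["dll"], "|", "; ".join(f["reasons"]))
```

The check deliberately requires both conditions (unsigned DLL and same directory as a signed host) so that ordinary search-order loads of signed system DLLs do not fire; the non-system-volume reason is only an enrichment, since it alone is not evidence of side-loading.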

Custom Malware

Cucky and Ctealer are malicious programs designed to steal personal information from web browsers. Cucky is written in .NET and Ctealer in C++; both target sensitive data such as passwords, browsing history, saved logins, and cookies from a list of browsers including Chrome, Microsoft Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser.

TelePowerBot, another harmful program, implants itself in the registry and launches automatically at system boot. Once activated, it connects to a Telegram channel from which it receives commands that it executes using PowerShell. This gives the attackers unauthorized access to the infected device’s systems and data.

Group-IB statement

“During infection, the threat actors execute several standard commands (e.g., net share, Get-SmbShare) to determine the network resources connected to the infected device. If network disk usage is found, they will begin exploring this disk to find files that may interest them and potentially exfiltrate them” – Group-IB.
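The TelePowerBot description and the Group-IB statement above together give a defender three behaviours to correlate per host: a Run-key persistence entry that launches a script host, PowerShell talking to Telegram, and share discovery via net share or Get-SmbShare. The following scoring hunt is an added example, not code from Group-IB or the report; it runs over constructed telemetry records. Assumptions: Telegram bot traffic goes to api.telegram.org, the rule weights and the alert threshold are arbitrary choices for illustration, and every host, path and command line in the sample data is invented.

```python
import ntpath
import re
from collections import defaultdict

# Process images that commonly act as script hosts for living-off-the-land persistence.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
# Matches "net share", "net1 share", "net.exe share" and the Get-SmbShare cmdlet.
SHARE_DISCOVERY = re.compile(r"\bnet1?(?:\.exe)?\s+share\b|\bGet-SmbShare\b", re.I)

# Constructed Sysmon-style events (registry value set, network connection, process
# creation). Hosts, keys, paths and command lines are sample data, not report IoCs.
SAMPLE_EVENTS = [
    {"host": "ws02", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\update.ps1"},
    {"host": "ws02", "type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net share"},
    {"host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-SmbShare"},
    # A benign host: a vendor Run key and one administrator running share discovery.
    {"host": "ws05", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"host": "ws05", "type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net share"},
]


def rule_run_key_script_host(ev):
    """Run/RunOnce value whose data launches a script host rather than an application."""
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
        return False
    return any(host in ev["data"].lower() for host in SCRIPT_HOSTS)


def rule_script_host_to_telegram(ev):
    """Script host opening a connection to the Telegram API (assumed C2 endpoint)."""
    if ev["type"] != "network":
        return False
    image = ntpath.basename(ev["image"]).lower()
    return image in SCRIPT_HOSTS and ev["dest_host"].lower() == "api.telegram.org"


def rule_share_discovery(ev):
    """Share enumeration as quoted from Group-IB; low weight because admins do this too."""
    return ev["type"] == "process" and bool(SHARE_DISCOVERY.search(ev["cmdline"]))


# (name, weight, predicate); weights are illustrative assumptions.
RULES = [
    ("run_key_script_host", 3, rule_run_key_script_host),
    ("script_host_to_telegram", 3, rule_script_host_to_telegram),
    ("share_discovery", 1, rule_share_discovery),
]


def score_hosts(events):
    """Return {host: {"score": int, "rules": [matched rule names]}} over all events."""
    scores = defaultdict(lambda: {"score": 0, "rules": set()})
    for ev in events:
        for name, weight, predicate in RULES:
            if predicate(ev):
                scores[ev["host"]]["score"] += weight
                scores[ev["host"]]["rules"].add(name)
    return {h: {"score": v["score"], "rules": sorted(v["rules"])} for h, v in scores.items()}


def flagged_hosts(events, threshold=4):
    """Hosts whose combined score reaches the threshold; a lone discovery command never does."""
    return sorted(h for h, v in score_hosts(events).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result["score"], result["rules"])
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The threshold is set so that share discovery alone (a routine administrator action) never alerts, while persistence through a script host plus script-host traffic to Telegram does; in production the weights would be tuned against the baseline of each environment.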

The commands available to KamiKakaBot can launch simple console tools or intricate PowerShell scripts. These scripts enable lateral movement through USB removable drives. KamiKakaBot, a .NET version of TelePowerBot, also has information-stealing capabilities: it targets data stored in Chrome-based and Firefox browsers, making it a powerful tool for the attackers.