Group-IB continues to track APT Dark Pink (aka Saaiwc Group), linking it to five new attacks on educational, government, military and non-profit organizations in Belgium, Brunei, Indonesia, Thailand and Vietnam between February 2022 and April 2023.
The APT, believed to be of Asia-Pacific origin, primarily attacks targets in East Asia and, to a lesser extent, Europe, relying on spear phishing and malicious ISO archives, as well as a suite of custom tools: TelePowerBot and KamiKakaBot.
In recent campaigns, Dark Pink has demonstrated an updated attack chain, implemented various persistence mechanisms, and deployed new data exfiltration tools, likely trying to avoid detection by distancing its operations from public IoCs.
The new element is that the attackers have now split the functionality of KamiKakaBot into two parts: device control and data theft. The implant is also now loaded directly in memory, leaving no trace on disk.
Group-IB researchers have discovered that Dark Pink uses a GitHub repository to host additional modules loaded by its malware onto compromised systems.
The attackers made only 12 commits to this repository during 2023, mostly to add or update droppers, PowerShell scripts, the ZMsg information stealer, and the Netlua privilege escalation tool.
In addition, Dark Pink implements a variety of data exfiltration methods that go beyond sending ZIP archives to Telegram channels.
In some cases the attackers used Dropbox, and in others HTTP exfiltration to a temporary endpoint created with the Webhook.site service or to Windows servers.
Another noteworthy aspect is the use of a Microsoft Excel add-in to ensure that the TelePowerBot persists on the infected host.
Based on the artifacts studied, the researchers suspect that the group's set of victims may be broader than previously thought. After all, the APT carefully selects its targets and keeps the number of attacks to a minimum in order to reduce the likelihood of exposure.
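The report notes Excel add-in persistence for TelePowerBot but does not state which loading mechanism the group used. The following PowerShell script is an added example (not from the article or Group-IB) that enumerates the standard Excel auto-load locations on a Windows host: the per-user and per-installation XLSTART folders, the `AltStartup` folder, the `OPEN`/`OPENn` values under `Excel\Options`, and the `Add-in Manager` key. It assumes Office 2016 or later (registry version key `16.0`) and the default Office install path; any add-in it lists is something the responder should check against a known-good baseline.

```powershell
# Enumerate Excel add-in persistence locations for the current user.
# Added example for triage; paths and registry keys are the documented
# Excel auto-load locations, assumed here for Office 16.0 (2016/2019/365).
$officeVersion = '16.0'   # assumption: adjust for the installed Office version
$optionsKey    = "HKCU:\Software\Microsoft\Office\$officeVersion\Excel\Options"
$addinMgrKey   = "HKCU:\Software\Microsoft\Office\$officeVersion\Excel\Add-in Manager"

$findings = @()

# 1. XLSTART folders: any .xla/.xlam/.xlsm/.xlsb/.xls here is opened when Excel starts.
$startupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Excel\XLSTART'),
    'C:\Program Files\Microsoft Office\root\Office16\XLSTART',        # assumption: default install path
    'C:\Program Files (x86)\Microsoft Office\root\Office16\XLSTART'
)

# 2. AltStartup: an additional user-defined auto-open folder.
if (Test-Path $optionsKey) {
    $alt = (Get-ItemProperty -Path $optionsKey -ErrorAction SilentlyContinue).AltStartup
    if ($alt) { $startupDirs += $alt }
}

foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{
                Source   = "Folder: $dir"
                Item     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# 3. OPEN, OPEN1, OPEN2 ... values: each names a file Excel loads at startup.
if (Test-Path $optionsKey) {
    Get-ItemProperty -Path $optionsKey | Get-Member -MemberType NoteProperty |
        Where-Object { $_.Name -match '^OPEN\d*$' } | ForEach-Object {
            $value = (Get-ItemProperty -Path $optionsKey).($_.Name)
            $findings += [pscustomobject]@{
                Source   = "Registry: $optionsKey\$($_.Name)"
                Item     = $value
                Modified = $null
                SHA256   = $null
            }
        }
}

# 4. Add-in Manager: add-ins registered for Excel (may include inactive ones).
if (Test-Path $addinMgrKey) {
    Get-ItemProperty -Path $addinMgrKey | Get-Member -MemberType NoteProperty |
        Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            $findings += [pscustomobject]@{
                Source   = "Registry: $addinMgrKey"
                Item     = $_.Name
                Modified = $null
                SHA256   = $null
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Excel auto-load add-ins found for the current user.'
} else {
    $findings | Sort-Object Source, Item | Format-Table -AutoSize -Wrap
}
```

Run it in the context of the user whose Excel profile is being examined; the registry keys are per-user, so a host with several accounts needs one run per account (or a loop over `HKU:`). Items that point outside the expected Office directories, were modified around the suspected compromise window, or whose hash is unknown to the organisation are the ones to pull for analysis.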
Group-IB believes that since its previous exposure, Dark Pink has not curtailed its activity, but has continued to update its toolkit and TTPs while carrying out new campaigns.
https://www.group-ib.com/blog/dark-pink-episode-2/
