Recently, MyCERT was informed of an APT attack that targeted several countries in the APAC region, particularly in South East Asia. The activity is possibly linked to the threat actor (TA) Dark Pink, the name given by Group-IB to a group generally associated with APT attacks. However, at present Group-IB cannot attribute the campaign to any known threat actor, which makes it highly likely that Dark Pink is an entirely new APT group. The name Dark Pink was coined based on some of the email addresses used by the threat actors during data exfiltration. The APT group has also been termed Saaiwc Group by Chinese cybersecurity researchers.
Dark Pink launched seven successful attacks against high-profile targets between June and December 2022. The victims are located in five APAC countries (Vietnam, Malaysia, Indonesia, Cambodia and the Philippines) and one European country, Bosnia and Herzegovina. Victims included military bodies, government and development agencies, religious organisations, and non-profit organisations. For instance, one unsuccessful attack was launched against a European state development agency based in Vietnam in October 2022. The Dark Pink APT timeline and targets are shown in Figure 1.
Figure 1 - Dark Pink APT timeline and targets
A successful attack enables corporate espionage: stealing or capturing documents, capturing audio from the infected device's microphone, and exfiltrating data from messaging applications.
3.0 Tactics, Techniques and Procedures (TTPs)
3.1 - Initial access
Dark Pink used spear-phishing emails to gain initial access to victims' machines. Group-IB found the original email sent by the threat actors to victims, in which the threat actor posed as a job applicant applying for a PR and Communications internship position in a potential victim's organisation. In the email, the threat actor mentions that the vacancy was found on a jobseeker site, which suggests that the threat actors scanned job recruitment advertisements on the Internet and used this information to craft spear-phishing emails.
This email contains a shortened URL that links to a free-to-use file-sharing site, from which the victim is invited to download an optical disc image (ISO) containing the files the TA uses to infect the victim's network. During the investigation into Dark Pink, it was discovered that the threat actors leveraged several different ISO images. Notably, some of the documents contained in these ISO images varied from case to case. According to the information available, it is strongly believed that the Dark Pink TA crafted a unique email for each victim. The threat actors can also send the malicious ISO image to the victim as a direct email attachment.
Figure 2 - Screenshot of original spear-phishing email sent by Dark Pink APT noting the storage of the ISO image on a file-sharing site.
The ISO images sent in the spear-phishing emails contained varying numbers of files. Three types of files are found in all of the ISO images sent by the threat actors: a signed executable file, a non-malicious decoy document (e.g. .doc, .pdf, or .jpg), and a malicious DLL file. Since the spear-phishing email concerns a job application, it is assumed that the victim will first look for the supposed applicant's resume, which is usually sent as an MS Word document. However, in Dark Pink attacks the threat actors include a .exe file in the ISO image that mimics an MS Word file: the file name contains ".doc" and the file carries the MS Word icon, so the victim is led to believe it is safe to open.
Figure 3 - Screenshot detailing the five files contained in one ISO image seen by Group-IB. Note that the .doc and .dll files are in hidden view.
Should the victim execute the .exe file first, the malicious DLL file located in the same folder as the .exe file is loaded and executed automatically. This technique is known as DLL Side-Loading. The primary function of the DLL is to ensure that the threat actors' core malware, TelePowerBot, gains persistence. Before execution completes, the decoy document (e.g. a letter or resume) is shown on the victim's screen.
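A triage heuristic for the ISO layout described above (a signed .exe with ".doc" in its name, a hidden DLL beside it, hidden decoy documents). This is an added example written for this advisory, not MyCERT's or Group-IB's code; the file names in the sample listing are constructed, not indicators from the report.

```python
from dataclasses import dataclass

DOC_LIKE = (".doc", ".docx", ".pdf", ".jpg", ".xls", ".ppt")
EXECUTABLE = (".exe", ".scr", ".com")

@dataclass
class Entry:
    name: str      # file name inside the ISO
    hidden: bool   # hidden flag set in the image's file system

def masquerades_as_document(name: str) -> bool:
    """Executable whose stem contains a document extension,
    e.g. 'Resume.doc.exe' (the .exe-posing-as-Word trick above)."""
    lower = name.lower()
    if not lower.endswith(EXECUTABLE):
        return False
    stem = lower.rsplit(".", 1)[0]
    return any(ext in stem for ext in DOC_LIKE)

def triage_iso_listing(entries):
    """Return (finding, file name) pairs for one ISO listing."""
    findings = []
    exes = [e for e in entries if e.name.lower().endswith(EXECUTABLE)]
    for e in exes:
        if masquerades_as_document(e.name):
            findings.append(("exe-masquerading-as-document", e.name))
    # A DLL shipped beside an executable is the precondition for
    # DLL side-loading; a hidden one is more suspicious still.
    for d in entries:
        if exes and d.name.lower().endswith(".dll"):
            kind = "hidden-dll-beside-exe" if d.hidden else "dll-beside-exe"
            findings.append((kind, d.name))
    # Hidden document files match the decoy shown after execution.
    for e in entries:
        if e.hidden and e.name.lower().endswith(DOC_LIKE):
            findings.append(("hidden-decoy-document", e.name))
    return findings

# Constructed listing modelled on the five-file ISO described at Figure 3;
# the names are invented, not taken from the report.
SAMPLE_ISO = [
    Entry("Job_Application.doc.exe", hidden=False),  # signed exe with Word icon
    Entry("Job_Application.doc", hidden=True),       # decoy document
    Entry("support.dll", hidden=True),               # side-loaded DLL
    Entry("photo.jpg", hidden=False),
    Entry("cover_letter.pdf", hidden=False),
]
```

Run `triage_iso_listing(SAMPLE_ISO)` over a listing extracted from a quarantined image; any masquerading executable together with a hidden DLL is the pattern this campaign relies on.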
3.2 - Trojan execution and persistence
A notable finding is how TelePowerBot or KamiKakaBot is launched on the victim's machine. The malicious DLL file carrying one of these two malware families can be found inside the ISO image sent in spear-phishing campaigns. In one instance, the threat actors used a chain of MS Office documents and leveraged Template Injection, whereby the threat actors inserted into the initial document a link to a template document containing malicious macro code. In two other cases examined by Group-IB researchers, the threat actors behind Dark Pink launched their malware via the DLL Side-Loading technique. In total, three different kill chains are leveraged by the threat actors, as detailed below.
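The Template Injection link mentioned above is an external `attachedTemplate` relationship in the document's `word/_rels/settings.xml.rels` part, which Word follows when the file is opened. The following check for that relationship is an added example, not code from MyCERT or Group-IB; it constructs a skeletal .docx in memory, and the template URL it uses is a placeholder, not an indicator from the report.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument"
                     "/2006/relationships/attachedTemplate")

def external_templates(docx_bytes):
    """Return external Target values of attachedTemplate relationships
    in word/_rels/settings.xml.rels; [] when the document has none."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        # Internal relationships point at parts inside the package;
        # only External ones make Word fetch a template elsewhere.
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode", "Internal") == "External"):
            hits.append(rel.get("Target", ""))
    return hits

def build_docx(template_target=None):
    """Construct a skeletal .docx in memory; when a target is given,
    attach it as an external template the way the technique does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            zf.writestr("word/settings.xml",
                        '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{REL_NS}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>'
                        '</Relationships>')
    return buf.getvalue()

# Constructed samples: a benign skeleton and one that points at a
# placeholder host (not an indicator from the report).
CLEAN_DOC = build_docx()
INJECTED_DOC = build_docx("http://template-host.example/resume.dotm")
```

A non-empty result on a real attachment is worth quarantining and blocking at the mail gateway before any macro code is ever fetched.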
3.2.1 - Kill Chain 1: All-inclusive ISO
The first variant of the infection chain starts with an ISO image being sent to the victim through spear-phishing emails. This ISO image includes a malicious DLL file, which contains TelePowerDropper (the name given by Group-IB). The primary goal of this DLL file is to gain persistence for TelePowerBot in the registry of the infected machine. Sometimes, the DLL file can also launch the threat actors' proprietary stealers (Ctealer or Cucky), which parse data from browsers on the victim's machine and store it in a local folder. It is important to note that launching any kind of stealer is optional during initial access: Dark Pink can send special commands to download and launch a stealer during all phases of the attack.
Figure 4 - Graphic detailing the full scheme of Kill Chain 1