Dark Pink Ramps Up Cyberespionage Attacks, Hits New Targets

A recently emerged threat actor dubbed Dark Pink is updating its custom tool set in a bid to evade detection while expanding its operations to new Southeast Asian targets.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

The threat actor, also tracked as Saaiwc Group by security researchers at Chinese company Tencent, now uses a malicious Microsoft Excel add-in to ensure persistence, said Group-IB.

The threat intel firm counts 13 total victims of Dark Pink, which first became active in mid-2021, mainly in the Asia-Pacific region. So far this year, its targets include government agencies in Brunei and Indonesia. Group-IB said it also has identified an attack against an educational institution in Belgium, launched in February 2022, and a Thai military agency, launched in October. Previously identified victims include government, military and religious organizations in Vietnam, the Philippines, Malaysia and Cambodia, as well as a government ministry in Bosnia and Herzegovina.

The Excel add-in doesn’t communicate with the command-and-control infrastructure every time an infected device is powered on, but rather every time the victim starts up Excel. Dark Pink malware downloads the Excel extension during the infection process, obtaining it from the group’s GitHub page. Dark Pink also deploys decryption in its binaries in a bid to avoid sandbox analysis or detection through static analysis.

Dutch cybersecurity company EclecticIQ in March said it had observed Dark Pink actors using improved obfuscation routines to evade anti-malware measures. The APT group displayed interest in diplomatic engagements between European and Asia-Pacific countries, which to EclecticIQ a connection with Chinese state hackers (see: Dark Pink APT Group ‘Very Likely’ Back in Action).

Dark Pink continues to use the same infection chain as in previous attacks – luring victims to download an ISO file that contains a decoy MS Word document, a signed executable file and a malicious DLL file. The DLL file acts as a malware dropper, using an MSBuild utility to launch the malware dubbed KamiKakaBot that executes commands sent by Dark Pink actors from a Telegram channel via a Telegram bot. Hackers can tell KamiKakaBot to steal web browser data, download and execute scripts and update the identifier used to reach the Telegram bot.

Dark Pink shifted to a new GitHub account to store PowerShell scripts, zip archives and custom malware shortly after security researchers made their research about the group’s activities public.

Group-IB’s analysis of the GitHub repository’s contents revealed the presence of a tool designed to steal information from messaging app Zalo and a tool that hackers use to elevates privileges and launch PowerShell commands. Dark Pink deactivated the repository when URLs for its files were uploaded to VirusTotal.