Dark Pink Hackers Continue to Target Govt and Military Organizations

Cyber Security Threat Summary:
In 2023, the Dark Pink APT hacking group remains highly active, focusing its attacks on government, military, and education organizations in Indonesia, Brunei, and Vietnam. This threat group has been operational since around mid-2021, primarily concentrating its efforts on targets in the Asia-Pacific region. However, it was only in January 2023 that the group gained public attention following a report by Group-IB. According to the researchers, a thorough analysis of the group's past activities has revealed further instances of breaches. These include successful attacks on an educational institute in Belgium and a military organization in Thailand. During the recent series of attacks, Dark Pink demonstrated a revamped attack strategy by utilizing various persistence methods and introducing new tools for exfiltrating data. It is believed that their motive was to avoid detection by distancing their operations from publicly accessible indicators of compromise (IoCs).

“Dark Pink attacks continue to rely on ISO archives sent via spear-phishing for initial infection, which employs DLL side-loading to launch its signature backdoors, 'TelePowerBot' and 'KamiKakaBot.' A new element is that the attackers have now split KamiKakaBot's functionalities into two parts, namely device control and data theft. Also, the implant is now loaded from memory, never touching the disk. This helps evade detection as antivirus tools do not monitor processes that initiate in memory. KamiKakaBot continues to target data stored in web browsers and sends it to the attackers via Telegram. Moreover, the backdoor can download and execute arbitrary scripts on the breached device. Group-IB discovered that Dark Pink uses a private GitHub repository to host additional modules downloaded by its malware to compromised systems.
The threat actors performed only 12 commits on that repository throughout 2023, mainly to add or update malware droppers, PowerShell scripts, the ZMsg info-stealer, and the Netlua privilege escalation tool” (Bleeping Computer, 2023). One of the PowerShell scripts is critical to Dark Pink's lateral movement strategy, helping the group identify and interact with SMB shares within the network. The script fetches a ZIP archive from GitHub, saves it to a local directory, and then creates LNK files on each SMB share that point to the malicious executable in the archive. When these LNK files are opened, they launch the malicious executable, furthering Dark Pink's propagation across the network and extending its reach to additional systems. Dark Pink also used PowerShell commands to check for the presence of legitimate software and development tools on the compromised device that could be abused for its operations. However, Group-IB noted that it has not seen these tools abused in the observed attacks.

Security Officer Comments:
According to Group-IB's findings, Dark Pink has expanded its repertoire of data exfiltration techniques beyond the conventional method of sending ZIP archives to Telegram channels. In certain instances investigated by the analysts, the attackers leveraged Dropbox uploads for data exfiltration, while in other cases they employed HTTP exfiltration via temporary endpoints created using services like "Webhook[.]site" or Windows servers. The scripts can also exfiltrate data by creating new WebClient objects. These objects upload files to external addresses using the PUT method, with the target file locations being defined on the compromised computer. Group-IB's assessment suggests that Dark Pink remains undeterred by its previous exposure and is unlikely to cease its activities. It is highly probable that the group will continue enhancing its tools and diversifying its methods to the greatest extent possible.

Suggested Correction(s):
Group-IB has recommended the following mitigations regarding the Dark Pink APT group:

  • Use modern email protection measures to prevent initial compromise through spear-phishing emails.
  • Foster a strong cybersecurity culture in your workplace, including training staff to identify phishing emails.
  • Ensure that your security measures allow for proactive threat hunting in order to identify threats that cannot be detected automatically.
  • Limit access to file-sharing resources, except those used within the organization.
  • Monitor LNK files being created in unusual locations, such as network drives and USB devices.
  • Observe any use of commands and built-in tools that are frequently used for collecting information about the system and files.
  • Develop command line usage benchmarks for commonly used LOLBin techniques to uncover possible malicious activities.
  • Implement a monitoring system to detect any images mounted in the system, thereby proactively protecting against infections and identifying potential malicious activities.
  • Keeping your organization secure requires ongoing vigilance. Using a proprietary solution such as Group-IB Threat Intelligence can help shore up your security posture by equipping your security teams with the latest insights into new and emerging threats.
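The LNK-monitoring advice above can be turned into a triage step for shortcut files collected from network shares or USB media. The following is an added example, not code from the summary or from Group-IB: it parses the Shell Link (MS-SHLLINK) header, skips the ID list, reads the LocalBasePath from LinkInfo and the relative path and arguments from StringData, and flags links whose target is an executable or that hand a command line to PowerShell. The function names (parse_lnk, is_suspicious, build_lnk), the extension list and the cp1252 ANSI codepage are assumptions, and build_lnk only produces constructed sample shortcuts for offline testing, not any Dark Pink artifact.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # fixed Shell Link CLSID
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x1, 0x2, 0x4, 0x8
HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")

def parse_lnk(data: bytes) -> dict:
    """Pull target path and arguments out of raw .lnk bytes (MS-SHLLINK layout)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos, out = 0x4C, {"base_path": "", "rel_path": "", "args": ""}
    if flags & HAS_IDLIST:                      # LinkTargetIDList: skip it by its size field
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfo: LocalBasePath is NUL-terminated ANSI
        li_size, _, li_flags, _, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + lbp_off)
            out["base_path"] = data[pos + lbp_off:end].decode("cp1252")  # assumed ANSI codepage
        pos += li_size
    def read_string() -> str:                   # StringData item: CountCharacters, then chars
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + n * width]
        pos += 2 + n * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")
    for flag, key in ((HAS_NAME, None), (HAS_RELPATH, "rel_path"),
                      (HAS_WORKDIR, None), (HAS_ARGS, "args")):
        if flags & flag:                        # items appear in this fixed order
            value = read_string()
            if key:
                out[key] = value
    return out

def is_suspicious(info: dict) -> bool:
    """Flag links that launch an executable/script or hand a command line to PowerShell."""
    target = (info["base_path"] or info["rel_path"]).lower()
    return target.endswith(EXEC_EXT) or "powershell" in info["args"].lower()

def build_lnk(rel_path: str, args: str, idlist: bytes = b"") -> bytes:
    """Constructed sample: minimal Unicode .lnk with RELATIVE_PATH, ARGUMENTS, optional IDList."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE | (HAS_IDLIST if idlist else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    idl = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return header + idl + strings
```

Run parse_lnk over every .lnk found on a share and alert on is_suspicious hits, then pair the hit with the share path and creation time from the file system to separate newly dropped shortcuts from long-standing ones.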
Link(s):
https://www.bleepingcomputer.com/