Dark Pink APT Group 'Very Likely' Back in Action
Threat Actor That Recently Emerged Focuses on Asia-Pacific Region
Cybersecurity researchers say they are almost certain they have spotted traces of the advanced persistent threat group Dark Pink, which recently emerged, now apparently attacking victims with a newly improved obfuscation routine to evade anti-malware measures.
Netherlands cybersecurity firm EclecticIQ says that in February it identified a campaign using ISO images to deliver KamiKakaBot malware for stealing data stored in web browsers, such as saved credentials and cookies. The malware can also permit hackers to execute remote code.
Indicators from the February incidents were "almost identical" to the Dark Pink attack pattern Group-IB reported in January, EclecticIQ says. "Multiple overlaps" between the two campaigns led EclecticIQ researchers to conclude that the same threat actor is "very likely" behind the incidents.
Group-IB described Dark Pink as a threat group concentrating mainly on military and governmental agencies in the Asia-Pacific region. It said evidence exists to suggest the threat group began operations as early as mid-2021 but that its activities surged during the second half of 2022.
EclecticIQ says the group's objectives and patterns suggest a connection with Chinese state hackers. Its campaign phishing lures include documents that exploit diplomatic relations between Southeast Asian nations and European countries. At least one lure tried to take advantage of warming relations between Indonesia and Norway by sending putative invitations from Oslo diplomats.
Among the indicators that EclecticIQ says are almost identical to Group-IB's are execution of KamiKakaBot through a DLL side-loading technique and use of the social media platform Telegram for command and control.
"The KamiKakaBot and loader is a generic malware type and it’s currently only used by Dark Pink," write EclecticIQ researchers.
The new KamiKakaBot differs from the older version in its use of an open-source .NET obfuscation engine to hide itself from anti-malware detection, EclecticIQ states.
Obfuscation itself isn't new to KamiKakaBot: Group-IB researchers say that one version of the malware used highly obfuscated, base64-encoded PowerShell commands to create a handler in the Windows operating system registry for the .abcd file extension created by the malware. The file extension belongs to KamiKakaBot's core component, a tool that establishes persistence and communicates with Telegram.
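A defender's check for the registry-handler behaviour described above, written as an added example that is not code from the article, Group-IB or EclecticIQ: it parses a constructed .reg export (the sample data, its `.abcd` ProgID name and the encoded command are all assumptions made up here) and flags any file extension whose open handler launches PowerShell with a base64-encoded command, decoding the payload for analyst review.

```python
"""Flag file-extension handlers in a .reg export that run encoded PowerShell."""
import base64
import re


def _encoded_ps(cmd: str) -> str:
    # PowerShell's -EncodedCommand takes base64 of UTF-16LE text.
    return base64.b64encode(cmd.encode("utf-16le")).decode()


# Constructed sample export: a benign .txt handler and a made-up .abcd handler
# whose open command is a hidden, base64-encoded PowerShell invocation.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command]
@="%SystemRoot%\\\\system32\\\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\\.abcd]
@="abcdfile"

[HKEY_CLASSES_ROOT\\abcdfile\\shell\\open\\command]
@="powershell.exe -w hidden -enc {_encoded_ps('Write-Host demo')}"
"""

# powershell[.exe] ... -e/-ec/-enc/-encodedcommand <base64>  (prefixes PS accepts)
ENCODED_FLAG = re.compile(
    r"(?i)powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def parse_reg(text: str) -> dict:
    """Map each key path to its default (@) value; .reg escapes \\ and \" with a backslash."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r'^@="(.*)"$', line)
        if m and current:
            keys[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return keys


def find_encoded_handlers(text: str) -> list:
    """Return (extension, progid, decoded_command) for each suspicious handler."""
    keys, hits = parse_reg(text), []
    for path, progid in keys.items():
        ext = path.rsplit("\\", 1)[-1]
        if not ext.startswith("."):
            continue  # only file-extension keys map to a ProgID
        cmd = keys.get(f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command", "")
        m = ENCODED_FLAG.search(cmd)
        if m:
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
            hits.append((ext, progid, decoded))
    return hits


if __name__ == "__main__":
    for ext, progid, cmd in find_encoded_handlers(SAMPLE_REG):
        print(f"{ext} -> {progid}: encoded PowerShell decodes to {cmd!r}")
```

On a live host the same logic applies to `reg export HKCR` output; a handler for an extension no installed application owns, decoding to a download or persistence command, is the signal to pivot on.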
Another version of KamiKakaBot uses a technique known as template injection to infect computers by embedding an ISO image in a Microsoft Word document. The antivirus evasion comes not from embedding malicious code within the Word document itself but from infecting the machine with macros containing several forms with fields, which Windows reads during execution and uses to set a value in the registry.