Group-IB uncovered Dark Pink APT, involved in attacks on government agencies and military facilities in the Asia-Pacific region using special malware to steal information.

Previously, ART has already come to the attention of Chinese researchers from Anheng Hunting Labs, who track the grouping as Saaiwc Group. The report describes some chains of attacks, one of which is implemented using a Microsoft Office template with malicious macros to exploit the old and dangerous CVE-2017-0199.

Group-IB noted that Dark Pink is characterized by unique TTP, and the user-defined set of tools found in the attacks can be used to steal information and distribute malware via USB drives.

The attacker uses unpublished DLL downloads and event-triggered methods to extract payloads on the victims' systems.

The attacker's goal is to steal information from browsers, gain access to messengers, exfiltration of documents and interception of acoustic information from the microphone of an infected device.

According to resellers, during the period from June to December 2022, Dark Pink managed to implement at least seven successful attacks.

A typical initial vector of Dark Pink attacks is phishing emails on the subject of hiring, which fraudulently forced the victim to download a malicious ISO image file.

But other variants of the chain of attacks have also been identified. In particular, the actor also used an ISO file with a decoy document, a signed executable file and a malicious DLL, which led to the deployment of one of the two user stillers by side loading the DLL.

Cucky and Ctealer are special information theft software written in .NET and C++, respectively, aimed at extracting passwords, browsing history, saved login and cookies from all known web browsers.

At the next stage, a registry implant called TelePowerBot was reset, which runs through a script when the system boots and connects to the Telegram channel, from where it receives PowerShell commands to execute.

As a rule, commands allow you to run simple console tools or complex PowerShell scripts that provide lateral movement through removable USB drives.

Another option included a Microsoft Office document (.DOC) inside an ISO file, when opened from GitHub, a template with a malicious macro was extracted, which implemented downloading TelePowerBot and making changes to the Windows registry.

The third chain of attacks, practiced in December 2022, was identical to the first. However, instead of TelePowerBot, another special malware was loaded, which the researchers call KamiKakaBot, designed to execute commands.

KamiKakaBot is .NET is a version of TelePowerBot that also has information theft capabilities targeting data stored in Chrome and Firefox-based browsers.

In addition to these tools, Dark Pink also used a script to record audio through a microphone in a minute interval. The data is saved as a ZIP archive in a temporary Windows folder, after which it is transmitted via a Telegram bot.

In addition, the attacker used a special ZMsg utility to exfiltrate information from messengers, which steals correspondence from Viber, Telegram and Zalo.

The results of the analysis of the activity of Dark Pink allowed Group-IB to state the success of seven attacks with a high probability, but the researchers believe that there could have been significantly more of them.