Dark Pink: Emerging Threat Actor Overview 

What is Dark Pink? 

An emerging campaign of advanced persistent threat (APT) attacks is spreading across the Asia-Pacific (APAC) region, and it has been attributed to a new group called Dark Pink (also known as Saaiwc Group by some Chinese researchers). While evidence suggests that the group has likely been active since mid-2021, their first known successful attack wasn’t observed until June 2022. This ongoing campaign is sophisticated and employs numerous distinct kill chains and multiple custom-crafted tools written in several programming languages, which gives the attackers flexibility in gaining access to a victim’s network and maintaining persistence. The attackers use advanced techniques like DLL side-loading and Event Triggered Execution: Change Default File Association to launch their custom malware and evade detection. They also infect removable drives and use the Telegram API for communication and exfiltration of data. 

Attack Details: Tailored Spear-Phishing Emails 

Like other successful campaigns, Dark Pink’s attacks originate with a tailored spear-phishing email. The emails are designed to look like job applications to lure victims into downloading malicious ISO (optical disc image) files. These images are personalized and contain a signed executable, a decoy document, and a malicious Dynamic Link Library (DLL) file. Dark Pink operators use DLL side-loading, a technique that enables them to mask their actions under a legitimate and trusted process, to launch their custom malware. In one instance, they also used a rarely seen technique called Event Triggered Execution: Change Default File Association to launch the TelePowerBot malware and maintain persistence. In addition to infecting the victim’s device, the threat actors also infect any removable drives that are present. They obtain the payload from GitHub, decrypt it, and move it to the directory of the removable disk. Then, batch (BAT) and shortcut (LNK) files are created so that the malicious payload starts automatically on the target machine. All communication between the devices of the threat actors and the victims is based on the Telegram API, and any data harvested is exfiltrated in ZIP archives via Telegram, Dropbox, or email. 

Custom Toolkit 

Dark Pink uses PowerShell scripts and custom information stealers and trojans, with the aim of stealing confidential documentation held on the networks of its victims. The group’s custom toolkit includes: 

  • Cucky: A simple custom stealer developed in .NET. It can steal passwords, history, logins, and cookies from numerous targeted web browsers. Cucky doesn’t communicate with the network; instead, it saves information in the folder %TEMP%\backuplog.  
  • Ctealer: Equivalent to Cucky, except developed in C/C++.  
  • TelePowerBot: A registry implant that launches via a script at system boot and connects to a Telegram channel from where it receives PowerShell commands to execute. 
  • KamiKakaBot: A .NET version of TelePowerBot with some additional information-stealing capabilities. 
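
The behaviors listed above leave traces a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor: it flags writes to the %TEMP%\backuplog staging folder, lookups of the Telegram API host by processes outside an allowlist, and BAT/LNK files created on removable drives. The event field names, the allowlist, and the assumption that the Telegram API traffic targets api.telegram.org are illustrative and must be mapped to your own log schema.

```python
from collections import defaultdict
import ntpath

# Assumed allowlist: processes approved to reach the Telegram API here; tune per site.
TELEGRAM_CLIENTS = {"telegram.exe"}
TELEGRAM_API_HOST = "api.telegram.org"

def classify(event):
    """Map one telemetry event to a finding label, or None if unremarkable."""
    image = ntpath.basename(event.get("image", "")).lower()
    path = event.get("path", "").lower()
    if event["type"] == "dns_query":
        host = event.get("query", "").lower().rstrip(".")
        # TelePowerBot/KamiKakaBot receive their commands through Telegram.
        if host == TELEGRAM_API_HOST and image not in TELEGRAM_CLIENTS:
            return "telegram-api-from-non-client"
    elif event["type"] == "file_create":
        # Cucky/Ctealer save stolen browser data in %TEMP%\backuplog.
        if "\\temp\\backuplog\\" in path + "\\":
            return "stealer-staging-dir"
        # BAT/LNK files dropped on a removable disk (drive_type is an assumed field).
        if event.get("drive_type") == "removable" and path.endswith((".bat", ".lnk")):
            return "script-or-shortcut-on-removable-drive"
    return None

def triage(events):
    """Group findings by host so overlapping signals are reviewed together."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev["host"]].add(label)
    return dict(findings)

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "dns_query", "query": "api.telegram.org",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-01", "type": "file_create", "image": r"C:\Users\a\Downloads\viewer.exe",
     "path": r"C:\Users\a\AppData\Local\Temp\backuplog\cookies.txt"},
    {"host": "WS-01", "type": "file_create", "image": "powershell.exe",
     "path": r"E:\run.bat", "drive_type": "removable"},
    {"host": "WS-02", "type": "dns_query", "query": "api.telegram.org",
     "image": r"C:\Users\b\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"host": "WS-02", "type": "file_create", "image": "explorer.exe",
     "path": r"C:\Users\b\Documents\backuplog.txt"},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, sorted(labels))
```

A host that raises more than one of these labels, like the constructed WS-01 here, deserves priority review; each signal on its own can have benign causes.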


Dark Pink is an emerging APT group that has been attributed to a string of attacks across the APAC region. The group’s first successful attack was observed in June 2022, when it infiltrated a religious organization in Vietnam. However, researchers have noted that Dark Pink threat actors have been using the same GitHub account for uploading malicious files since at least mid-2021 and have successfully carried out six more attacks since then. The group’s targets have included military and government agencies, religious groups, and non-profit organizations. These attacks have been observed in several countries, including Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam. According to security researchers, Dark Pink’s primary goals are to conduct corporate espionage, steal documents, capture audio using the microphone of infected devices, and exfiltrate data from messengers. 

The group’s attacks are highly sophisticated and use advanced techniques like DLL side-loading and Event Triggered Execution: Change Default File Association to evade detection. This makes them a significant threat to both private and public institutions in the APAC region. Organizations in the region should be vigilant and take appropriate security measures to defend against Dark Pink’s attacks. 

Conclusion: Employee Training Against Dark Pink is Key 

Dark Pink’s campaign highlights the continued dangers of spear-phishing campaigns against organizations. With the primary goal of espionage, an advanced persistent threat group, like Dark Pink, could remain undetected on a system for months, or even years, stealing corporate information. Continued employee training and strengthening email security solutions to detect and stop threat actors before they can penetrate network perimeters are imperative to maintaining a healthy network. 

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub. 


