A new advanced persistent threat (APT) group dubbed 'Dark Pink' by Group-IB (and 'Saaiwc Group' by Chinese cybersecurity researchers) has been spotted targeting various entities across Asia-Pacific and Europe, mainly with spear phishing techniques.
According to a new advisory published by Group-IB earlier today, Dark Pink began operations as early as mid-2021, although the group’s activity sharply increased in mid-to-late 2022.
“To date, [we have] uncovered seven confirmed attacks by Dark Pink,” reads the technical write-up. “The bulk of the attacks were carried out against countries in the APAC region, although the threat actors spread their wings and targeted one European governmental ministry."
More specifically, Group-IB identified two military entities in the Philippines and Malaysia, a religious organization in Vietnam, and government agencies in Cambodia, Indonesia and Bosnia and Herzegovina.
The security experts also spotted an unsuccessful attack on a Vietnam-based European state development agency.
“Group-IB’s early research into Dark Pink has revealed that these threat actors are leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups,” reads the advisory.
These include a custom toolkit featuring TelePowerBot, KamiKakaBot and Cucky and Ctealer information stealers. Further, Dark Pink can also infect USB devices attached to compromised computers.
“Dark Pink threat actors utilize two core techniques: DLL Side-Loading and executing malicious content triggered by a file type association [...] The latter of these tactics is one rarely seen utilized in the wild by threat actors,” Group-IB explained.
The security team also added that threat actors had created a set of PowerShell scripts for communications between victims and threat actors’ infrastructure and used Telegram API for all communication between them and infected infrastructure.
“The threat actors behind Dark Pink were able, with the assistance of their custom toolkit, to breach the defenses of governmental and military bodies in a range of countries in the APAC and European regions,” Group-IB wrote.
“Dark Pink’s campaign once again underlines the massive dangers that spear-phishing campaigns pose for organizations, as even highly advanced threat actors use this vector to gain access to networks, and we recommend that organizations continue to educate their personnel on how to detect these sorts of emails.”
More information about spear phishing and similar attacks can be found in a recent analysis by cybersecurity blogger Farwa Sajjad.