Dark Pink APT Attacks
A recent wave of advanced persistent threat (APT) attacks is spreading throughout the Asia-Pacific (APAC) region, and these have been attributed to a newly identified group known as Dark Pink (also referred to as the Saaiwc Group). While evidence suggests that Dark Pink commenced its operations as early as mid-2021, the group’s activities escalated notably in the latter part of 2022.
The primary objectives of the Dark Pink APT include:
- Corporate espionage
- Document theft
- The capture of audio through the microphones of compromised devices
- The exfiltration of data from messaging platforms
The majority of these attacks were directed at APAC countries, although the threat actors expanded their scope to target a European governmental ministry. Confirmed victims of these attacks include two military organizations in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, as well as a religious organization in Vietnam.
Dark Pink Victimology
- Dark Pink has targeted victims in nine countries, seven in the APAC region (Vietnam, Malaysia, Indonesia, Cambodia, the Philippines, Brunei, and Thailand) and two in Europe (Bosnia and Herzegovina, Belgium).
- Their victims encompass a wide spectrum, ranging from military entities and government agencies to development organizations, religious institutions, and non-profit groups.
- In October 2022, an unsuccessful attack was initiated against a European state development agency operating in Vietnam.
Dark Pink TTPs
Dark Pink Toolset
Dark Pink employs a variety of tools and custom-built malicious software designed for data theft and espionage. Their specialized toolkit comprises:
- Cucky: A straightforward custom information stealer coded in .NET. It is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group. Cucky stores the pilfered data locally in the %TEMP%\backuplog directory, without transmitting it over the network.
- Ctealer: Similar in function to Cucky but coded in C/C++.
- TelePowerBot: A registry implant that activates during system boot through a script and establishes a connection with a Telegram channel. It awaits PowerShell commands from this channel, which it then executes.
- KamiKakaBot: This is a .NET version of TelePowerBot with additional data-stealing capabilities to enhance its espionage functions.
Dark Pink Techniques & Procedures
The complexity of the Dark Pink campaign becomes evident when considering its diverse kill chains. The actors orchestrating these attacks displayed remarkable adaptability, creating tools in various programming languages. This versatility enabled them to pursue the compromise of defense infrastructure and establish a lasting presence on the networks of their targets.
Initial access:
Much of Dark Pink's success comes down to the spear-phishing emails used to gain initial access. Each email contains a shortened URL pointing to a free file-sharing site, where the victim is offered an ISO image for download; the image contains every file the threat actors need to infect the victim's network.
Trojan execution and persistence:
Dark Pink utilizes a suite of customized malware tools, particularly TelePowerBot and KamiKakaBot, whose primary purpose is extracting confidential information from compromised systems. KamiKakaBot executes commands received through a Telegram bot managed by the threat actor, and its functionality is split into two parts: one for device control and another for harvesting valuable data. The malicious DLLs carrying one of these two components are concealed within the ISO images distributed in the spear-phishing campaign, and once executed they give Dark Pink control of the targeted machine.
GitHub Usage:
The group has links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware designed for future deployment on targeted devices.
Data extraction:
Dark Pink has employed a variety of techniques and services for data exfiltration. In earlier attacks, stolen information was sent via email or through public cloud services such as Dropbox. In a more recent attack, however, Dark Pink exfiltrated the stolen data over HTTP to a webhook service.
Dark Pink Origins and Affiliates
According to several researchers, the timing of the attacks correlates with the Vietnamese time zone. On that basis, the most that can be discerned about the actor's origin is that they likely operate from Southeast Asia.
In addition, other researchers have suggested that Dark Pink is related to the OCEAN BUFFALO group. OCEAN BUFFALO (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary reportedly active since at least 2012.
Dark Pink IOCs
Files:
| File name | SHA256 |
|---|---|
| [Update] Counterdraft on the MoU on Rice Trade.zip.iso | 6b7c4ce5419e7cde80856a85559203dca5219d05115cdd6c1598f2e789149c34 |
| wwlib.dll | 8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a |
| ~[INDONESIA] COUNTERDRAFT MOU ON RICE TRADE INDONESIA-INDIA 15052023.DOC | 78ec064bce850d0e0a022cdbb84a6200e62f92e8e575ebbd4a9b764dc1dce771 |
| MS Project file | 54675c16c1fd97227cb41892431e1f9f8b0b153225b5576445d3ba24860dcfd9 |
| ccc.gif | 115a66aba1068be11e549c4194dda5f338684ae37ffbfc9045c0bae488a5acf4 |
| AccHelper.xll | 6d620e86fd37c9b92a0485b0472cb1b8e2b1662fbb298c4057f8d12ad42808b4 |
| ANALYS32.xll | d23784c30a56f402bb71d116ef8b5bcc8609061be0ecc6d1014686ff4227197f |
Cucky:
MD5: 926027F0308481610C85F4E3E433573B
SHA1: 24F65E0EE158FC63D98352F9828D014AB239AE16
SHA256: 9976625B5A3035DC68E878AD5AC3682CCB74EF2007C501C8023291548E11301
Ctealer Loader:
MD5: 728AFA40B20DF6D2540648EF845EB754
SHA1: D8DF672ECD9018F3F2D23E5C966535C30A54B71D
SHA256: C60F778641942B7B0C00F3214211B137B683E8296ABB1905D2557BFB245BF775
Packed ctealer:
MD5: 7EAF1B65004421AC07C6BB1A997487B2
SHA1: 18CA159183C98F52DF45D3E9DB0087E17596A866
SHA256: E3181EE97D3FFD31C22C2C303C6E75D0196912083D0C21536E5833EE7D108736
MD5: 732091AD428419247BCE87603EA79F00
SHA1: 142F909C26BD57969EF93D7942587CDF15910E34
SHA256: E45DF7418CA47A9A4C4803697F4B28C618469C6E5A5678213AB81DF9FCC9FD51
URLs:
– hXXps://webhook[.]site/288a834b-fd92-4531-82a5-b41e907daa56
– hXXps://webhook[.]site/2b733e31-70bb-4777-be4a-41a98f3559bf
– hXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/xxx.gif
– hXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/ccc.gif
– hXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/DDDD.gif
– hXXp://raw.githubusercontent[.]com/peterlyly/zxcv/main/eeeee.gif
– hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/eeeee.gif
– hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/xxx.gif
– hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/eee.gif
– hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/ccc.gif
– hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/bbb.gif
– hXXps://textbin[.]net/raw/1tmfbi0bep
– hXXps://textbin[.]net/raw/d7hs6e68ox
– hXXp://176.10.80[.]38:8843/upload
– hXXp://176.10.80[.]38:8843/11.msi
– hXXp://176.10.80[.]38:8843/1.zip
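The indicator list above and the HTTP/webhook exfiltration described under "Data extraction" only help if they are turned into a check. The script below is an added example and is not part of the original write-up or any Dark Pink tooling: it refangs the published URLs, validates the published hashes by length (the Cucky SHA256 as printed is 63 hex characters, so it is rejected rather than silently never matching), and matches the result against constructed proxy-log lines, file-hash records and local paths, including Cucky's %TEMP%\backuplog staging directory. The log format, source IPs, file paths and the sample hash values marked as constructed are assumptions made for the example.

```python
"""
Added example (not from the original write-up): normalise the defanged
Dark Pink indicators, sanity-check the published hashes, and match them
against constructed proxy-log lines, file-hash records and host paths.
"""
import re
from urllib.parse import urlparse

# A subset of the URL indicators from the write-up, kept defanged as published.
DEFANGED_URLS = [
    "hXXps://webhook[.]site/288a834b-fd92-4531-82a5-b41e907daa56",
    "hXXps://raw.githubusercontent[.]com/peterlyly/zxcv/main/ccc.gif",
    "hXXps://textbin[.]net/raw/1tmfbi0bep",
    "hXXp://176.10.80[.]38:8843/upload",
]

# File hashes from the write-up. The Cucky value is reproduced exactly as
# printed there; it is 63 hex characters long, so it can never match a file.
FILE_HASHES = {
    "wwlib.dll": "8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a",
    "ccc.gif": "115a66aba1068be11e549c4194dda5f338684ae37ffbfc9045c0bae488a5acf4",
    "Cucky": "9976625B5A3035DC68E878AD5AC3682CCB74EF2007C501C8023291548E11301",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging (hXXp, [.]) so the indicator can be compared."""
    out = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str):
    """Return 'md5', 'sha1' or 'sha256' by length, or None if malformed."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    return HASH_LENGTHS.get(len(h))


def usable_hashes(table: dict) -> dict:
    """Map lowercase hash -> indicator name, dropping entries that fail validation."""
    return {v.lower(): k for k, v in table.items() if classify_hash(v)}


IOC_URLS = [refang(u) for u in DEFANGED_URLS]
IOC_HOSTS = {urlparse(u).netloc for u in IOC_URLS}


def parse_proxy_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <src-ip> <method> <url> <status> <bytes>'."""
    ts, src, method, url, status, size = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def match_proxy_log(lines, urls=IOC_URLS, hosts=IOC_HOSTS):
    """Return one hit per line that touches a published URL or its host.

    'url' hits are exact indicator matches. 'host' hits only share the host;
    webhook.site and raw.githubusercontent.com are legitimate services, so a
    host-only match is a lead to triage, not a verdict.
    """
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        host = urlparse(rec["url"]).netloc
        if rec["url"] in urls:
            hits.append({**rec, "kind": "url"})
        elif host in hosts:
            hits.append({**rec, "kind": "host"})
    return hits


def match_file_hashes(observed, table=FILE_HASHES):
    """observed: iterable of (path, sha256). Returns [(path, indicator_name), ...]."""
    known = usable_hashes(table)
    return [(p, known[h.lower()]) for p, h in observed if h.lower() in known]


def is_cucky_staging_path(path: str) -> bool:
    """True for paths under %TEMP%\\backuplog, where Cucky stages stolen data locally."""
    p = path.replace("/", "\\").lower()
    return re.search(r"\\temp\\backuplog(\\|$)", p) is not None


# Constructed sample data: IPs, timestamps and the all-zero hash are invented.
PROXY_LOG = [
    "2023-05-16T08:01:12Z 10.1.2.3 GET https://raw.githubusercontent.com/peterlyly/zxcv/main/ccc.gif 200 4211",
    "2023-05-16T08:02:40Z 10.1.2.3 POST https://webhook.site/288a834b-fd92-4531-82a5-b41e907daa56 200 183422",
    "2023-05-16T08:02:58Z 10.1.2.9 POST https://webhook.site/00000000-0000-0000-0000-000000000000 200 311",
    "2023-05-16T08:03:01Z 10.1.2.9 GET https://www.example.com/index.html 200 512",
    "2023-05-16T08:04:55Z 10.1.2.3 POST http://176.10.80.38:8843/upload 200 90211",
]
OBSERVED_FILES = [
    (r"C:\Users\alice\AppData\Local\Temp\x\wwlib.dll",
     "8DC3F6179120F03FD6CB2299DBC94425451D84D6852B801A313A39E9DF5D9B1A"),
    (r"C:\Users\alice\AppData\Local\Temp\backuplog\chrome.txt", "0" * 64),
]

if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print(f"{hit['kind']:4} {hit['src']} {hit['method']} {hit['url']} ({hit['bytes']} bytes)")
    print(match_file_hashes(OBSERVED_FILES))
    print([p for p, _ in OBSERVED_FILES if is_cucky_staging_path(p)])
```

Hash comparison is done case-insensitively because vendors publish hashes in mixed case, and the host-level match is kept separate from the exact URL match so that ordinary traffic to GitHub or webhook.site does not generate the same severity as a request to the exact published path.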
CVEs
MITRE IDs
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing | T1566 |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution | T1204 |
| Execution | Command and Scripting Interpreter | T1059 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution | Windows Management Instrumentation | T1047 |
| Execution | System Services | T1569 |
| Execution | System Services: Service Execution | T1569.002 |
| Persistence | Browser Extensions | T1176 |
| Persistence | Event Triggered Execution | T1546 |
| Persistence | Event Triggered Execution: Change Default File Association | T1546.001 |
| Persistence | Boot or Logon Autostart Execution | T1547 |
| Persistence | Scheduled Task/Job | T1053 |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 |
| Privilege Escalation | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | Trusted Developer Utilities Proxy Execution | T1127 |
| Defense Evasion | Template Injection | T1221 |
| Defense Evasion | Hijack Execution Flow | T1574 |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 |
| Credential Access | Credentials from Password Stores | T1555 |
| Discovery | Query Registry | T1012 |
| Discovery | File and Directory Discovery | T1083 |
| Discovery | System Information Discovery | T1082 |
| Collection | Audio Capture | T1123 |
| Collection | Screen Capture | T1113 |
| Command and Control | Data Encoding | T1132 |
| Command and Control | Web Service | T1102 |