Dark Pink APT Attacks
A recent wave of advanced persistent threat (APT) attacks is spreading throughout the Asia-Pacific (APAC) region, and these have been attributed to a newly identified group known as Dark Pink (also referred to as the Saaiwc Group). While evidence suggests that Dark Pink commenced its operations as early as mid-2021, the group’s activities escalated notably in the latter part of 2022.
The primary objectives of the Dark Pink APT include:
- Corporate espionage
- Document theft
- The capture of audio through the microphones of compromised devices
- The exfiltration of data from messaging platforms
The majority of these attacks were directed at APAC countries, although the threat actors expanded their scope to target a European governmental ministry. Confirmed victims of these attacks include two military organizations in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, as well as a religious organization in Vietnam.
Dark Pink Victimology
- Dark Pink has targeted victims in nine different countries, spanning the APAC region (Vietnam, Malaysia, Indonesia, Cambodia, Philippines, Brunei, and Thailand) and two European nations (Bosnia and Herzegovina and Belgium).
- Their victims encompass a wide spectrum, ranging from military entities and government agencies to development organizations, religious institutions, and non-profit groups.
- In October 2022, an unsuccessful attack was initiated against a European state development agency operating in Vietnam.
Dark Pink TTPs
Dark Pink Toolset
Dark Pink employs a variety of tools and custom-built malicious software designed for data theft and espionage. Their specialized toolkit comprises:
- Cucky: A straightforward custom information stealer coded in .NET. It is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group. Cucky stores the pilfered data locally in the %TEMP%\backuplog directory, without transmitting it over the network.
- Ctealer: Similar in function to Cucky but coded in C/C++.
- TelePowerBot: A registry implant that activates during system boot through a script and establishes a connection with a Telegram channel. It awaits PowerShell commands from this channel, which it then executes.
- KamiKakaBot: This is a .NET version of TelePowerBot with additional data-stealing capabilities to enhance its espionage functions.
Dark Pink Techniques & Procedures
The complexity of the Dark Pink campaign becomes evident when considering its diverse kill chains. The actors orchestrating these attacks displayed remarkable adaptability, creating tools in various programming languages. This versatility enabled them to pursue the compromise of defense infrastructure and establish a lasting presence on the networks of their targets.
A large part of the success of Dark Pink was down to the spear-phishing emails used to gain initial access. The emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim’s network.
Trojan execution and persistence:
Dark Pink utilizes a suite of customized malware tools, particularly TelePowerBot and KamiKakaBot, with the primary purpose of extracting confidential information from compromised systems. KamiKakaBot can execute commands via a Telegram bot managed by the threat actor. The bot’s functionality is divided into two parts: one for device control and another for harvesting valuable data. These malicious DLL files, housing one of these two malware components, can be concealed within ISO images distributed during spear-phishing campaigns, which ultimately results in the control of the targeted machine by Dark Pink.
The group has links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware designed for future deployment on targeted devices.
Dark Pink employed a variety of techniques and services for data exfiltration. In earlier attacks, stolen information was sent via email or through public cloud services like Dropbox. In a more recent attack, however, Dark Pink exfiltrated the stolen data over HTTP to a webhook service.
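The persistence and exfiltration pattern described above (a Run-key implant that launches PowerShell, command traffic to a Telegram bot, and HTTP POSTs to a webhook endpoint) can be triaged from host and proxy telemetry. The following is an added example written for this page, not Dark Pink tooling or a vendor detection rule; the registry entries and proxy log lines are constructed, the proxy log format is an assumption, api.telegram.org is Telegram's public Bot API host, and the webhook pattern is a placeholder because the page does not name the service used.

```python
"""Triage helper for the Dark Pink persistence and exfiltration pattern:
Run-key entries launching PowerShell with stealth switches, traffic to the
Telegram Bot API, and HTTP POSTs to webhook endpoints.
Added example; every sample record below is constructed."""
import re
from typing import List, Optional, Tuple

# api.telegram.org is Telegram's public Bot API host (known fact, not from the page);
# the "bot<id>:<token>/" path segment distinguishes bot traffic from ordinary Telegram use.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+/", re.I)
# The page names no specific webhook service, so this is a loose placeholder pattern.
WEBHOOK_URL = re.compile(r"https?://[^/\s]*webhook[^\s]*", re.I)
# PowerShell launched with hidden-window, encoded-command or no-profile switches.
STEALTHY_POWERSHELL = re.compile(
    r"powershell(?:\.exe)?\b.*?(?:-enc\w*|-e\b|-w(?:indowstyle)?\s+hidden|-nop)", re.I)
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def check_autorun(key_path: str, value_data: str) -> Optional[str]:
    """Return a reason string if a Run/RunOnce value launches stealthy PowerShell."""
    if any(k in key_path.lower() for k in RUN_KEYS) and STEALTHY_POWERSHELL.search(value_data):
        return "PowerShell autorun in Run key (TelePowerBot-style persistence)"
    return None


def check_http_line(line: str) -> Optional[str]:
    """Assumed proxy log format: '<timestamp> <client> <method> <url> <status> <bytes>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, _client, method, url, _status, _size = parts
    if TELEGRAM_BOT_API.search(url):
        return "Telegram Bot API traffic (TelePowerBot/KamiKakaBot-style C2)"
    if method.upper() == "POST" and WEBHOOK_URL.search(url):
        return "HTTP POST to webhook endpoint (possible exfiltration)"
    return None


# Constructed sample data: one stealthy autorun, one vendor updater, one plain script.
SAMPLE_AUTORUNS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "powershell.exe -nop -w hidden -enc AAAA"),          # flagged
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "C:\\Program Files\\Vendor\\updater.exe /silent"),   # benign
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "powershell.exe -File C:\\scripts\\backup.ps1"),     # no stealth switches
]
# Constructed proxy lines; the bot token and webhook host are placeholders.
SAMPLE_PROXY = [
    "2023-05-16T08:01:02Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAConstructedToken/getUpdates 200 512",
    "2023-05-16T08:02:10Z 10.0.0.5 POST https://webhook.example/hooks/abc123 200 48211",
    "2023-05-16T08:03:00Z 10.0.0.7 GET https://www.example.com/index.html 200 1024",
    "2023-05-16T08:04:00Z 10.0.0.7 GET https://webhook.example/docs 200 2048",
]


def triage() -> List[Tuple[str, str]]:
    """Run both checks over the sample data and return (reason, record) pairs."""
    findings: List[Tuple[str, str]] = []
    for key, data in SAMPLE_AUTORUNS:
        reason = check_autorun(key, data)
        if reason:
            findings.append((reason, f"{key} = {data}"))
    for line in SAMPLE_PROXY:
        reason = check_http_line(line)
        if reason:
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, record in triage():
        print(f"[{reason}] {record}")
```

The autorun check deliberately ignores a PowerShell entry that only runs a named script, and the webhook check only fires on POST, so a GET to the same host is not reported; both choices trade recall for fewer false positives and should be tuned to the environment's baseline.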
Dark Pink Origins and Affiliates
According to different researchers, the time zone of the attacks correlated with Vietnam. Considering these details, the most we can discern about the actor’s origin is that they likely come from the Southeast Asia region.
In addition, there is an assumption according to other researchers that Dark Pink is related to the OCEAN BUFFALO group. OCEAN BUFFALO (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary reportedly active since at least 2012.
Dark Pink IOCs
| File name | SHA-256 |
|---|---|
| [Update] Counterdraft on the MoU on Rice Trade.zip.iso | 6b7c4ce5419e7cde80856a85559203dca5219d05115cdd6c1598f2e789149c34 |
| wwlib.dll | 8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a |
| ~[INDONESIA] COUNTERDRAFT MOU ON RICE TRADE INDONESIA-INDIA 15052023.DOC | 78ec064bce850d0e0a022cdbb84a6200e62f92e8e575ebbd4a9b764dc1dce771 |
| MS Project file | 54675c16c1fd97227cb41892431e1f9f8b0b153225b5576445d3ba24860dcfd9 |
| ccc.gif | 115a66aba1068be11e549c4194dda5f338684ae37ffbfc9045c0bae488a5acf4 |
| AccHelper.xll | 6d620e86fd37c9b92a0485b0472cb1b8e2b1662fbb298c4057f8d12ad42808b4 |
| ANALYS32.xll | d23784c30a56f402bb71d116ef8b5bcc8609061be0ecc6d1014686ff4227197f |

| MITRE ATT&CK technique | ID |
|---|---|
| Phishing: Spearphishing Attachment | T1566.001 |
| Command and Scripting Interpreter | T1059 |
| Command and Scripting Interpreter: PowerShell | T1059.001 |
| Windows Management Instrumentation | T1047 |
| System Services: Service Execution | T1569.002 |
| Event Triggered Execution | T1546 |
| Event Triggered Execution: Change Default File Association | T1546.001 |
| Boot or Logon Autostart Execution | T1547 |
| Abuse Elevation Control Mechanism | T1548 |
| Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 |
| Masquerading: Match Legitimate Name or Location | T1036.005 |
| Obfuscated Files or Information | T1027 |
| Obfuscated Files or Information: Software Packing | T1027.002 |
| Deobfuscate/Decode Files or Information | T1140 |
| Trusted Developer Utilities Proxy Execution | T1127 |
| Hijack Execution Flow | T1574 |
| Hijack Execution Flow: DLL Side-Loading | T1574.002 |
| Credentials from Password Stores | T1555 |
| File and Directory Discovery | T1083 |
| System Information Discovery | T1082 |
| Command and Control | |
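The SHA-256 values in the IOC table above are most useful when swept across file shares and endpoints. The script below is an added example for this page, not part of the original report or any vendor tooling: it hashes every file under a directory tree and reports matches against the table. Because the real samples are not available, the demo function builds a throwaway tree and registers one constructed hash so the scan runs offline; that extra entry and the sample file contents are made up.

```python
"""Hash-based IOC sweep for the Dark Pink SHA-256 values listed above.
Added example; the demo tree and its extra hash are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-256 values copied from the IOC table, keyed by lower-case hex digest.
DARK_PINK_SHA256: Dict[str, str] = {
    "6b7c4ce5419e7cde80856a85559203dca5219d05115cdd6c1598f2e789149c34":
        "[Update] Counterdraft on the MoU on Rice Trade.zip.iso",
    "8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a": "wwlib.dll",
    "78ec064bce850d0e0a022cdbb84a6200e62f92e8e575ebbd4a9b764dc1dce771":
        "~[INDONESIA] COUNTERDRAFT MOU ON RICE TRADE INDONESIA-INDIA 15052023.DOC",
    "54675c16c1fd97227cb41892431e1f9f8b0b153225b5576445d3ba24860dcfd9": "MS Project file",
    "115a66aba1068be11e549c4194dda5f338684ae37ffbfc9045c0bae488a5acf4": "ccc.gif",
    "6d620e86fd37c9b92a0485b0472cb1b8e2b1662fbb298c4057f8d12ad42808b4": "AccHelper.xll",
    "d23784c30a56f402bb71d116ef8b5bcc8609061be0ecc6d1014686ff4227197f": "ANALYS32.xll",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large ISO images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Dict[str, str]) -> List[Tuple[Path, str, str]]:
    """Return (path, digest, ioc_label) for every regular file whose hash is in iocs."""
    hits: List[Tuple[Path, str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable or locked file; skip rather than abort the sweep
        if digest in iocs:
            hits.append((p, digest, iocs[digest]))
    return hits


def demo_scan() -> List[str]:
    """Build a throwaway tree with a benign file and one constructed 'sample',
    add the sample's hash as an extra (constructed) IOC, and return matched names."""
    root = Path(tempfile.mkdtemp(prefix="darkpink-ioc-"))
    (root / "notes.txt").write_bytes(b"quarterly report draft\n")
    (root / "sub").mkdir()
    sample = root / "sub" / "wwlib.dll"
    sample.write_bytes(b"CONSTRUCTED SAMPLE - not the real side-loaded DLL\n")
    iocs = dict(DARK_PINK_SHA256)
    iocs[sha256_file(sample)] = "wwlib.dll (constructed demo hash)"
    return [hit[0].name for hit in scan_tree(root, iocs)]


if __name__ == "__main__":
    for name in demo_scan():
        print("IOC match:", name)
```

Matching on hashes only is intentional: file names such as wwlib.dll are also carried by legitimate software, so a name match on its own is a weak signal and would flood a sweep of many hosts.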