Dark Pink: A New APT Group Laced with Dangerous Espionage Techniques

Espionage Meets Color: Dark Pink APT Group Revealed

The Dark Pink APT group has been targeting countries in the APAC region.

So far, the cybersecurity researchers at Group-IB have uncovered seven confirmed attacks carried out by the Dark Pink hackers.

Group-IB’s recent blog warns of a relatively new advanced persistent threat (APT) group which brings more dangerous espionage techniques and procedures to the table than seen before.

Labelled ‘Dark Pink’ by Group-IB’s analysts; this APT group is behind a new wave of attacks that have struck the Asia-Pacific (APAC) region. 

This APT group has also been termed Saaiwc Group by Chinese cybersecurity researchers. Dark Pink’s operations can be dated as far back as mid-2021 according to Group-IB’s researchers who identified activity on its GitHub account. However, the group’s activity surged in the period from mid to late 2022. 

In their detailed report, Group-IB states that their sector-leading Threat Intelligence uncovered seven confirmed attacks by Dark Pink. The majority of these attacks were in the APAC region with just one carried out against a European governmental ministry. 

“The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. Group-IB also became aware of an unsuccessful attack on a European state development agency based in Vietnam,” the blog post states.

Espionage Meets Color: Dark Pink APT Group Revealed
Timeline and targets of Dark Pink APT group (Image: Group-IB)

What makes Dark Pink’s attacks so effective is their use of a new set of tactics, techniques, and procedures rarely ever seen before amongst APT groups. Their custom toolkit consists of TelePowerBot, KamiKakaBot, and Cucky and Ctealer information stealers (all names given by Group-IB). They are also able to infect USB devices attached to compromised computers and gain access to messengers on infected machines.

One of Dark Pink’s spear-phishing emails used to gain initial access was found by Group-IB. In this particular instance, the threat actor posed as a job applicant applying for the PR and Communications intern position.

In the email, the threat actor mentions that they found the vacancy on a jobseeker site, which could suggest that the threat actors scan job boards and use this information to create highly relevant phishing emails. This only goes to show how carefully these phishing emails are curated for them to become so threatening. 

In the aforementioned attack, the email contained a shortened URL linking to a free-to-use file-sharing site where the victim can choose to download an ISO image. This contains all the files needed for the threat actors to infect the victim’s network.

In this situation, the victim is likely to look for the supposed applicant’s resume, often sent as an MS Word document, but the threat actor included a .exe file that mimicked an MS Word file. By using the MS Word icon and writing “.doc” in the file name, the threat actors tried to confuse the victim into believing the file was safe to open.

Espionage Meets Color: Dark Pink APT Group Revealed
Kill Chain of the Dark Pink APT group (Image: Group-IB)

Group-IB details all their findings regarding Dark Pink’s kill chains, initial access, reconnaissance and lateral movement, data exfiltration, evasion techniques, and tools. They hope that this preliminary research will allow cybersecurity experts to raise awareness of the new TTPs utilized by Dark Pink and will aid organizations in taking relevant steps to protect themselves from potentially devastating APT attacks

Along with shedding light on the detrimental effects of APT groups leveraging new TTPs, it is our aim to highlight a set of precautions that can be taken by organizations in order to protect themselves from targeted and highly decisive attacks. 

Here are some steps that organizations can take to cultivate a securer workplace culture:

  • Employ modern email protection measures that are highly effective in thwarting hacking campaigns right at the first step by preventing initial compromise via spear-phishing emails. 
  • Train your personnel to identify phishing emails and educate them on the damage they can cause.
  • Ensure that your security measures allow for proactive threat hunting that can help identify threats that cannot be detected automatically.
  • Limit access to file-sharing resources, with the exception of those used within the organization.
  • Monitor the creation of LNK files in unusual locations, such as network drives and USB devices.
  • Ensure that you observe any use of commands and built-in tools that are frequently used for collecting information about the system and files.
  1. NK APT37 Unleashes Dolphin Backdoor on SK
  2. APT Groups Trapping Targets with Clever Twitter Scheme
  3. Malicious Office docs make up 43% of all malware downloads
  4. Windows, Linux and macOS Users Hit by Chinese Iron Tiger Group
  5. Indian APT exposes Modus Operandi by infecting their own devices

Related Posts