A new APT group, Dark Pink, is targeting governments and militaries with customized malware

An advanced threat actor has been carrying out attacks on military and government bodies across multiple APAC countries, using custom malware to steal sensitive information.

The group is tracked as Dark Pink by Group-IB and as Saaiwc Group by Anheng Hunting Labs. Researchers single it out because its members use unusual tactics, techniques, and procedures (TTPs).

Its custom toolkit lets the attackers spread malware and steal data via USB drives. To execute its payloads, the actor relies on DLL sideloading and event-triggered execution.

According to Group-IB, the goal of the threat actor is to steal data from victims' browsers and messengers, exfiltrate documents, and capture audio from infected devices' microphones.

Dark Pink is an advanced persistent threat (APT) that has been responsible for at least seven attacks between June and December 2022.

[Figure: Overview of Dark Pink activities]

Initial compromise

Dark Pink uses spear-phishing emails to trick victims into downloading malicious ISO images. Group-IB observed several variations of the attack chain.

The first chain used an ISO file containing a signed executable and a decoy file. The signed executable was abused to sideload a DLL, which deployed a custom information stealer tracked as Ctealer (or Cucky). The next stage installed the TelePowerBot registry implant.

The second chain also delivers an ISO file, this time containing a Microsoft Office document (.DOC) that the victim is lured into opening. The document downloads a template carrying a malicious macro from GitHub, which is then used to load TelePowerBot and make the Windows registry modifications it needs.

The third chain, observed in December 2022, is almost identical to the first. Instead of dropping TelePowerBot, however, the malicious ISO and the DLL sideloading technique load another custom malware, KamiKakaBot, which is designed to read and execute commands.

[Figure: Third and most recent attack chain]

Custom malware

Cucky is a custom info-stealer written in .NET, with a C++ variant tracked as Ctealer. It attempts to extract browsing history, passwords, and saved logins from many web browsers, including Chrome, Microsoft Edge, and Chromium.

[Figure: Cucky stealer code]

TelePowerBot is a registry implant that is launched at system startup and then connects to a Telegram channel from which it receives PowerShell commands.

“The threat actors use several commands to infect the victim. To determine which network resources are available to infected devices, threat actors execute standard commands (e.g. net share and Get-SmbShare). They will start exploring the disk for files of interest and possibly exfiltrate these files if network disk usage is detected.” – Group-IB

The commands may launch simple console tools or more complex PowerShell scripts, including ones that enable lateral movement via removable USB drives.

KamiKakaBot is a .NET version of TelePowerBot. It adds information-stealing capabilities, targeting data stored in Chromium-based browsers and Firefox.

[Figure: KamiKakaBot malware code]

Alongside these tools, Dark Pink uses a script that records audio through the microphone every minute. The recordings are saved as a ZIP file in the Windows temporary directory before being exfiltrated via Telegram.

The threat actor also uses ZMsg, a messenger exfiltration utility downloaded from GitHub. It harvests messages from Viber and Telegram and stores them under %TEMP%\KoVosRLvmU until they are exfiltrated.
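As an added example (not code from this article, from Group-IB, or from the actor's toolkit), the following Python triage function turns the behaviours described in the TelePowerBot section and the exfiltration passages above into hunting rules: the share-enumeration commands the Group-IB quote names (net share, Get-SmbShare), a shell process reaching the Telegram Bot API host (an assumption about how the implant talks to its channel), ZIP archives written to the Windows temp directory, and the %TEMP%\KoVosRLvmU directory ZMsg stages messages in. The event records are constructed to resemble the fields of Sysmon Event ID 1 (process creation) and Event ID 11 (file creation); the function names classify and triage and the rule names are mine.

```python
import re

# Constructed sample telemetry (not data from the Group-IB report): dicts shaped
# loosely like Sysmon Event ID 1 (process creation) and Event ID 11 (file
# creation) records, with benign entries mixed in to show what is not flagged.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "CORP\\alice",
     "command_line": "net share"},
    {"event_id": 1, "user": "CORP\\alice",
     "command_line": "powershell.exe -NoP -W Hidden -c \"Get-SmbShare | Select Name,Path\""},
    {"event_id": 1, "user": "CORP\\alice",
     "command_line": "powershell.exe -c \"Invoke-RestMethod https://api.telegram.org/bot000000:EXAMPLE/getUpdates\""},
    {"event_id": 1, "user": "CORP\\alice",
     "command_line": "notepad.exe C:\\Users\\alice\\Documents\\notes.txt"},
    {"event_id": 11, "user": "CORP\\alice",
     "target_filename": "C:\\Users\\alice\\AppData\\Local\\Temp\\KoVosRLvmU\\tg.txt"},
    {"event_id": 11, "user": "CORP\\alice",
     "target_filename": "C:\\Users\\alice\\AppData\\Local\\Temp\\3f9a.zip"},
    {"event_id": 11, "user": "NT AUTHORITY\\SYSTEM",
     "target_filename": "C:\\Windows\\Temp\\rec.zip"},
    {"event_id": 11, "user": "CORP\\alice",
     "target_filename": "C:\\Users\\alice\\Documents\\report.zip"},
]

# Rules derived from the behaviour described on the page. Matching is on the
# command line or file path only; in a real hunt you would join these hits with
# parent process, signer and network context before acting on them.
SHARE_ENUM = re.compile(r"(?<![\w-])(net1?\s+share|Get-SmbShare)(?![\w-])", re.IGNORECASE)
# Assumption: the implant reaches its Telegram channel through the Bot API host.
TELEGRAM_API = re.compile(r"api\.telegram\.org", re.IGNORECASE)
# %TEMP% normally resolves to <profile>\AppData\Local\Temp for a logged-on user
# and to C:\Windows\Temp for services running as SYSTEM, so both are covered.
TEMP_DIRS = re.compile(r"(\\AppData\\Local\\Temp\\|^[A-Za-z]:\\Windows\\Temp\\)", re.IGNORECASE)
# ZMsg staging directory named on the page, anchored to a temp directory.
ZMSG_DIR = re.compile(r"\\Temp\\KoVosRLvmU(\\|$)", re.IGNORECASE)


def classify(event):
    """Return the list of rule names an event trips (empty for benign events)."""
    hits = []
    if event.get("event_id") == 1:
        cmd = event.get("command_line", "")
        if SHARE_ENUM.search(cmd):
            hits.append("share_enumeration")
        if TELEGRAM_API.search(cmd):
            hits.append("telegram_bot_api_from_shell")
    elif event.get("event_id") == 11:
        path = event.get("target_filename", "")
        if ZMSG_DIR.search(path):
            hits.append("zmsg_staging_dir")
        elif TEMP_DIRS.search(path) and path.lower().endswith(".zip"):
            hits.append("zip_staged_in_temp")
    return hits


def triage(events):
    """Run every event through classify() and collect the hits with evidence."""
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append({
                "rule": rule,
                "user": ev.get("user"),
                "evidence": ev.get("command_line") or ev.get("target_filename"),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:<28} {f['user']:<22} {f['evidence']}")
```

Share enumeration and ZIP files in %TEMP% are noisy on their own; the value of the rule set is in the combination, so treat a host that trips the staging-directory or Telegram rule together with share enumeration as the one to pull first.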

Anheng Hunting Labs in China, which tracks Dark Pink as Saaiwc Group, also notes that the actor exploited an old, severe vulnerability, CVE-2018-0199.

Group-IB has confirmed seven attacks attributed to Dark Pink, but the researchers point out that the real number could be higher.

Group-IB says it has notified the organizations it found to be compromised and will continue to monitor Dark Pink's operations.