Dark Pink APT Group Targets APAC

Dark Pink campaign

• The group started its operations in mid-2021, and the attacks increased a year later using a custom toolkit, created to steal important information from compromised networks.
• The group used spear-phishing emails to launch its attacks and a Telegram API for C2 communications. 

How spearphishing works

• Dark Pink APT presumably visits job boards to tailor its messages and pose as a job applicant applying as an intern for a position in PR and communications.
• The aim, however, is to deploy KamiKakaBot and TelePowerBot, which can execute commands sent via a Telegram bot. 
• The group then uses Ctealer and Cucky tools to steal credentials and cookies from web browsers.

Use of multiple infection chains

• It used a single GitHub account for hosting malicious modules (active since May 2021). This was used to drop a PowerShell script malware known as TelePowerBot. Further, the group leveraged malicious template documents to avoid detection.
• An alternate kill chain used a decoy document included in the ISO file to get a rogue macro-enabled template from GitHub, which included TelePowerBot.
• Recently, the group launched KamiKakaBot, a DotNET version of TelePowerBot, having an XML file located at the end of a Word document in encrypted view.

Who are the targets?

• The targeted victims confirmed by researchers include two military bodies in the Philippines and Malaysia, government departments in Cambodia, Indonesia, and Bosnia and Herzegovina, and a religious entity in Vietnam.
• Additionally, one unsuccessful attack was observed against an unnamed European state development body from Vietnam.

Conclusion