
Dark Pink Deploys KamiKakaBot to Target Government Entities in South Asian Countries

APT group Dark Pink, aka Saaiwc, has been targeting government agencies and military bodies in the APAC region since the second half of 2022. In the latest attack wave, the group is deploying a malware called KamiKakaBot that boasts an improved obfuscation routine to efficiently evade anti-malware checks.

Dark Pink’s attack tactics

EclecticIQ researchers found Dark Pink APT using phishing emails or social engineering lures against military and government organizations in Southeast Asian nations to deliver KamiKakaBot.
  • These emails are embedded with an ISO image which contains an executable (Winword.exe), a loader, and a decoy Word document with an XOR-encrypted section.
  • When a user clicks on the executable, the loader automatically loads and executes itself into the memory of the Winword.exe binary.
  • The Word document comes embedded with the KamiKakaBot executable as its payload, which is launched via DLL side-loading.
  • The loader decrypts the decoy document, writes the payload to disk, and executes it via a living-off-the-land binary.
  • The loader also abuses features of the Winlogon Helper library to make malicious Windows Registry key modifications and establishes persistence on the compromised host.
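The persistence step in the chain above is worth checking for on endpoints. The following is an added example (not code from the Cyware brief or from EclecticIQ's research) that audits the Winlogon `Shell` and `Userinit` registry values, the entries a Winlogon Helper persistence technique typically rewrites; the assumption that these are the values meant by "Winlogon Helper library" is mine, as the brief does not name them. The `.reg`-style export is constructed sample data; on a live host you would feed the script the output of `reg export` for the Winlogon key.

```python
import re

# Added example, not part of the original brief. Audits the Winlogon "Shell" and
# "Userinit" values against their stock defaults and reports any extra entries.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Documented defaults on a stock Windows install (compared case-insensitively;
# the trailing comma Windows writes on Userinit is tolerated by the splitter).
EXPECTED = {
    "Shell": [r"explorer.exe"],
    "Userinit": [r"c:\windows\system32\userinit.exe"],
}

# Constructed .reg export: Userinit has been extended with a second executable,
# which is the pattern a Winlogon Helper persistence entry leaves behind.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\update.exe,"
"AutoRestartShell"=dword:00000001
"""

_REG_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_SZ_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_winlogon(export_text):
    """Return [(value_name, [unexpected entries])] for Shell/Userinit deviations."""
    values = parse_reg_export(export_text).get(WINLOGON_KEY, {})
    findings = []
    for name, expected in EXPECTED.items():
        data = values.get(name)
        if data is None:
            continue  # value absent: Winlogon falls back to its built-in default
        entries = [e.strip().lower() for e in data.split(",") if e.strip()]
        extra = [e for e in entries if e not in expected]
        if extra:
            findings.append((name, extra))
    return findings


if __name__ == "__main__":
    for name, extra in audit_winlogon(SAMPLE_EXPORT):
        print(f"{name}: unexpected entries {extra}")
```

A finding is not proof of compromise on its own (some management agents legitimately extend `Userinit`), so treat the reported path as a lead to hash, locate, and compare against an allow-list rather than as a verdict.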

Furthermore, the threat actors can update the malware itself after a successful infection.

Malware capabilities

KamiKakaBot is primarily engineered to steal saved credentials, browsing history, and cookies stored in web browsers such as Chrome, Edge, and Firefox.
  • It exfiltrates the gathered data as a ZIP archive to the attackers' Telegram bot channel. Moreover, it uses VPN services to hinder detection.
  • After gaining initial access to infected devices, the threat actors execute remote code using the command prompt (cmd.exe) and use legitimate web services such as Telegram as a C2 server.
  • This enables them to carry out further post-exploitation activities.
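Because the C2 and exfiltration channel is the public Telegram Bot API, egress logs are a practical detection point. The script below is an added example, not code from the brief, that summarises Bot API use per source host from constructed proxy log lines (the log layout, hosts and bot tokens are all made up for the example) and flags hosts that push uploads above a byte threshold, which is what a ZIP of harvested browser data would look like. It assumes the proxy sees the traffic; if the malware's VPN tunnel carries it instead, the tunnel itself becomes the thing to detect.

```python
import re
from collections import defaultdict

# Added example, not part of the original brief. Constructed proxy log lines in a
# simplified "timestamp src_ip method host path bytes_out" layout; the bot tokens
# are placeholders, not real credentials.
SAMPLE_PROXY_LOG = """\
2023-03-01T09:12:01Z 10.1.4.22 GET www.microsoft.com /en-us/ 412
2023-03-01T09:12:44Z 10.1.4.22 POST api.telegram.org /bot123456789:AAExampleTokenXXXX/sendDocument 2097152
2023-03-01T09:13:02Z 10.1.4.22 POST api.telegram.org /bot123456789:AAExampleTokenXXXX/getUpdates 88
2023-03-01T09:15:17Z 10.1.4.31 GET api.telegram.org /bot987654321:AAOtherTokenYYYY/getMe 60
2023-03-01T09:16:40Z 10.1.4.22 POST api.telegram.org /bot123456789:AAExampleTokenXXXX/sendDocument 3145728
"""

# Telegram Bot API paths have the form /bot<id>:<token>/<method>.
BOT_API = re.compile(r"^/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)$")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Split one log line into fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, host, path, out = parts
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "bytes_out": int(out)}


def summarize_bot_api_use(log_text):
    """Per source host: distinct bot ids, upload count, getUpdates polls, bytes sent."""
    per_src = defaultdict(lambda: {"bot_ids": set(), "uploads": 0,
                                   "polls": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"].lower() != "api.telegram.org":
            continue
        m = BOT_API.match(rec["path"])
        if not m:
            continue
        s = per_src[rec["src"]]
        s["bot_ids"].add(m.group("bot_id"))
        s["bytes_out"] += rec["bytes_out"]
        if m.group("method") in UPLOAD_METHODS:
            s["uploads"] += 1
        elif m.group("method") == "getUpdates":  # C2 pull: bot polling for commands
            s["polls"] += 1
    return dict(per_src)


def flag_exfil_candidates(log_text, min_upload_bytes=1_000_000):
    """Hosts that upload via a bot and have sent at least min_upload_bytes to the API."""
    hits = []
    for src, s in summarize_bot_api_use(log_text).items():
        if s["uploads"] and s["bytes_out"] >= min_upload_bytes:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    for src, s in summarize_bot_api_use(SAMPLE_PROXY_LOG).items():
        print(src, s)
    print("exfil candidates:", flag_exfil_candidates(SAMPLE_PROXY_LOG))
```

The per-host summary also records `getUpdates` polling, which is the command-pull half of a Telegram-based C2; a workstation that both polls a bot and uploads documents to it is a stronger signal than either behaviour alone, so tune `min_upload_bytes` to what your users legitimately send.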

Wrapping up

Dark Pink is leveraging some rarely seen tactics and techniques to execute the KamiKakaBot malware in this campaign. It uses DLL side-loading, VPNs, and other tricks to blend in with victim environments and keep the campaign stealthy. Organizations are advised to deploy up-to-date security measures to defend against such threats.
Publisher: Cyware