A threat actor known as Dark Pink has been associated with deploying the KamiKakaBot malware against multiple government agencies in ASEAN (Association of Southeast Asian Nations) countries.
Threat researchers at EclecticIQ detailed their findings in a blog post published last week, noting that the observed attack occurred in February.
“This new campaign very likely exploits Europe’s ties with ASEAN countries in the form of social engineering lures against the military and government agencies of Southeast Asian nations,” the report explains.
“While researchers lack the conclusive evidence necessary to identify the nationality of this group, the attackers’ objectives and some patterns suggest that the Dark Pink group may be a Chinese APT group.”
The team added that the malicious campaigns are almost identical to those previously spotted by Group-IB.
“In January 2023, threat actors used ISO images to deliver KamiKakaBot, which was executed using a DLL sideloading technique,” reads an EclecticIQ article. “The main difference in the February campaign was that the malware obfuscation routines were improved, making it easier to evade antimalware.”
KamiKakaBot malware, distributed via phishing emails in recent Dark Pink attacks, aims to steal credentials, browsing history, and cookies from browsers like Chrome, Edge, and Firefox. The malware also has remote code execution (RCE) capabilities.
“KamiKakaBot developers employ various evasion techniques to remain undetected while performing malicious actions on infected devices,” writes EclecticIQ. “For example, they use Living Off-the-Land Binaries (LOLBIN). […] Runs the KamiKakaBot malware on the victim’s device.”
The malware also used legitimate web services as command and control (C2) servers, especially Telegram, to further hide its malicious intent.
To protect systems from Dark Pink and similar threats, EclecticIQ recommends enabling Safe DLL search mode, disabling ISO image mounting via Group Policy, and disabling the saving of browser passwords via Group Policy. It also encourages enterprises to deploy the highest level of protection on their firewalls and endpoints.
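The host-hardening settings the advisory recommends can be audited on a Windows endpoint with the read-only PowerShell script below. This is an added example, not EclecticIQ's own tooling; the registry locations for the browser policies and the ISO mount verb are assumptions based on standard Windows and browser policy keys, and an absent SafeDllSearchMode value means the Windows default (enabled) applies.

```powershell
# Added example: audit the Dark Pink mitigations recommended in the advisory.
# Read-only; reports each setting against the expected hardened value.
$checks = @(
    @{ Name  = 'Safe DLL search mode enabled (absent = enabled by default)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Value = 'SafeDllSearchMode'; Expected = 1 }
    @{ Name  = 'ISO mount verb hidden from Explorer (assumed key)'
       Path  = 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount'
       Value = 'ProgrammaticAccessOnly'; Expected = '' }
    @{ Name  = 'Chrome password manager disabled by policy'
       Path  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Value = 'PasswordManagerEnabled'; Expected = 0 }
    @{ Name  = 'Edge password manager disabled by policy'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Value = 'PasswordManagerEnabled'; Expected = 0 }
    @{ Name  = 'Firefox OfferToSaveLogins disabled by policy'
       Path  = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
       Value = 'OfferToSaveLogins'; Expected = 0 }
)

function Get-HardeningStatus {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # Get-ItemProperty returns $null for a missing value name.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                       -ErrorAction SilentlyContinue).($c.Value)
        }
        $status = if ($null -ne $actual -and $actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { '<not set>' } else { "$actual" }
            Expected = "$($c.Expected)"
            Status   = $status
        }
    }
}

Get-HardeningStatus | Format-Table -AutoSize
```

A REVIEW result for SafeDllSearchMode with "<not set>" is normally fine because the default is enabled; the remaining checks only pass when the policy value is explicitly present.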
The company’s advisory comes weeks after data from Proofpoint suggested that telephone-oriented attacks and multi-factor authentication (MFA) bypass techniques would drive an increase in phishing attacks in 2022.