
The threat actor known as Dark Pink has been linked to five new attacks between February 2022 and April 2023 targeting various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam.
The victims include educational institutions, government agencies, military entities, and non-profit organizations, demonstrating the adversary's continued focus on high-value targets.
Dark Pink, also known as the Saaiwc Group, is an advanced persistent threat (APT) actor believed to have originated in the Asia-Pacific region. Its targets are organizations located primarily in East Asia and, to a lesser extent, in Europe.
The group uses a series of custom malware tools such as TelePowerBot and KamiKakaBot, which offer various capabilities to extract sensitive data from compromised hosts.
In a technical report shared with The Hacker News, Group-IB security researcher Andrey Polovinkin said, “The group used a variety of advanced custom tools and multiple kill chains that relied on spear-phishing emails.”
“Once attackers have access to a target’s network, they use advanced persistence mechanisms to remain undetected and maintain control over compromised systems.”
The latest findings reveal significant changes to Dark Pink’s attack sequence, made not only to hamper analysis but also to accommodate improvements to KamiKakaBot, which executes commands received from threat actor-controlled Telegram channels through a Telegram bot.

The latest version, among other things, splits its functionality into two distinct parts: one for controlling the device and another for gathering valuable information.
The Singapore-based company also identified a new GitHub account associated with the group containing PowerShell scripts, ZIP archives, and custom malware committed between January 9, 2023 and April 11, 2023.
In addition to using Telegram for command and control, Dark Pink has been observed exfiltrating stolen data over HTTP using a service called webhook[.]site. Another notable point is the use of a Microsoft Excel add-in to ensure TelePowerBot’s persistence within infected hosts.
“Using webhook[.]site, the attacker created a temporary endpoint and sent sensitive data stolen from the victim,” Polovinkin said.
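The two channels described above (a Telegram bot for command and control, webhook[.]site for exfiltration over HTTP) both ride on legitimate public services, so a defender's detection has to key on who is talking to them rather than on the destination alone. The following is an added example, not code from the report or from Group-IB, of a small proxy-log triage script; the log format, hostnames of workstations, and the sample lines are all constructed here, and the bot token is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the report):
# timestamp, workstation, process, HTTP method, URL.
SAMPLE_LOG = """\
2023-03-14T09:12:01Z ws-0042 EXCEL.EXE GET https://api.telegram.org/bot0000000000:PLACEHOLDER/getUpdates
2023-03-14T09:12:05Z ws-0042 powershell.exe POST https://webhook.site/00000000-0000-0000-0000-000000000000
2023-03-14T09:13:10Z ws-0017 chrome.exe GET https://www.example.org/index.html
2023-03-14T09:14:22Z ws-0042 EXCEL.EXE POST https://api.telegram.org/bot0000000000:PLACEHOLDER/sendDocument
"""

# Public services the report says were abused for C2 and exfiltration.
SUSPECT_HOSTS = {"api.telegram.org", "webhook.site"}
# Processes that have no business talking to those services from a workstation
# (Excel is listed because the add-in persistence runs inside it).
SUSPECT_PROCS = {"excel.exe", "powershell.exe", "winword.exe", "mshta.exe"}
# Telegram Bot API paths always start with /bot<id>:<token>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")

def classify(line):
    """Return an alert dict for one log line, or None if it looks benign."""
    try:
        _ts, host, proc, method, url = line.split(maxsplit=4)
    except ValueError:
        return None  # malformed line, skip it
    parts = urlsplit(url)
    if parts.hostname not in SUSPECT_HOSTS:
        return None
    reasons = []
    if parts.hostname == "api.telegram.org" and TELEGRAM_BOT_PATH.match(parts.path):
        reasons.append("telegram-bot-api")
    if parts.hostname == "webhook.site" and method == "POST":
        reasons.append("webhook-site-post")  # outbound data to a throwaway endpoint
    if proc.lower() in SUSPECT_PROCS:
        reasons.append(f"unusual-process:{proc}")
    if not reasons:
        return None
    return {"host": host, "process": proc, "dest": parts.hostname, "reasons": reasons}

def scan(log_text):
    """Run classify() over every line and return the alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the script raises three alerts, all from ws-0042, and ignores the browser traffic from ws-0017.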
Dark Pink’s origins remain shrouded in mystery, although its motives are espionage-related. That said, it is suspected that the group’s victim footprint may be more extensive than previously assumed.
The fact that this adversary has been involved in only 13 attacks since mid-2021 (including the five new victims) shows that it strives to keep a low profile. It is also a sign that the threat actor chooses its targets carefully and minimizes the number of attacks to reduce the likelihood of exposure.
“The fact that two attacks were carried out in 2023 shows that Dark Pink is still active and poses an ongoing risk to organizations,” Polovinkin said. “Evidence shows that the cybercriminals behind these attacks continue to update their existing tools to avoid detection.”