The cyberattack campaign by well-known APT group Dark Pink has a wider scope than originally thought, with researchers identifying five new victims, including one from Belgium.
The group has ties to China and was previously thought to focus its activity mainly on Southeast Asian countries. However, the new victims identified by Group-IB today include one in Belgium, as well as further victims in Thailand and Brunei, two of the group's original target countries.
“This group deploys multiple kill chains that rely on spear-phishing emails, using a variety of sophisticated custom tools. It stays undetected and maintains control of the compromised system,” said Group-IB Malware Analyst Andrey Polovinkin.
“As we continue to track the activities of this group, we have identified new tools, exfiltration mechanisms and victims in countries and new industries that Dark Pink has not previously targeted.”
With at least two attacks in 2023, it’s clear the group isn’t going to slow down. Among its updates to Tactics, Techniques, and Procedures (TTPs) is a new version of the KamiKakaBot malware, which splits its functionality into two parts: one dedicated to controlling devices and the other to exfiltrating data.
Group-IB also discovered a new GitHub account hosting a module that can be installed on a victim’s machine when the malicious code is instructed to fetch it. According to the report, the payload was also distributed through the TextBin.net service.
Polovinkin revealed that Dark Pink used the Webhook.site service to exfiltrate stolen data over HTTP.
“Webhook.site is a powerful and versatile service that allows users to easily inspect, test and debug HTTP requests and webhooks,” he explained. “webhook.site allows you to set up temporary endpoints to capture and display incoming HTTP requests.”
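Because Webhook.site and TextBin.net are legitimate services, the defensive angle is to watch for endpoints inside the organisation talking to them at all, and to rank outbound POSTs carrying a large body higher than simple fetches. The following is an added example written for this article, not code from Group-IB or the report; the proxy log format and the sample lines are constructed, and the 4 KiB POST threshold is an assumed tuning value.

```python
"""Flag outbound HTTP traffic to Webhook.site / TextBin.net in proxy logs.

Added example (not from the Group-IB report). The log format below is a
constructed six-field, space-separated layout:
    timestamp client_ip method url status bytes_out
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Domains the article names as used by Dark Pink: Webhook.site for
# exfiltration and TextBin.net for payload distribution.
WATCHED_DOMAINS = {"webhook.site", "textbin.net"}

# Constructed sample log lines; the UUID-style path is a made-up placeholder.
SAMPLE_LOG = """\
2023-05-30T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 200 512
2023-05-30T10:02:15Z 10.0.0.5 POST https://webhook.site/00000000-0000-0000-0000-000000000000 200 48211
2023-05-30T10:03:40Z 10.0.0.7 GET https://textbin.net/raw/placeholder 200 920
2023-05-30T10:04:01Z 10.0.0.5 GET https://cdn.example.net/lib.js 200 30000
2023-05-30T10:05:22Z 10.0.0.9 POST https://api.example.org/upload 201 70000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class ProxyEvent:
    ts: str
    client: str
    method: str
    url: str
    status: int
    bytes_out: int

    @property
    def host(self) -> str:
        # Normalise to the bare hostname so matching ignores scheme, port and path.
        return (urlsplit(self.url).hostname or "").lower()


def parse_log(text: str) -> List[ProxyEvent]:
    """Parse the constructed proxy format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, nbytes = m.groups()
        events.append(ProxyEvent(ts, client, method, url, int(status), int(nbytes)))
    return events


def is_watched(host: str) -> bool:
    """Exact match or subdomain of a watched domain (not a substring match)."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(events: List[ProxyEvent],
                    post_threshold: int = 4096) -> List[Tuple[str, str, str, int, str]]:
    """Return (client, host, method, bytes_out, severity) for watched-domain traffic.

    A POST with a body at or above post_threshold bytes is rated 'high' as a
    likely exfiltration; any other contact with a watched domain is 'medium'.
    """
    hits = []
    for e in events:
        if not is_watched(e.host):
            continue
        severity = "high" if e.method == "POST" and e.bytes_out >= post_threshold else "medium"
        hits.append((e.client, e.host, e.method, e.bytes_out, severity))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_log(SAMPLE_LOG)):
        print(hit)
```

In a real deployment the same logic sits in a SIEM rule keyed on the proxy or DNS logs; the point of the host normalisation and suffix match is to avoid both missing `api.webhook.site`-style subdomains and false-matching unrelated hosts whose name merely contains the string.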
Dark Pink is also continually looking for new ways to evade detection on infected machines, likely using various LOLBin (living-off-the-land binary) techniques to do so, the report claims.