Dark Pink APT group leverages custom malware tools to conduct sophisticated attacks

Between February 2022 and April 2023, the threat actor known as Dark Pink has been associated with five new attacks against different entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam.

These include educational institutions, government agencies, military bodies and non-profit organizations, indicating the actor's continued focus on high-value targets.

Dark Pink, also known as the Saaiwc Group, is an advanced persistent threat (APT) attacker believed to have originated in the Asia-Pacific region, with its attacks primarily targeting entities located in East Asia and, to a lesser extent, Europe.

The group uses a set of custom malware tools, such as TelePowerBot and KamiKakaBot, which provide various capabilities to steal sensitive data from infected hosts.

In a technical report shared with The Hacker News, Group-IB security researcher Andrey Polovinkin noted that the group used a series of sophisticated custom tools to deploy multiple kill chains that relied on spear-phishing emails. Once the attackers gain access to the targeted network, they use advanced persistence mechanisms to remain undetected and maintain control of the infected system.

The findings also illustrate some key modifications to the Dark Pink attack sequence intended to hinder analysis, as well as improvements to KamiKakaBot, which executes commands received from Telegram channels controlled by the threat actors via Telegram bots.

Notably, the latest version divides its functionality into two distinct parts: one for controlling the device and the other for gathering valuable information.

The Singapore-based company says it has also discovered a new GitHub account associated with the threat actor that hosts PowerShell scripts, ZIP archives and custom malware for subsequent installation on victim machines. These modules were uploaded between January 9, 2023 and April 11, 2023.

In addition to using Telegram for command and control, Dark Pink was observed using a service called webhook[.]site to exfiltrate stolen data over HTTP. Another notable aspect is the use of a Microsoft Excel add-in to ensure the persistence of TelePowerBot on infected hosts.

Polovinkin notes that webhook[.]site lets anyone set up temporary endpoints to capture and inspect incoming HTTP requests, and that the threat actors create such temporary endpoints and send the sensitive data stolen from victims to them.
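The two network-level behaviours described above (uploads to webhook[.]site endpoints and Telegram Bot API calls used for command and control) are easy to hunt for in outbound proxy logs. The script below is an added example written for this page, not code from Group-IB or from the report; it assumes a simple space-separated proxy log format (timestamp, client, method, URL, bytes) and uses constructed sample lines with a placeholder webhook UUID and a placeholder bot token.

```python
"""Flag outbound requests to webhook.site and the Telegram Bot API in proxy logs."""
import re
from urllib.parse import urlsplit

# Destinations the report ties to Dark Pink traffic: webhook.site for HTTP
# exfiltration and the Telegram Bot API for bot-driven command and control.
SUSPECT_HOSTS = {
    "webhook.site": "webhook.site endpoint (possible HTTP exfiltration)",
    "api.telegram.org": "Telegram Bot API (possible bot-based C2)",
}
# Bot API paths look like /bot<id>:<token>/<method>; only real bot calls are flagged.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(\w+)")

# Constructed sample log (assumed format: ts client method url bytes).
# The UUID and bot token are placeholders, not values from the report.
SAMPLE_LOG = """\
1681200001 10.0.0.15 GET https://www.example.com/index.html 5120
1681200002 10.0.0.15 POST https://webhook.site/11111111-2222-3333-4444-555555555555 20480
1681200003 10.0.0.22 POST https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument 8192
1681200004 10.0.0.22 GET https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/getUpdates 512
1681200005 10.0.0.31 GET https://telegram.org/ 1024
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, size = parts
    try:
        size = int(size)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "host": urlsplit(url).hostname or "", "bytes": size}


def classify(entry):
    """Return a reason string if the request hits a suspect destination, else None."""
    host = entry["host"].lower()
    reason = SUSPECT_HOSTS.get(host)
    if reason is None:
        return None
    if host == "api.telegram.org":
        match = TELEGRAM_BOT_PATH.match(urlsplit(entry["url"]).path)
        if not match:
            return None  # non-bot Telegram API traffic is out of scope here
        reason += f", method={match.group(1)}"
    elif entry["method"] != "POST":
        reason = "webhook.site endpoint (non-POST; review)"
    return reason


def scan(log_text):
    """Return one alert dict per request that matches a suspect destination."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            alerts.append({"client": entry["client"], "host": entry["host"],
                           "bytes": entry["bytes"], "reason": reason})
    return alerts


def bytes_per_client(alerts):
    """Aggregate flagged request volume per internal client to prioritise triage."""
    totals = {}
    for alert in alerts:
        totals[alert["client"]] = totals.get(alert["client"], 0) + alert["bytes"]
    return totals


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['client']} -> {alert['host']} ({alert['bytes']} bytes): {alert['reason']}")
    print("flagged bytes per client:", bytes_per_client(found))
```

The per-client byte totals matter because a single large POST to a webhook[.]site endpoint is a stronger exfiltration signal than a handful of small requests; in a real deployment the host list and log parser would be swapped for the organisation's own proxy format and threat-intelligence feed.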

Despite the espionage motive, Dark Pink remains shrouded in mystery. That said, the suspected hacking team's victimological footprint may be broader than previously assumed.

While the latest findings bring the total number of attacks since mid-2021 to 13 (counting the five new victims), they also suggest that the adversaries are keeping a low profile in order to stay under the radar. They are also a sign that the threat actors are choosing their targets carefully and keeping the number of attacks to a minimum to reduce the likelihood of exposure.

Polovinkin said that the two attacks observed in 2023 indicate Dark Pink remains active and poses a constant risk to organizations, and that there is evidence the cybercriminals behind these attacks are constantly updating their existing tools in order to remain undetected.