Dark Pink APT Group Leverages TelePowerBot and KamiKakaBot in Sophisticated Attacks
31.5.23 APT The Hacker News
The threat actor known as Dark Pink has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023.
This includes educational institutions, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew's continued focus on high-value targets.
Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with attacks targeting entities primarily located in East Asia and, to a lesser extent, in Europe.
The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts.
"The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails," Group-IB security researcher Andrey Polovinkin said in a technical report shared with The Hacker News.
"Once the attackers gain access to a target's network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system."
The findings also illustrate some key modifications to the Dark Pink attack sequence to impede analysis as well as accommodate improvements to KamiKakaBot, which executes commands from a threat actor-controlled Telegram channel via a Telegram bot.
The latest version, notably, splits its functionality into two distinct parts: One for controlling devices and the other for harvesting valuable information.
The Singapore-headquartered company said it also identified a new GitHub account associated with the threat actor that hosts PowerShell scripts, ZIP archives, and custom malware for subsequent installation onto victim machines. These modules were uploaded between January 9, 2023, and April 11, 2023.
Besides using Telegram for command-and-control, Dark Pink has been observed exfiltrating stolen data over HTTP using a service called webhook[.]site. Another notable aspect is the use of an Microsoft Excel add-in to ensure the persistence of TelePowerBot within the infected host.
"With webhook[.]site, it is possible to set up temporary endpoints in order to capture and view incoming HTTP requests," Polovinkin noted. "The threat actor created temporary endpoints and sent sensitive data stolen from victims."
Dark Pink, its espionage motives notwithstanding, remains shrouded in mystery. That said, it's suspected the hacking crew's victimology footprint could be broader than previously assumed.
While the latest discovery brings the attack tally to 13 (counting the five new victims) since mid-2021, they also indicate the adversary's attempts to maintain a low profile for stealthiness. They are also a sign of the threat actors carefully selecting their targets and keeping the number of attacks at a minimum to reduce the likelihood of exposure.
"The fact that two attacks were executed in 2023 indicates that Dark Pink remains active and poses an ongoing risk to organizations," Polovinkin said. "Evidence shows that the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected."