The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot.
Dark Pink, also called Saaiwc, was first profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information.
The threat actor is suspected to be of Asia-Pacific origin and has been active since at least mid-2021, with an increased tempo observed in 2022.
“The latest attacks, which took place in February 2023, were almost identical to previous attacks,” Dutch cybersecurity company EclecticIQ disclosed in a new report published last week.
“The main difference in the February campaign is that the malware’s obfuscation routine has improved to better evade anti-malware measures.”
The attacks play out in the form of social engineering lures that contain ISO image file attachments in email messages to deliver the malware.
The ISO image includes an executable (Winword.exe), a loader (MSVCR100.dll), and a decoy Microsoft Word document, the latter of which comes embedded with the KamiKakaBot payload.
The loader, for its part, is designed to load the KamiKakaBot malware by leveraging the DLL side-loading method to evade security protections and load it into the memory of the Winword.exe binary.
KamiKakaBot is primarily engineered to steal data stored in web browsers and execute remote code using Command Prompt (cmd.exe), while also embracing evasion techniques to blend in with victim environments and hinder detection.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.
RESERVE YOUR SEAT
Persistence on the compromised host is achieved by abusing the Winlogon Helper library to make malicious Windows Registry key modifications. The gathered data is subsequently exfiltrated to a Telegram bot as a ZIP archive.
“The use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains the number one choice for different threat actors, ranging from regular cyber criminals to advanced persistent threat actors,” the Amsterdam-based company said.
“The Dark Pink APT group is very likely a cyber espionage-motivated threat actor that specifically exploits relations between ASEAN and European nations to create phishing lures during the February 2023 campaign.”
