A new APT group named Dark Pink has targeted military and government agencies in many Asia-Pacific countries to extract valuable documentation.
Dark Pink APT group targets military and government
A series of Advanced Persistent Threat (APT) attacks were launched by a group known as Dark Pink between June and December 2022. The attacks were launched against several countries in Asia-Pacific, including Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. A European country, Bosnia and Herzegovina, was also targeted.
The Dark Pink attacks were first discovered by Albert Priego, a Group-IB malware analyst. In a Group-IB blog post regarding the incidents, it was stated that Dark Pink’s operators “exploit a new set of tactics, techniques, and procedures rarely used by previously known APT groups”. Going into more detail, Group-IB described a custom toolkit that includes four different information stealers: TelePowerBot, KamiKakaBot, Cucky, and Ctealer.
These information stealers are used by Dark Pink to extract valuable documents stored within government and military networks.
The initial vector for Dark Pink’s attacks was reportedly phishing campaigns, in which operators posed as job candidates. Group-IB also noted that Dark Pink has the ability to infect USB devices attached to compromised computers. Additionally, Dark Pink can access messengers installed on infected computers.
Group-IB shared an infographic about the Dark Pink attacks on its Twitter page.
While most of the attacks took place in Vietnam (one of which failed), a total of five additional attacks also took place in other countries.
Dark Pink’s operators are currently unknown
As of this writing, the operators behind Dark Pink remain unknown. However, Group-IB said in the aforementioned post that “a mix of nation-state threat actors from China, North Korea, Iran and Pakistan” have been linked to APT attacks in Asia-Pacific countries. It was also noted that Dark Pink appears to have emerged as early as mid-2021, with an increase in activity in mid-2022.
Group-IB also noted that the purpose of these attacks is often to commit espionage, rather than to make a financial profit.
The Dark Pink APT group remains active
In its blog post, Group-IB informed readers that at the time of writing (January 11, 2023), the Dark Pink APT group remains active. As the attacks only ended at the end of 2022, Group-IB is still investigating the issue and determining its scope.
The company hopes to uncover the operators behind these attacks and said in its blog post that the preliminary research conducted into the incidents should “go a long way in raising awareness of the new TTPs used by this threat actor and helping organizations take appropriate steps to protect against a potentially devastating APT attack”.
APT groups are a huge security threat
Advanced Persistent Threat (APT) groups pose a huge risk to organizations around the world. As cybercrime methods continue to grow in sophistication, it is unclear what type of attack APT groups will launch next, and what consequences this will have for their targets.