Group-IB, a global cybersecurity firm headquartered in Singapore, yesterday published a new update into the APT (advanced persistent threat) group codenamed Dark Pink, revealing that a total of 13 organizations in 9 countries have now fallen victim to this malicious actor.
Dark Pink’s operations were detailed in depth by Group-IB’s Threat Intelligence unit in a January 2023 blog post, and at this time, researchers linked the group to attacks on 7 organizations in the Asia-Pacific region and 1 in Europe. Group-IB experts have since discovered 5 new Dark Pink victims, and the geographic scope of the group’s operations are wider than previously thought, as organizations in Brunei, Thailand, and Belgium were all hit by Dark Pink attacks. Continued analysis has revealed that this group is still active, as Dark Pink attacked a government ministry in Brunei this past January and a government agency in Indonesia as recently as April 2023. Additionally, Group-IB researchers were able to attribute three other attacks from 2022 to this particular APT group.
The initial access vector for Dark Pink attacks continues to be spear-phishing emails, and Group-IB researchers noted in their January 2023 blog that the group utilized an almost-entirely custom toolkit to exfiltrate files and messenger data from infected devices and networks. Since then, Group-IB experts can reveal that Dark Pink APT has updated many of these custom tools, changing their functionalities in order to allow the group to slip undetected past defense mechanisms of cybersecurity systems. For example, the group’s custom KamiKakaBot module, designed to read and execute commands from the threat actors via Telegram, is still stored on the filesystem of infected devices, but it is now divided into two distinct parts — one that controls the device and the other that steals sensitive data. Dark Pink also continues to use an MSBuild utility to launch KamiKakaBot in the infection chain.
Group-IB’s Threat Intelligence unit has discovered Dark Pink’s new account on GitHub, which was created as soon as the first information about the APT group was published in the public domain this past January. The threat actors can issue commands to infected machines to download files from this GitHub account, and Group-IB researchers found 12 commits to the new account performed between January 9 and April 11, 2023. Recent attacks have also seen the group exfiltrate stolen data over a HTTP protocol using Webhook service, and they have also leveraged functionalities of an MS Excel add-in to ensure the persistence of TelePowerBot (a simpler version of KamiKakaBot written in PowerShell). In line with Group-IB’s zero-tolerance policy to cybercrime, all confirmed and potential victims of Dark Pink attacks were issued with proactive warnings.
Andrey Polovinkin, Malware Analyst at Group-IB
Dark Pink APT shows no sign of slowing down. APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception. The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyze all Dark Pink activity and ensure that confirmed and potential victims are informed.
