The Dark Pink advanced persistent threat (APT) group, also known as Saaiwc, has been linked to a new wave of attacks on government and military entities in Southeast Asia.
The attacks used a malware called KamiKakaBot, which is designed to steal data stored in web browsers and execute remote code using Command Prompt, while also evading detection. Dark Pink is believed to be of Asia-Pacific origin and has been active since mid-2021, with an increased tempo observed in 2022.
The latest attacks, which took place in February 2023, were almost identical to previous attacks, according to Dutch cybersecurity company EclecticIQ.
The attacks used social engineering lures, email messages carrying ISO image file attachments, to deliver the malware. The ISO image contains an executable, a loader, and a decoy Microsoft Word document; the document is what carries the embedded KamiKakaBot payload.
Persistence on the compromised host is achieved through malicious modifications to the Windows Registry keys used by the Winlogon Helper mechanism. The gathered data is then exfiltrated to a Telegram bot as a ZIP archive.
According to EclecticIQ, using legitimate web services such as Telegram as a command-and-control (C2) server is a top choice for threat actors at every level, from ordinary cybercriminals to advanced persistent threat groups.
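Two of the behaviours summarised above are observable on an endpoint: the Winlogon registry persistence and the outbound traffic to the Telegram bot. The following is an added detection sketch, not code from the report or from EclecticIQ. It runs over constructed events modelled on Sysmon Event ID 13 (registry value set) and Event ID 22 (DNS query). It assumes the Winlogon values being tampered with are `Shell` and `Userinit` (the values documented under MITRE ATT&CK T1547.004; the report does not name which value KamiKakaBot modifies), and it uses `api.telegram.org`, the Telegram Bot API host, as the indicator of bot traffic. The list of processes allowed to contact Telegram is an assumption to be tuned per environment.

```python
"""Hunt for Winlogon persistence and Telegram bot traffic in endpoint telemetry.

Added example, not part of the original report. SAMPLE_EVENTS are constructed,
loosely following Sysmon Event ID 13 (RegistryEvent) and 22 (DNS query) fields.
"""
from dataclasses import dataclass

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Documented default values for the Winlogon entries most often abused for
# persistence (ATT&CK T1547.004). Comparison is case-insensitive and ignores
# the trailing comma Windows writes after Userinit.
EXPECTED_WINLOGON = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

TELEGRAM_DOMAINS = {"api.telegram.org"}  # Telegram Bot API host
# Assumed allowlist of processes that may legitimately resolve Telegram; tune per site.
ALLOWED_TELEGRAM_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


@dataclass
class Event:
    event_id: int
    image: str               # full path of the process that generated the event
    target_object: str = ""  # registry path incl. value name (Event 13)
    details: str = ""        # new registry data (Event 13)
    query_name: str = ""     # DNS name queried (Event 22)


def _normalise(value: str) -> str:
    """Lower-case a registry string and drop the trailing comma Userinit carries."""
    return value.strip().rstrip(",").strip().lower()


def check_winlogon(ev: Event):
    """Alert when Winlogon Shell/Userinit is set to anything but its default."""
    if ev.event_id != 13:
        return None
    key, _, value_name = ev.target_object.rpartition("\\")
    if key.lower() != WINLOGON_KEY.lower():
        return None
    name = value_name.lower()
    if name not in EXPECTED_WINLOGON:
        return None
    if _normalise(ev.details) in EXPECTED_WINLOGON[name]:
        return None
    return f"Winlogon {value_name} changed to '{ev.details}' by {ev.image}"


def check_telegram(ev: Event):
    """Alert when a non-allowlisted process resolves the Telegram Bot API host."""
    if ev.event_id != 22:
        return None
    if ev.query_name.lower() not in TELEGRAM_DOMAINS:
        return None
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    if image_name in ALLOWED_TELEGRAM_IMAGES:
        return None
    return f"{ev.image} resolved {ev.query_name} (possible Telegram bot C2/exfiltration)"


def hunt(events):
    """Run every check over the event stream and return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in (check_winlogon, check_telegram):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign baseline writes, one tampered Shell
# value, one browser resolving Telegram, and one cmd.exe resolving Telegram.
SAMPLE_EVENTS = [
    Event(13, r"C:\Windows\explorer.exe",
          target_object=WINLOGON_KEY + r"\Shell", details="explorer.exe"),
    Event(13, r"C:\Users\victim\AppData\Local\Temp\decoy.exe",
          target_object=WINLOGON_KEY + r"\Shell",
          details=r"explorer.exe,C:\Users\victim\AppData\Roaming\svc\loader.exe"),
    Event(13, r"C:\Windows\System32\msiexec.exe",
          target_object=WINLOGON_KEY + r"\Userinit",
          details=r"C:\Windows\system32\userinit.exe,"),
    Event(22, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          query_name="api.telegram.org"),
    Event(22, r"C:\Windows\System32\cmd.exe", query_name="api.telegram.org"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run as-is it raises two alerts, one for the appended loader in the `Shell` value and one for `cmd.exe` resolving the Telegram API host; the benign baseline writes and the browser lookup stay silent. The same two checks map directly onto a SIEM query over real Sysmon data, and the DNS check can be tightened further by alerting on the size of outbound POST bodies to the same host, since the report describes exfiltration as a ZIP archive.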
The Dark Pink APT group is likely a cyber espionage-motivated threat actor that exploits relations between ASEAN and European nations to create phishing lures.
Organizations in Southeast Asia should remain vigilant against social engineering lures containing ISO image file attachments in email messages, and they should use anti-malware measures and leverage third-party threat intelligence to detect and respond to attacks.
They should also use multi-factor authentication, network segmentation, and network-based security controls to limit the spread of malware and reduce the attack surface.
Additionally, organizations should establish a robust incident response plan and practice incident response exercises to minimize the impact of attacks.