Dark Pink cyber-spies add info stealers to their arsenal, notch up more victims

Dark Pink, a suspected nation-state-sponsored cyber-espionage group, has expanded its list of targeted organizations, both geographically and by sector, and has carried out at least two attacks since the beginning of the year.

So says Singapore-based security outfit Group-IB, which claims Dark Pink has been active since mid-2021, primarily focused on victims in the Asia-Pacific region — but that appears to be changing.

Group-IB's researchers say they've identified five new Dark Pink victims since their January 2023 research on the threat group, bringing the criminals' victim list to 13. 

The latest victims include a military organization in Thailand, government agencies in Brunei and Indonesia, a non-profit in Vietnam, and an educational institution in Belgium. This potentially "suggests that the actual scope of the attacks could be even broader," the threat intel team said this week.

Additionally, two of these attacks (Brunei and Indonesia) happened this year, with the most recent malicious files uploaded to VirusTotal being detected in May. "It means that the group shows no signs of slowing down," Group-IB added.

While the gang expands its targeted victims, it's also improving its toolset to remain undetected on organizations' networks. 

Dark Pink continues to use ISO images sent in phishing emails for its initial intrusions. It also uses .DLL sideloading to launch its custom TelePowerBot and KamiKakaBot malware, according to the security researchers. Both pieces of Windows malware use encrypted messaging service Telegram to communicate with their overlords. 

According to Group-IB, the malware appears designed to steal confidential files from government and military networks, and can "infect even the USB devices attached to compromised computers." The malicious code can also get at messenger apps on infected PCs.

Dark Pink appears to have updated KamiKakaBot by splitting its functionality into two parts: controlling devices, and stealing data. The malware loads directly in memory, which helps avoid detection. And it can receive and carry out commands from the intruders to do things like steal data from web browsers, update XML files, update Telegram tokens, send bot/victim identifiers, and download and execute an arbitrary script.

• Ransomware-as-a-service groups rain money on their affiliates
• Five Eyes and Microsoft accuse China of attacking US infrastructure again
• Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
• Barracuda Email Security Gateways bitten by data thieves

The data collection process, however, hasn't changed. For one thing, the malware compiles a list of files it could take from installed web browsers. Then it copies the files to a designated folder before creating a .zip archive. Group-IB notes that, with Google Chrome and Microsoft Edge, the key to decrypt encrypted logins and passwords is also extracted and added to the archive. Presumably that archive is then exfiltrated. This all hands over useful login details to the cyber-spies to exploit further.

New GitHub account and data-stealing tools

While the security shop's earlier analysis only found one GitHub account used during all of Dark Pink's attacks, the more recent research spotted a new account with the first commit dated January 9.

The repository is private, and "what makes the move noteworthy is that the repository was deactivated when the URLs pointing to files within the repositories were being uploaded to VirusTotal," Group-IB said.

Between January 9 and April 11, Dark Pink only performed 12 commits to add Powershell scripts; .zip archives; and a custom info stealer called ZMsg, which steals information from Zalo's instant messenger. Another involved a tool called Netlua that elevates privileges and launches Powershell commands.

The .zip archive analyzed by Group-IB contained an encrypted payload, signed executable, and loader.

Dark Pink also appears to have developed new methods to steal data instead of using email or Dropbox as usual. In one of its recent attacks, the miscreants used Webhook, which allowed them to set up temporary endpoints and exfiltrate the stolen data over HTTP.

In another attack, the miscreants replaced Webhook with a Windows server, although "the motive behind this change remains unclear," according to Group-IB's researchers.

The Singaporean cyber-sleuths assess that Dark Pink "poses an ongoing risk to organizations, and adds that their research shows "the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected." ®