A newly discovered APT group dubbed Dark Pink was observed targeting government and military organizations mostly based in Southeast Asia and Europe.
Based on the official report by Group-IB, the APT group launched 7 successful attacks between June and December 2022.


A. Nature of the Attack

The initial infection starts with a targeted spear-phishing email, with a unique email crafted for each targeted organization.

There are 3 documented methods used after the initial access to the targeted assets.

1). First Method – Threat actors pack all of the files, including a malicious DLL, onto the ISO itself. After the ISO is mounted, the DLL is run using the technique known as DLL Side-Loading, which is used to drop an information stealer (Ctealer or Cucky) that may be used to steal passwords, history, logins, and cookies from dozens of web browsers.

2). Second Method – After the initial infection, threat actors leverage GitHub to download a templated malicious document to the affected system.

3). Third Method – The most recent kill chain leveraged by the threat actors (in December 2022) sees their malware launched with the assistance of an XML file, which contains an MSBuild project that includes a task to execute .NET code in order to launch their custom malware.
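One way to triage files for the third method, as an added example that is not part of this advisory or of the Group-IB report: a Python check that flags XML files which are MSBuild projects declaring inline-code tasks. The function names, the factory list and both sample documents are assumptions constructed here, and the samples are harmless.

```python
import xml.etree.ElementTree as ET

# MSBuild task factories that compile and run inline .NET code from the project file.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

def _local(tag):
    """Drop the XML namespace and case: '{ns}UsingTask' -> 'usingtask'."""
    return tag.rsplit("}", 1)[-1].lower()

def find_inline_tasks(xml_text):
    """Return one finding per inline-code task; [] if not an MSBuild project."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    if _local(root.tag) != "project":
        return []
    # Tasks actually called: direct children of every <Target>.
    invoked = {_local(c.tag) for t in root.iter() if _local(t.tag) == "target" for c in t}
    findings = []
    for el in root.iter():
        if _local(el.tag) != "usingtask":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        if attrs.get("taskfactory", "").lower() not in INLINE_FACTORIES:
            continue
        for code in (c for c in el.iter() if _local(c.tag) == "code"):
            name = attrs.get("taskname", "")
            findings.append({
                "task": name,
                "factory": attrs["taskfactory"],
                "language": {k.lower(): v for k, v in code.attrib.items()}.get("language", ""),
                "invoked": name.split(".")[-1].lower() in invoked,
                "code_chars": len((code.text or "").strip()),
            })
    return findings

# Constructed, harmless samples (not taken from the campaign).
SAMPLE_INLINE = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Hello /></Target>
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("constructed sample");</Code></Task>
  </UsingTask>
</Project>"""
SAMPLE_PLAIN = '<Project><Target Name="Build"><Message Text="hi" /></Target></Project>'

if __name__ == "__main__":
    for label, doc in (("inline", SAMPLE_INLINE), ("plain", SAMPLE_PLAIN)):
        print(label, find_inline_tasks(doc))
```

A finding with `invoked` set to true on an XML file that arrived by email, or that sits in a user-writable folder, is worth reviewing alongside any MSBuild process launches on that host.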

To communicate with the affected system, the adversaries used two custom modules, named by Group-IB as TelePowerBot and KamiKakaBot. These two pieces of malware are designed to read and execute commands from a threat actor-controlled Telegram channel via a Telegram bot.


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • For users, stay cautious when opening an email. Do not click on suspicious links.
  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
  • A Security Email Gateway that monitors email within your organization is nice to have, especially on a corporate network.
  • Use anti-virus software and/or a host-based detection tool running the latest version to protect your data and devices.
  • In addition, provide and capacitate employees with cybersecurity knowledge and information to minimize the attack surface.
  • For additional information, kindly refer to the official report:
    • https://www.group-ib.com/media-center/press-releases/dark-pink-apt/
    • https://www.bleepingcomputer.com/news/security/new-dark-pink-apt-group-targets-govt-and-military-with-custom-malware/#.Y75gdFjZDS0.twitter