Dark Pink APT Group Utilizes TelePowerBot and KamiKakaBot in Advanced Attacks
The threat actor known as Dark Pink has been linked to five new attacks targeting entities in Belgium, Brunei, Indonesia, Thailand and Vietnam between February 2022 and April 2023.
This includes educational entities, government agencies, military agencies, and non-profit organizations, demonstrating the enemy crew’s continued focus on high-value targets.
Dark Pink, also known as Saaiwc Group, is an advanced persistent threat actor (APT) believed to have Asian-Pacific origins, with attacks targeting entities located primarily in East Asia and, to a lesser extent, in Europe.
The group uses a suite of specialized malware tools such as TelePowerBot and KamiKakaBot which provide various functions for extracting sensitive data from compromised hosts.
“The group uses a variety of sophisticated customization tools, deploying multiple destruction chains relying on spear-phishing emails,” Group-IB security researcher Andrey Polovinkin said in a technical report shared with The Hacker News.
“Once an attacker gains access to a target network, they use sophisticated persistence mechanisms to remain undetected and maintain control of the compromised system.”
The findings also illustrate some of the major modifications to Dark Pink’s attack sequence to hinder analysis as well as accommodate improvements to KamiKakaBot, which executes commands from Telegram channels controlled by threat actors via Telegram bots.
The latest version, in particular, divides its functionality into two distinct parts: One for controlling the device and the other for harvesting valuable information.
The Singapore-headquartered company also identified a new GitHub account associated with accounts containing PowerShell scripts, ZIP archives and custom malware committed between January 9, 2023 to April 11, 2023.
As well as using Telegram for command-and-control, Dark Pink has been observed extracting stolen data over HTTP using a service called webhook(.) site. Another important aspect is the use of the Microsoft Excel add-in to ensure persistence of TelePowerBot within the infected host.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!
“With webhook(.) sites, you can set up temporary endpoints to capture and view incoming HTTP requests,” notes Polovinkin. “Threat actors create temporary endpoints and send sensitive data stolen from victims.”
Dark Pink, despite her espionage motives, remains shrouded in mystery. That said, the victimization trail of the hacking crew is allegedly more extensive than previously thought.
The fact that the adversary has been linked to just 13 attacks (including five new casualties) since mid-2021 speaks to a low profile effort for secrecy. It is also a sign of threat actors carefully selecting their targets and keeping the number of attacks to a minimum to reduce the chance of exposure.
“The fact that two attacks were carried out in 2023 shows that Dark Pink remains active and poses an ongoing risk to the organization,” said Polovinkin. “Evidence suggests that the cybercriminals behind these attacks are continuously updating their existing tools to remain undetected.”
