The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. Along with these, one European country, Bosnia and Herzegovina was also targeted.
Details Of The Attack
The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘The Dark Pink.’ This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher.
Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly.
In regards to the attack, the Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB wrote of a custom toolkit "featuring four different infostealer: TelePowerBot, KamiKakaBot, Cucky, and Ctealer."
These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks.
Group-IB discovered one of Dark Pink's spear-phishing emails that were used to obtain the initial access. In this case, the threat actor purported to be a candidate for a PR and communications intern position. The threat actor may have scanned job boards and used this information to construct highly relevant phishing emails when they mention in the email that they found the position on a jobseeker website.
This simply serves to highlight how precisely these phishing emails are crafted in to appear so dangerous.
Reportedly, Dark Pink possesses the ability to exploit the USB devices linked to compromised systems. Moreover, Dark Pink can also access the messengers installed on the infected computers.
Dark Pink APT Group Remains Active
The Dark Pink APT group still remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the issue and estimating its size.
The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack."