Dark Pink – master of disguise or superagents of cybercrime?

A group of cybercriminals called Dark Pink, also known as the Saaiwc Group, is connected by researchers of cybersecurity with five new attacks directed against various organizations in Belgium, Brunei, Indonesia, Thailand and Vietnam. The victims of the hackers were educational institutions, government agencies, military bodies and non -profit organizations.

Dark Pink is an advanced hacker group that, apparently, has an Asia-Pacific origin and specializes in attacks against objects located mainly in East Asia and, to a lesser extent, in Europe.

Dark Pink attacks are still based on ISO-images delivered to the target device using an e-mail phishing. The initial infection follows the DLL Sideloading, launching the branded bacdors of cybercriminals – Telepowerbot and Kamikakabot. Bacdors, in turn, provide various functions for kidnapping confidential data from infected hosts.

“After the attackers gain access to the network, they use advanced access mechanisms to remain unnoticed and maintain control over the compromised system” – said in the technical report Andrey Polinkin, analyst on harmful programs in Group-Ib.

The Group-IB report also describes some key changes in the sequence of Dark Pink attacks in order to difficult to analyze researchers. There are also some improvements in Kamikakabot, which performs Telegram Bota commands controlled by hackers. The latest version of Kamikakabot, in particular, divides its functionality into two separate parts: one to control devices, the other to collect valuable information.

Group-Ib also reported that its specialists managed to identify a new GitHub account associated with Dark Pink. This account contains PowerShell scripts, ZIP archives and own malicious grouping tools loaded this year.

In addition to using Telegram to implement C2-functional, Dark Pink was seen in the abduction of data on the HTTP protocol using the Webhook.site service. Another noticeable feature of the group is the use of Microsoft Excel harmful addition to ensure the constant access of Telepowerbot at the infected host.

“Using Webhook.site, you can create temporary endpoints for intercepting and viewing incoming HTTP checks,” Polinkin noted, adding that it was this functionality that attackers were successfully used to expert data.

Dark Pink’s espionage motives are still a mystery. Nevertheless, it is assumed that the geography of the victims of the hacker group can be wider than previously expected. The fact that since mid -2021, hackers managed to attribute only 13 attacks (taking into account five new victims), indicates their attempt to maintain a low security profile. This is also a sign that cyberbandites carefully choose their goals and hold the number of attacks at a minimum to reduce the likelihood of disclosure. And in between attacks, hackers are finalizing their tools in order to continue to go unnoticed.

/Reports, release notes, official announcements.