More Dark Pink APT groups target the government and military with custom malware 


Government agencies, military bodies and other high-profile institutions in several Asia-Pacific countries have been targeted by a previously unknown threat group. Researchers believe it relies on novel custom malware to steal confidential information.

Security researchers track the group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), and note that it relies on custom tooling and unconventional tactics, techniques, and procedures (TTPs).

The group's custom toolkit includes information stealers and tools that infect USB drives connected to compromised computers and collect data from them. The actor relies on DLL side-loading and event-triggered execution to get its payloads running on compromised hosts.

According to Group-IB's report, the threat actor's goals are to steal browser-stored data, gain access to the victim's messengers, exfiltrate documents, and capture audio from the infected device's microphone.

Considered an advanced persistent threat (APT), Dark Pink carried out at least seven successful attacks between June 2021 and December 2022.

Initial compromise

Dark Pink's initial access vector is spear-phishing emails posing as job applications, which trick the victim into downloading a malicious ISO image. From there, Group-IB observed several variations of the attack chain.

In one, the ISO contains a decoy document, a legitimately signed executable, and a malicious DLL. The executable side-loads the DLL, which deploys one of the group's two custom information stealers (Ctealer or Cucky). A registry implant, TelePowerBot, is then installed for persistence.

Another variant places a Microsoft Office document (.DOC) inside the ISO. When the victim opens it, a template carrying a malicious macro is fetched from GitHub; the macro loads TelePowerBot and makes the Windows registry changes it needs.

A third chain, observed in December 2022, is nearly identical to the previous one, except that the malicious ISO and DLL side-loading deliver another custom implant, which researchers call KamiKakaBot, that receives and executes commands.
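The side-loading pattern described in this section (a signed executable run from a mounted ISO that loads a malicious DLL sitting beside it) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the Group-IB report or from this article: a Python hunt over constructed Sysmon-style EventID 7 (image load) records that flags a signed executable in a non-system directory loading an unsigned DLL from its own folder. The paths, GUIDs and DLL names are illustrative, and the rule assumes the process's own executable shows up as an image-load record, which is how it learns whether the EXE is signed.

```python
"""Hunt for DLL side-loading: a signed executable launched from a non-system
directory that loads an unsigned DLL from the same directory.
Input is a list of constructed Sysmon-style EventID 7 (image load) records.
The record whose ImageLoaded equals the process Image is treated as the main
module (an assumed telemetry layout, not taken from the Group-IB report)."""
import ntpath

# Directories where unsigned DLLs next to signed binaries are routine and
# would only add noise.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry; nothing here is real victim data.
IMAGE_LOADS = [
    # Process A: signed binary run from a mounted ISO (E:) pulling an unsigned DLL
    # from the same folder: the side-loading pattern.
    {"ProcessGuid": "{A}", "Image": "E:\\Application\\Viewer.exe",
     "ImageLoaded": "E:\\Application\\Viewer.exe", "Signed": "true", "SignatureStatus": "Valid"},
    {"ProcessGuid": "{A}", "Image": "E:\\Application\\Viewer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"ProcessGuid": "{A}", "Image": "E:\\Application\\Viewer.exe",
     "ImageLoaded": "E:\\Application\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # Process B: unsigned vendor DLL beside a signed EXE, but under Program Files: ignored.
    {"ProcessGuid": "{B}", "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\tool.exe", "Signed": "true", "SignatureStatus": "Valid"},
    {"ProcessGuid": "{B}", "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # Process C: unsigned EXE loading an unsigned DLL: suspicious, but not side-loading.
    {"ProcessGuid": "{C}", "Image": "C:\\Users\\u\\Downloads\\setup.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\setup.exe", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"ProcessGuid": "{C}", "Image": "C:\\Users\\u\\Downloads\\setup.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\x.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]


def _norm(path):
    """Lower-case a Windows path and unify separators so comparisons are exact."""
    return path.replace("/", "\\").lower()


def _is_signed(ev):
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def find_sideloads(events):
    """Return one finding per (signed EXE, unsigned DLL in the EXE's own directory)."""
    by_proc = {}
    for ev in events:
        by_proc.setdefault(ev["ProcessGuid"], []).append(ev)

    findings = []
    for loads in by_proc.values():
        image = _norm(loads[0]["Image"])
        exe_dir = ntpath.dirname(image)
        if (exe_dir + "\\").startswith(SYSTEM_PREFIXES):
            continue                                  # trusted install locations: skip
        main = [l for l in loads if _norm(l["ImageLoaded"]) == image]
        if not main or not _is_signed(main[0]):
            continue                                  # only a *signed* host EXE matters here
        for l in loads:
            dll = _norm(l["ImageLoaded"])
            if dll == image or ntpath.dirname(dll) != exe_dir:
                continue                              # not a sibling of the EXE
            if not _is_signed(l):
                findings.append({"process": loads[0]["Image"],
                                 "dll": l["ImageLoaded"],
                                 "status": l.get("SignatureStatus")})
    return findings


if __name__ == "__main__":
    for f in find_sideloads(IMAGE_LOADS):
        print(f"side-load candidate: {f['process']} loaded {f['dll']} ({f['status']})")
```

The rule deliberately ignores unsigned DLLs under Program Files and Windows, and unsigned executables altogether: the signal in this chain is a trusted, signed binary being abused as a loader, not simply an unsigned module. A mounted ISO appears as a new drive letter, but the rule does not depend on that, so it also catches the same pattern from Downloads or a USB stick.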

Custom malware

Ctealer and Cucky are information stealers written in C and .NET, respectively. They harvest saved passwords, browsing history, saved logins, and cookies from web browsers, targeting Chrome, Microsoft Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy Browser, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser.

TelePowerBot is a registry implant launched by a PowerShell script at boot; it connects to a Telegram channel and executes the PowerShell commands it receives there.

"During an infection, the threat actors run standard commands (e.g. net share, Get-SmbShare) to retrieve the network resources connected to the infected device. If a network drive is found, they begin exploring it to find files that may be of interest and possibly exfiltrate them." (Group-IB)

Lateral movement is typically achieved with simple console tools or more elaborate PowerShell scripts that spread through removable USB drives.

KamiKakaBot is a .NET counterpart of TelePowerBot that adds information-stealing capabilities, including data stored by the Chrome and Firefox browsers.

Dark Pink also uses a script that records audio from the microphone every 60 seconds. The recordings are saved as a ZIP archive in the Windows temporary folder before being exfiltrated to the Telegram bot.

The threat actor also uses a dedicated exfiltration utility named "ZMsg", which is downloaded from GitHub. It steals messages from Viber, Telegram, and Zalo and stores them under %TEMP%\KoVosRLvmU pending exfiltration.
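The TelePowerBot, audio-recorder and ZMsg behaviours above (a PowerShell implant started at boot, PowerShell talking to a Telegram bot, loot zipped into %TEMP% or staged under %TEMP%\KoVosRLvmU) each leave a distinct trace on the endpoint, and they are far more convincing together than alone. The following is an added example, not code from Group-IB or from this article: a Python hunt over constructed Sysmon-style records (EventID 13 registry value set, 3 network connection, 11 file create) that fires one rule per behaviour and then triages hosts where several co-occur. The hostnames, paths, the encoded-command switches and the fake base64 blob are constructed assumptions; the staging directory name and the Telegram C2 come from the report.

```python
"""Behavioural hunt for the TelePowerBot / ZMsg tradecraft described above:
  1. a Run-key autorun whose value launches PowerShell (boot-time implant),
  2. powershell.exe connecting to api.telegram.org (Telegram used as C2),
  3. loot staged under %TEMP%\\KoVosRLvmU, or a .zip written into %TEMP% by PowerShell.
Records are constructed in the shape of Sysmon EventID 13 (registry value set),
3 (network connection) and 11 (file create); none of it is real telemetry."""
import re

AUTORUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
# PowerShell started with the usual hide/encode switches. The switches are an
# assumption; Group-IB only says a PowerShell script runs at boot.
POWERSHELL_LAUNCH = re.compile(
    r"powershell(\.exe)?\s.*?(-enc\b|-e\s|-w\s*hidden|-nop\b|-ep\s*bypass)", re.I)
TELEGRAM_API_HOSTS = {"api.telegram.org"}
STAGING_DIR = re.compile(r"\\temp\\kovosrlvmu\\", re.I)   # ZMsg staging folder per the report
TEMP_ZIP = re.compile(r"\\temp\\[^\\]+\.zip$", re.I)      # zipped audio dropped in %TEMP%
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry. WS-01 shows the whole chain, WS-02 is benign
# activity that touches the same artefacts, WS-03 shows a single weak hit.
EVENTS = [
    {"Computer": "WS-01", "EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"},  # fake, truncated
    {"Computer": "WS-01", "EventID": 3, "Image": PS,
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"Computer": "WS-01", "EventID": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\KoVosRLvmU\\viber.db"},
    {"Computer": "WS-01", "EventID": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\rec_1670000000.zip"},
    {"Computer": "WS-02", "EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-2\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"Computer": "WS-02", "EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"Computer": "WS-02", "EventID": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\inventory.ps1"},
    {"Computer": "WS-03", "EventID": 3, "Image": PS,
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def autorun_powershell(ev):
    return (ev.get("EventID") == 13 and ev.get("EventType") == "SetValue"
            and AUTORUN_KEY.search(ev.get("TargetObject", "")) is not None
            and POWERSHELL_LAUNCH.search(ev.get("Details", "")) is not None)


def powershell_to_telegram(ev):
    return (ev.get("EventID") == 3
            and _basename(ev.get("Image", "")) in POWERSHELL_IMAGES
            and ev.get("DestinationHostname", "").lower() in TELEGRAM_API_HOSTS)


def staged_loot(ev):
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "")
    if STAGING_DIR.search(target):
        return True                                   # the named staging folder is specific enough alone
    return TEMP_ZIP.search(target) is not None and _basename(ev.get("Image", "")) in POWERSHELL_IMAGES


RULES = (("autorun_powershell", autorun_powershell),
         ("powershell_to_telegram", powershell_to_telegram),
         ("staged_loot", staged_loot))


def hunt(events):
    """Map each host to the sorted list of rule names that fired on it."""
    hits = {}
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.setdefault(ev["Computer"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def triage(events, min_rules=2):
    """Hosts where at least min_rules distinct behaviours co-occur. One rule alone
    (a browser reaching api.telegram.org, say) is weak; the chain is the signal."""
    return {h: n for h, n in hunt(events).items() if len(n) >= min_rules}


if __name__ == "__main__":
    for host, names in triage(EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Run against the constructed events, WS-01 trips all three rules, WS-02 trips none (its Run key launches OneDrive, the Telegram connection comes from Chrome, and PowerShell only writes a .ps1 to %TEMP%), and WS-03 trips one and is dropped by triage. The point of keying the network rule on powershell.exe rather than on the hostname alone is that api.telegram.org is legitimate traffic for plenty of users; it is the process making the connection that matches TelePowerBot.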

An earlier report by Chinese cybersecurity company Anheng Hunting Labs, which tracks Dark Pink as the Saaiwc Group, described one of the attack chains, in which a Microsoft Office template with malicious macro code was used to exploit CVE-2017-0199, an older, high-severity Office vulnerability.

Group-IB attributes seven cyberattacks to Dark Pink, but notes that the real figure could be higher.

The company has notified the seven affected organizations and will continue to monitor the threat actor's activity.
