[Nulled] » Information security » Group-IB uncovered Dark Pink APT,
January 16 2023

Group-IB uncovered Dark Pink APT,

web3 16-01-2023, 12:54 Information security 165

Group-IB uncovered Dark Pink APT, involved in attacks on government agencies and military facilities in the Asia-Pacific region using special malware to steal information.

Previously, ART has already come to the attention of Chinese researchers from Anheng Hunting Labs, who track the grouping as Saaiwc Group. The report describes some chains of attacks, one of which is implemented using a Microsoft Office template with malicious macros to exploit the old and dangerous CVE-2017-0199.

Group-IB noted that Dark Pink is characterized by unique TTP, and the user-defined set of tools found in the attacks can be used to steal information and distribute malware via USB drives.

The attacker uses unpublished DLL downloads and event-triggered methods to extract payloads on the victims' systems.

The attacker's goal is to steal information from browsers, gain access to messengers, exfiltration of documents and interception of acoustic information from the microphone of an infected device.

According to resellers, during the period from June to December 2022, Dark Pink managed to implement at least seven successful attacks.

A typical initial vector of Dark Pink attacks is phishing emails on the subject of hiring, which fraudulently forced the victim to download a malicious ISO image file.

But other variants of the chain of attacks have also been identified. In particular, the actor also used an ISO file with a decoy document, a signed executable file and a malicious DLL, which led to the deployment of one of the two user stillers by side loading the DLL.

Cucky and Ctealer are special information theft software written in .NET and C++, respectively, aimed at extracting passwords, browsing history, saved login and cookies from all known web browsers.

At the next stage, a registry implant called TelePowerBot was reset, which runs through a script when the system boots and connects to the Telegram channel, from where it receives PowerShell commands to execute.

As a rule, commands allow you to run simple console tools or complex PowerShell scripts that provide lateral movement through removable USB drives.

Another option included a Microsoft Office document (.DOC) inside an ISO file, when opened from GitHub, a template with a malicious macro was extracted, which implemented downloading TelePowerBot and making changes to the Windows registry.

The third chain of attacks, practiced in December 2022, was identical to the first. However, instead of TelePowerBot, another special malware was loaded, which the researchers call KamiKakaBot, designed to execute commands.

KamiKakaBot is .NET is a version of TelePowerBot that also has information theft capabilities targeting data stored in Chrome and Firefox-based browsers.

In addition to these tools, Dark Pink also used a script to record audio through a microphone in a minute interval. The data is saved as a ZIP archive in a temporary Windows folder, after which it is transmitted via a Telegram bot.

In addition, the attacker used a special ZMsg utility to exfiltrate information from messengers, which steals correspondence from Viber, Telegram and Zalo.

The results of the analysis of the activity of Dark Pink allowed Group-IB to state the success of seven attacks with a high probability, but the researchers believe that there could have been significantly more of them.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 12:54
  • Publication category(s): Information security
  • Number of views of the publication: 165
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Symantec researchers

Symantec researchers report details about the activities of a cybercrime group they track as Bluebottle, revealing

Read more
16 January 2023
Information security
After Microsoft

After Microsoft implemented, starting in July 2022, the blocking of Visual Basic for Applications (VBA) macros by

Read more
16 January 2023
Information security
CircleCI forcibly

CircleCI forcibly changes GitHub OAuth tokens for its customers after a cyber incident.

Read more
16 January 2023
Information security
A group of researchers

A group of researchers from Texas A&M University, Temple University, the New Jersey Institute of Technology,

Read more
16 January 2023
Information security
Microsoft's January

Microsoft's January PatchTuesday was released with fixes for a record 98 documented software vulnerabilities.

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    November 2024    »
MonTueWedThuFriSatSun
 123
45678910
11121314151617
18192021222324
252627282930 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +16 Total articles 6747
  • +12 Comments 4077
  • +30 Users : 5859