Dark Pink APT Group Expands Tooling and Targets

Written by

The scope of a cyber-attack campaign from noted APT group Dark Pink is broader than first thought, with researchers identifying five new victims including one in Belgium.

The group, which has been linked to the Chinese state, was previously thought to focus its efforts mainly on southeast Asian countries. However, new victims identified by Group-IB today include one in Belgium, as well as its first targets in Thailand and Brunei.

“The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails. Once the attackers gain access to a target’s network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system,” wrote Group-IB malware analyst Andrey Polovinkin.

“As we continued to track the group’s activity, we identified new tools, exfiltration mechanisms and victims in new industries, in countries that Dark Pink has never targeted before.”

With at least two attacks coming in 2023, it is clear the group has no intention to slow its activities. Among the updates to its tactics, techniques and procedures (TTPs) is a new version of the KamiKakaBot malware, with functionality now split into two parts: one dedicated to controlling devices and the other to stealing data.

Group-IB also found a new GitHub account which hosts modules that can be installed onto victim machines when directed to do so by malicious code. Payloads are also being distributed through the TextBin.net service, according to the report.

Polovinkin revealed that Dark Pink has exfiltrated stolen data over HTTP using a service called Webhook.

“Webhook.site is a powerful and versatile service that allows users to easily inspect, test, and debug HTTP requests and webhooks,” he explained. “With webhook.site, it is possible to set up temporary endpoints in order to capture and view incoming HTTP requests.”

Dark Pink is also continually looking for new ways to evade detection on infected machines and likely uses different LOLBin techniques to do so, the report claimed.

What’s hot on Infosecurity Magazine?