The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot.
Dark Pink, also known as Saaiwc, was first profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information.
The threat actor is suspected to be of Asia-Pacific origin and has been active since at least mid-2021, with an increased tempo observed in 2022.
“The latest attacks, which took place in February 2023, were almost identical to previous attacks,” Dutch cybersecurity company EclecticIQ disclosed in a new report published last week.
“The main difference in the February campaign is that the malware’s obfuscation routine has improved to better evade anti-malware measures.”
The attacks play out in the form of social engineering lures that contain ISO image file attachments in email messages to deliver the malware.
The ISO image includes an executable (Winword.exe), a loader (MSVCR100.dll), and a decoy Microsoft Word document, the latter of which comes embedded with the KamiKakaBot payload.
The loader, for its part, is designed to load the KamiKakaBot malware by leveraging the DLL side-loading technique to evade security protections and load it into the memory of the Winword.exe binary.
KamiKakaBot is primarily engineered to steal data stored in web browsers and execute remote code using Command Prompt (cmd.exe), while also embracing evasion techniques to blend in with victim environments and hinder detection.
Persistence on the compromised host is achieved by abusing the Winlogon Helper library to make malicious Windows Registry key modifications. The collected data is subsequently exfiltrated to a Telegram bot as a ZIP archive.
“The use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains the number one choice for various threat actors, ranging from regular cyber criminals to advanced persistent threat actors,” the Amsterdam-based company said.
“The Dark Pink APT group is very likely a cyber espionage-motivated threat actor that specifically exploits relations between ASEAN and European nations to create phishing lures during the February 2023 campaign.”
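The Winlogon Helper persistence described above works by appending or replacing program entries in the Winlogon registry values. The following audit script is an added example for defenders, not code from the report or from EclecticIQ; it assumes the standard Winlogon key path and stock Shell/Userinit values of Windows Vista and later, and its sample inputs are constructed.

```python
"""Audit the Winlogon registry values abused by "Winlogon Helper" persistence.
Key path and defaults are the standard ones for Windows Vista and later (assumed,
not taken from the report); CLEAN and TAMPERED are constructed samples."""

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values. Windows writes Userinit with a trailing comma, so entries are
# compared individually and case-insensitively rather than as whole strings.
BASELINE = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def _entries(value: str) -> list[str]:
    """Split a Winlogon value into its comma-separated program entries."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def audit_winlogon(values: dict[str, str]) -> list[str]:
    """Return one finding per missing value or per entry not in the baseline."""
    findings: list[str] = []
    for name, expected in BASELINE.items():
        if name not in values:
            findings.append(f"{name}: value missing")
            continue
        for entry in _entries(values[name]):
            if entry not in expected:
                findings.append(f"{name}: unexpected entry {entry}")
    return findings


def read_live_values() -> dict[str, str]:
    """Read Shell and Userinit from HKLM on a Windows host (winreg is Windows-only)."""
    import winreg  # imported here so audit_winlogon stays usable on other platforms
    out: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in BASELINE:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


# Constructed samples: a clean host and one where Shell has an appended binary.
CLEAN = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
TAMPERED = {"Shell": r"explorer.exe,C:\Users\Public\update.exe",
            "Userinit": r"C:\Windows\system32\userinit.exe,"}
```

On a Windows host, `audit_winlogon(read_live_values())` runs the same check against the live registry; any finding is worth correlating with recent Sysmon registry events.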
Some parts of this article are sourced from:
thehackernews.com