
Dark Pink APT Group Uses TelePowerBot and KamiKakaBot

The Dark Pink APT group has been linked to five new attacks against entities based in East Asia and Europe. The attacks were observed between February 2022 and April 2023. The targets include government agencies, educational institutions, non-profit organizations, and military bodies.

Dive into the details

Dark Pink, aka Saaiwc Group, is believed to have originated in Asia Pacific, with attacks mostly targeting entities based in Belgium, Indonesia, Vietnam, and Thailand.
  • The group uses a set of custom malware tools, such as TelePowerBot and KamiKakaBot, that steal sensitive information from targeted hosts through several distinct kill chains.
  • The attack begins with spear-phishing emails for initial intrusion. After gaining access, the actor uses persistence mechanisms to stay hidden and keep control of compromised systems.
  • Furthermore, a new GitHub account associated with the threat actor has been identified hosting ZIP archives, PowerShell scripts, and custom malware for installation onto victim machines.

The recent attack from the Dark Pink APT group brings the total attack count to 13 (along with five new victims) since mid-2021.

There have been some significant modifications to the Dark Pink attack sequence to hinder analysis. Furthermore, improvements have been made to KamiKakaBot, which runs commands from a Telegram channel.

Change in tactics

  • The latest version of KamiKakaBot now splits its functionality into two distinct parts. The first part is used for controlling devices, while the second part is used for gathering important information.
  • The APT group exfiltrates stolen data over HTTP using a service called webhook[.]site. Earlier, it used email or public cloud services, such as Dropbox, for this purpose.
  • To keep TelePowerBot persistent on the compromised host, the malware now relies on an Excel add-in library instead of checking the bot's status at every startup.
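The shift to webhook[.]site for exfiltration is a concrete detection opportunity: a legitimate enterprise host has little reason to POST large bodies to that service. The following script is an added example written for this summary; it is not code from the original page, from Cyware, or from any Dark Pink tooling. It assumes a constructed, space-separated proxy log format (timestamp, client IP, method, URL, status, bytes sent) and a watch list containing the webhook.site domain named above; the sample log lines and the client IPs in them are constructed for illustration.

```python
"""Flag outbound uploads to watched exfiltration services in proxy logs.

Added example. Log format is an assumption made for this demonstration:
    <timestamp> <client_ip> <method> <url> <status> <bytes_sent>
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Domain from the page's tactics section; extend with other services as needed.
WATCHED_DOMAINS = {"webhook.site"}

# Methods that carry a request body; a GET to the service is less interesting.
UPLOAD_METHODS = {"POST", "PUT"}


@dataclass
class ProxyEvent:
    ts: str
    client: str
    method: str
    url: str
    status: int
    bytes_sent: int


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed-format log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, sent = parts
    try:
        return ProxyEvent(ts, client, method.upper(), url, int(status), int(sent))
    except ValueError:
        return None


def host_matches(host: str, domains: Iterable[str]) -> bool:
    """True if host is a watched domain or a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_exfil_uploads(lines: Iterable[str],
                       domains: Iterable[str] = WATCHED_DOMAINS,
                       min_bytes: int = 0) -> List[ProxyEvent]:
    """Return upload events to watched domains carrying at least min_bytes."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        host = urlparse(ev.url).hostname or ""
        if (host_matches(host, domains)
                and ev.method in UPLOAD_METHODS
                and ev.bytes_sent >= min_bytes):
            hits.append(ev)
    return hits


def bytes_by_client(events: Iterable[ProxyEvent]) -> Dict[str, int]:
    """Sum uploaded bytes per client so a chatty host stands out for triage."""
    totals: Dict[str, int] = {}
    for ev in events:
        totals[ev.client] = totals.get(ev.client, 0) + ev.bytes_sent
    return totals


# Constructed sample log; the webhook.site path token is a made-up placeholder.
SAMPLE_LOG = [
    "2023-04-12T09:14:03Z 10.0.5.21 GET https://www.example.com/index.html 200 0",
    "2023-04-12T09:15:47Z 10.0.5.21 POST https://webhook.site/PLACEHOLDER-TOKEN 200 48211",
    "2023-04-12T09:16:02Z 10.0.5.33 POST https://api.dropbox.com/2/files/upload 200 9120",
    "2023-04-12T09:17:10Z 10.0.5.21 POST https://webhook.site/PLACEHOLDER-TOKEN 200 51300",
    "2023-04-12T09:18:00Z 10.0.5.40 GET https://webhook.site/PLACEHOLDER-TOKEN 200 0",
    "malformed line that should be skipped",
]


if __name__ == "__main__":
    hits = find_exfil_uploads(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev.ts} {ev.client} uploaded {ev.bytes_sent} bytes to {ev.url}")
    print("per-client totals:", bytes_by_client(hits))
```

The suffix match in `host_matches` is deliberate: it catches `anything.webhook.site` but not `webhook.site.example.com` or `notwebhook.site`, which keeps the alert precise. Raising `min_bytes` or adding Dropbox API hosts to the watch list turns the same function into a check for the group's earlier exfiltration channel.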

Conclusion

The recent changes in tactics, particularly the focus on anti-analysis capabilities and the choice of targeted sectors, indicate that the Dark Pink APT group intends to keep a low profile with security agencies while going after high-value entities. To counter such focused threat groups, organizations are urged to stay alert and implement a multi-layer defense strategy.
Publisher: Cyware