Dark Pink: An advanced persistent threat campaign
GLOBAL cybersecurity company Group-IB has recently published its findings on “Dark Pink,” an ongoing advanced persistent threat (APT) campaign launched against high-profile targets in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina, which it believes, with moderate confidence, was launched by a new threat actor.
To date, Group-IB’s Threat Intelligence has been able to attribute seven successful attacks to this particular group from June to December 2022, with targets including military bodies, government ministries and agencies, and religious and nonprofit organizations, although the list of victims could be significantly longer.
Group-IB also noted one unsuccessful attack on a European state development body based in Vietnam.
Group-IB’s analysis found that the initial access vector for the Dark Pink campaign (the name was given by Group-IB) was targeted spear-phishing emails. The core goal of the threat actors, who leverage an almost entirely custom toolkit, is corporate espionage: they attempt to exfiltrate files, microphone audio, and messenger data from infected devices and networks.
Group-IB, in line with its zero-tolerance policy toward cybercrime, has issued proactive notifications to all potential and confirmed targets of Dark Pink. Its researchers are continuing to uncover and analyze all the details behind this particular APT campaign.
Dark Pink goes to the core
To date, Group-IB has been unable to attribute this campaign, which leverages custom tools and some rarely-seen tactics and techniques, to any known threat actor. As a result, Group-IB believes that Dark Pink’s campaign in the second half of 2022 is the activity of an entirely new threat actor group, which has also been termed Saaiwc Group by Chinese cybersecurity researchers.
This new APT group is notable for its specific focus on attacking branches of the military, as well as government ministries and agencies. Group-IB discovered that, as of December 2022, Dark Pink APT had breached the security defenses of six organizations in five APAC countries (Cambodia, Indonesia, Malaysia, the Philippines and Vietnam), and one organization in Europe (Bosnia and Herzegovina). The first successful attack took place this past June, when the threat actors gained access to the network of a religious organization in Vietnam.
Following this particular breach, no other attack attributable to Dark Pink was registered until August 2022, when Group-IB analysts discovered that the threat actors had gained access to the network of a Vietnamese non-profit organization.
“Group-IB’s analysis of Dark Pink is of major significance, as it details a highly complex APT campaign launched by seasoned threat actors. The use of an almost entirely custom toolkit, advanced evasion techniques, the threat actors’ ability to rework their malware to ensure maximum effectiveness, and the profile of the targeted organizations demonstrate the threat that this particular group poses. Group-IB will continue to monitor and analyze both past and future Dark Pink attacks with the aim of uncovering those behind this campaign,” said Andrey Polovinkin, malware analyst at Group-IB.
Dark Pink APT’s recent campaign is yet another example of how individuals’ interactions with spear-phishing emails can result in the penetration of the security defenses of even the most protected organizations. Group-IB recommends solutions, such as its proprietary Business Email Protection, that could counter this threat effectively and stop malicious emails from ending up in employees’ inboxes.
That said, Group-IB urges organizations to foster a culture of cybersecurity and educate their employees on how to identify phishing emails. The analysis of Dark Pink was led by Group-IB’s Threat Intelligence platform, which could help organizations shore up their security posture by equipping them with the latest insights into emerging threats.