Dark Pink APT sets its sights on European and Asia Pacific countries

January 25, 2023

The Dark Pink APT group is a previously unknown threat actor targeting government and military organisations in Europe and the Asia Pacific region. According to published reports, the group carried out several successful attacks between June and December 2022.

The group is believed to have begun operating around 2021 and stepped up its activity during 2022 using a custom toolkit built to steal sensitive data from compromised networks.

Its attacks rely on spear-phishing emails for initial access and on the Telegram Bot API for command-and-control communications.

The Dark Pink APT operators use job boards, posing as job seekers.

Investigations show that Dark Pink operations begin with the attackers browsing job listings online and crafting application messages in which they pose as candidates applying for an internship or a specific advertised position.

The purpose of the lure is to get the recipient to launch TelePowerBot or KamiKakaBot, implants that execute commands sent to them through a Telegram bot. The group then deploys its Cucky and Ctealer stealers to harvest saved data and cookies from the target's web browsers.

The APT has used several infection chains. In one, initial access comes from phishing messages containing a link that leads the recipient to download a malicious ISO image; opening its contents launches the malware.

The group hosted its malicious modules in a single GitHub account; these modules drop TelePowerBot, a PowerShell-based implant. It also used malicious document templates to evade security detections.

In an alternative kill chain, a decoy document inside the ISO image fetches a rogue macro-enabled template from GitHub. Most recently, the group introduced KamiKakaBot, a .NET version of TelePowerBot.
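Telegram-based command and control has a weakness a defender can use: every request goes to api.telegram.org and carries the bot token in the URL path. The Python script below is an added example, not code from the article or from any Dark Pink tooling, showing how to hunt for that pattern in endpoint telemetry: processes other than the Telegram client connecting to the Bot API host, and PowerShell script blocks that embed a bot URL. The pipe-delimited event format, host names, addresses, bot token and the allow-list of legitimate Telegram clients are all constructed assumptions for the example; adapt the parser to your own EDR or Sysmon export.

```python
"""Hunt for Telegram Bot API use by scripting hosts in endpoint telemetry.

Added example; the event format, hosts, addresses and token below are
constructed for illustration and are not published Dark Pink indicators.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

TELEGRAM_API_HOST = "api.telegram.org"

# Assumption: only the desktop client legitimately talks to Telegram here.
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe"}

# Scripting hosts and LOLBins that have no business using a chat API.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "msbuild.exe", "rundll32.exe", "regsvr32.exe"}

# Bot API URLs embed the credential: /bot<bot_id>:<secret>/<method>.
# Real secrets are 35 characters; allow some slack for format drift.
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,50})", re.I)

# Constructed sample telemetry (hypothetical hosts, RFC 5737 test addresses):
# process network connections and PowerShell script-block log entries.
SAMPLE_EVENTS = """\
netconn|host01|C:\\Program Files\\Telegram Desktop\\Telegram.exe|203.0.113.10|443|api.telegram.org
netconn|host01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|203.0.113.10|443|api.telegram.org
netconn|host02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|203.0.113.20|443|github.com
scriptblock|host01|powershell.exe|$u = "https://api.telegram.org/bot123456789:AAExampleTokenValue0000000000000000/getUpdates"; Invoke-RestMethod $u
scriptblock|host03|powershell.exe|Get-ChildItem C:\\Temp
netconn|host03|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe|203.0.113.10|443|api.telegram.org
"""


@dataclass
class Finding:
    host: str
    process: str
    rule: str
    detail: str


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows image path."""
    return PureWindowsPath(path).name.lower()


def redact_bot_url(text: str) -> str:
    """Keep the bot id (useful for pivoting) but drop the secret part."""
    return BOT_URL_RE.sub(r"https://api.telegram.org/bot\1:<redacted>", text)


def analyse(events: str) -> list[Finding]:
    """Return one Finding per suspicious event in the telemetry export."""
    findings: list[Finding] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        # Script blocks may themselves contain '|', so split only 3 times.
        kind, host, image, rest = line.split("|", 3)
        proc = image_name(image)
        if kind == "netconn":
            _dst_ip, _dst_port, dst_host = rest.split("|")
            if dst_host.lower() != TELEGRAM_API_HOST or proc in ALLOWED_TELEGRAM_CLIENTS:
                continue
            rule = ("script host contacting Telegram Bot API" if proc in SCRIPT_HOSTS
                    else "unexpected process contacting Telegram Bot API")
            findings.append(Finding(host, proc, rule, f"{image} -> {dst_host}"))
        elif kind == "scriptblock":
            match = BOT_URL_RE.search(rest)
            if match:
                findings.append(Finding(
                    host, proc, "Telegram bot token in PowerShell script block",
                    f"bot id {match.group(1)}: {redact_bot_url(rest)}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.process} | {f.detail}")
```

The allow-list approach is deliberate: blocking api.telegram.org outright is rarely acceptable where staff use Telegram, but a PowerShell, MSBuild or other script host reaching it is anomalous almost everywhere. Redacting the secret while keeping the bot id lets the finding be shared and correlated without copying a live credential into tickets and dashboards.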

Dark Pink's recent attacks rely on spear-phishing to deliver a new custom toolkit, and their success shows how effective a well-crafted lure remains. Users should treat unsolicited job-related attachments and links with suspicion, particularly when they lead to ISO images or documents that ask for macros to be enabled.

Organisations should strengthen their defences with email security controls that detect and block phishing messages, and should monitor for outbound connections to the Telegram API from processes such as PowerShell that have no legitimate reason to use it.
