Cyberprint. DarkPinkApt (En)

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened them in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government minis

Read more: Boosty

I. INTRODUCTION

Advanced persistent threat (APT) attacks spreading throughout the Asia-Pacific (APAC) region, attributed to a group known as Dark Pink, also referred to as the Saaiwc Group, began as early as mid-2021 but escalated significantly in the latter part of 2022. Many of these attacks were directed at APAC countries, but the threat actors also expanded their scope to target a European governmental ministry.

In October 2022, Dark Pink initiated an unsuccessful attack against a European state development agency operating in Vietnam. The group employs a variety of tools and custom-built malicious software designed for data theft and espionage. A significant part of Dark Pink's success can be attributed to the spear-phishing emails used to gain initial access. These emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim's network.

Dark Pink APT attacks are characterized by their sophistication and versatility. The group uses spear-phishing emails as the initial access vector, luring victims into downloading a malicious ISO image. The group employs a suite of customized malware tools to execute their attacks. They also use advanced techniques to evade detection.

The consequences of a successful Dark Pink APT attack can be devastating for the affected organization and potentially for national security, given the high-profile nature of their targets. The group's advanced persistence mechanisms allow them to maintain access to a victim's network for a long period of time, enabling them to continue to exfiltrate data and potentially cause further damage.

Timeline of Dark Pink APT Group's Operations
• Mid-2021: The Dark Pink APT group's activities are first observed.
• 2022: Their operations escalate, particularly in the latter part of the year.
• October 2022: An unsuccessful attack is launched against a European state development agency operating in Vietnam.
• January-April 2023: New modules are uploaded to a GitHub account associated with the group, suggesting ongoing development of their toolset.

II. PRIMARY OBJECTIVES OF DARK PINK APT GROUP

This part discusses the main goals of the Dark Pink APT, which include corporate espionage, document theft, and data exfiltration. It also mentions the group's links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware. The primary objectives of the Dark Pink APT group include:
• Corporate Espionage: One of the main goals of the Dark Pink APT group is to conduct corporate espionage, which involves stealing sensitive information from corporations for competitive advantage or other malicious intent.
• Document Theft: The group is actively engaged in the theft of documents, which likely contain confidential and proprietary information, from their targets.
• Audio Surveillance: Dark Pink has the capability to capture audio through the microphones of compromised devices, which can be used for eavesdropping on private conversations and meetings.
• Data Exfiltration from Messaging Platforms: The group also focuses on exfiltrating data from various messaging platforms, indicating an interest in personal communications and potentially sensitive information shared through these channels.
• Geographical Focus: While the majority of Dark Pink's attacks have been directed at countries in the Asia-Pacific region, they have also targeted a European governmental ministry, showing an expansion in their geographical scope.
• Victim Profile: Confirmed victims include military organizations in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, as well as a religious organization, demonstrating the group's interest in high-value and diverse targets.
• Spear-Phishing for Initial Access: A significant factor in the success of Dark Pink's operations is the use of spear-phishing emails that contain a shortened URL. This URL leads victims to a file-sharing site where they are tricked into downloading an ISO image containing malicious files necessary for network infection.
• Evolution of Exfiltration Techniques: Dark Pink has evolved its data exfiltration techniques, moving from using email and public cloud services like Dropbox to employing the HTTP protocol and a Webhook service in more recent attacks.

III. TOOLS USED BY DARK PINK APT GROUP

This section introduces the tools widely used by the Dark Pink APT Group to attack, gain access to and exfiltrate data from devices across the world.
A. Tools Used by Dark Pink APT Group

The Dark Pink APT group utilizes a suite of customized malware tools in their attacks, primarily relying on spear-phishing emails to gain access to their targets' networks. Notably, they use TelePowerBot and KamiKakaBot, which are designed to exfiltrate sensitive data from compromised hosts. They have been linked to a new version of the KamiKakaBot malware, which is delivered via phishing emails containing a malicious ISO file. This file contains a WinWord.exe file, which is used to stage a dynamic link library (DLL) sideloading attack. The group has also been found to use the legitimate MsBuild.exe to run the KamiKakaBot malware on victims' devices. The malware's obfuscation technique has improved to better evade anti-malware measures, and it uses an open-source .NET obfuscation engine to hide itself. The group also uses a special messenger exfiltration utility named ZMsg, which is downloaded from GitHub and used to steal communications from Viber, Telegram, and Zalo.

In addition to these, Dark Pink has been found to use DLL side-loading and event-triggered execution methods to run its payloads. They also employ a variety of techniques and services for data exfiltration, including email, public cloud services like Dropbox, Telegram, and a service called Webhook.

B. Modifications Made to the Tools Used by Dark Pink APT Group

The group has links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware designed for future deployment on targeted devices. They have also been observed exploiting the WinRAR 0-day vulnerability (CVE-2023-38831) in their attacks to execute malicious, unauthorized code. They exploit this vulnerability by embedding malicious executables within ZIP archives next to commonly used file types, such as PDFs and JPGs. This tactic allows attackers to install malware on a user's device without arousing suspicion, as the victim believes they are interacting with a harmless file. The exploitation file constructed by Dark Pink includes a PDF bait file and a folder with the same name. Inside the folder, there are two files: one is an exe program with the same name as the PDF bait file, and the other is a library file named 'twinapi.dll'. The group also uses techniques such as USB infection and DLL exploitation.

C. New Tactics Employed by Dark Pink APT Group

New tactics employed by the Dark Pink APT group include the use of different Living Off the Land Binaries (LOLBins) techniques and leveraging the functionality of an MS Excel add-in to ensure persistence. They have also been found to exfiltrate stolen data over HTTP using services like webhook.site, which allows them to set up temporary endpoints to capture and view incoming HTTP requests. Payloads are also being distributed through the TextBin.net service. These new tactics indicate the group's ongoing efforts to enhance their capabilities, evade detection, and maintain control over compromised networks.

IV. DATA EXTRACTION TECHNIQUES

The data extraction techniques include:
• Variety of Exfiltration Techniques: Dark Pink has employed a range of techniques and services to exfiltrate data from their targets. This demonstrates the group's adaptability and sophistication in ensuring successful data theft.
• Public Services: Publicly available cloud services such as Dropbox have been used by Dark Pink for data exfiltration.
• Use of Email and Cloud Services: In previous attacks, the group sent stolen information via email or utilized public cloud services like Dropbox for data exfiltration. This indicates that they leveraged commonly used communication and storage platforms to move data out of compromised networks.
• Shift to HTTP Protocol and Webhook Service: More recently, Dark Pink has shifted to using the HTTP protocol and a Webhook service to exfiltrate stolen data. This change in tactics could be an attempt to evade detection by security systems that are more focused on traditional exfiltration methods.
• Evolution of Tactics: The evolution from using email and cloud services to HTTP and Webhook services suggests that Dark Pink is continuously refining its exfiltration methods to stay ahead of cybersecurity defenses.

As mentioned above, the Dark Pink APT group uses Telegram and a service called Webhook for data exfiltration.

Telegram: Dark Pink uses Telegram for both command-and-control and data exfiltration. The group has been observed to use a Telegram bot for executing commands and managing data theft. The stolen data is often sent to a Telegram chat in a zip archive. This method provides a secure and encrypted channel for data exfiltration, making it harder for security systems to detect and block the data transfer.

Webhook: Dark Pink has also been observed to use a service called Webhook.site for data exfiltration. Webhook.site is a service that allows users to create temporary endpoints to capture and view incoming HTTP requests. Dark Pink uses this service to exfiltrate stolen data over HTTP. This method allows the group to send data to a specific URL, which can then be accessed and retrieved by the threat actors. This technique can be used to evade detection by security systems that are more focused on traditional exfiltration methods.

The group uses a private GitHub repository to host additional modules downloaded by its malware. They have also developed new data exfiltration tools to dodge detection. One of the group's techniques involves the use of the KamiKakaBot malware, which is primarily designed to steal data stored in web browsers such as Chrome, Edge, and Firefox, including saved credentials, browsing history, and cookies. Dark Pink has also been found to exfiltrate stolen data over HTTP using the Webhook.site service.

Furthermore, they employ a specialized toolkit that includes a custom information stealer coded in .NET, known as Cucky. This tool is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group. The stolen data is stored locally in the %TEMP%\backuplog directory, without transmitting it over the network.

V. DARK PINK ORIGINS AND AFFILIATES

Many of Dark Pink's attacks were directed at countries in the Asia-Pacific region, although the group expanded its scope to target a European governmental ministry. This indicates a broadening of their operational scope.
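Section III.B above describes the layout of Dark Pink's CVE-2023-38831 lure archives: a bait document, a folder carrying the same name, and inside it an executable with the bait's name next to twinapi.dll. The following Python is an added example, not code from the report or from the group's tooling, that checks a ZIP for exactly that layout; the archive member names and their placeholder contents are constructed for the test.

```python
import io
import posixpath
import zipfile
from typing import Dict, List, Tuple

# Bait extensions named in the report (PDF, JPG) plus a few other document types.
BAIT_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".docx", ".txt"}
# Extensions Windows runs directly when the entry is "opened" from the archive.
EXEC_EXTENSIONS = {".exe", ".cmd", ".bat", ".com", ".scr", ".vbs", ".js"}


def _stem_and_ext(name: str) -> Tuple[str, str]:
    """Split 'report.pdf.exe' into ('report.pdf', '.exe'), ignoring trailing spaces."""
    stem, ext = posixpath.splitext(name)
    return stem.rstrip(), ext.rstrip().lower()


def find_lure_layout(archive_bytes: bytes) -> List[Dict]:
    """Return one finding per top-level bait file that is shadowed by a
    same-named directory holding an executable carrying the bait's name."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
    findings = []
    for bait in (n for n in entries if "/" not in n):
        if _stem_and_ext(bait)[1] not in BAIT_EXTENSIONS:
            continue
        # Trailing whitespace is stripped so near-identical names still collide.
        folder = bait.rstrip()
        inside = [n for n in entries
                  if "/" in n and n.split("/", 1)[0].rstrip() == folder]
        launchers, companions = [], []
        for path in inside:
            stem, ext = _stem_and_ext(posixpath.basename(path))
            (launchers if ext in EXEC_EXTENSIONS and stem == folder
             else companions).append(path)
        if launchers:
            findings.append({"bait": bait, "launchers": launchers,
                             "companions": companions})
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed test archives; every member holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quarterly report.pdf", b"%PDF-1.4 placeholder bait document")
        if malicious:
            # Layout from the report: same-named folder, same-named exe, twinapi.dll.
            zf.writestr("Quarterly report.pdf/Quarterly report.pdf.exe",
                        b"placeholder bytes, not a PE file")
            zf.writestr("Quarterly report.pdf/twinapi.dll",
                        b"placeholder bytes, not a DLL")
        else:
            zf.writestr("attachments/logo.jpg", b"placeholder image bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_lure_layout(build_sample(True)):
        print(f"{hit['bait']!r} is shadowed by {hit['launchers']} "
              f"with companions {hit['companions']}")
```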
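Section IV above describes exfiltration through a Telegram bot and Webhook.site over HTTP, with Dropbox used in earlier attacks. As an added example (not from the report), the following Python flags such uploads in a proxy log and totals the bytes per internal client; the log format, client addresses and bot token are constructed, and the Dropbox path is the public Dropbox API upload endpoint.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Proxy log format assumed for this example (constructed, not a real product's):
#   <timestamp> <client_ip> <method> <url> <bytes_sent>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
URL_RE = re.compile(r"^https?://([^/?#]+)(/[^?#]*)?")
# Telegram Bot API path is /bot<id>:<secret>/<method>; only the shape is matched.
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage)$")


@dataclass
class Finding:
    timestamp: str
    client: str
    channel: str
    bytes_sent: int


def classify(host: str, path: str, method: str) -> Optional[str]:
    """Map a request to one of the exfiltration channels named in the report."""
    if host == "webhook.site" and method in ("POST", "PUT"):
        return "webhook.site endpoint"
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        return "telegram bot api"
    if host == "content.dropboxapi.com" and path.startswith("/2/files/upload"):
        return "dropbox upload"
    return None


def scan_proxy_log(lines) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or empty line
        ts, client, method, url, sent = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        host, path = u.group(1).lower(), u.group(2) or "/"
        channel = classify(host, path, method)
        if channel:
            findings.append(Finding(ts, client, channel, int(sent)))
    return findings


def bytes_per_client(findings: List[Finding]) -> Dict[str, int]:
    """Total suspected exfiltrated bytes per internal client."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.client] = totals.get(f.client, 0) + f.bytes_sent
    return totals


# Constructed sample log: internal addresses and the bot token are made up.
SAMPLE_LOG = """\
2023-05-02T09:14:03Z 10.20.30.41 GET https://www.example.org/index.html 412
2023-05-02T09:14:09Z 10.20.30.41 POST https://webhook.site/00000000-0000-4000-8000-000000000000 184320
2023-05-02T09:15:21Z 10.20.30.41 POST https://api.telegram.org/bot123456789:AAAAconstructed_token/sendDocument 2097152
2023-05-02T09:16:02Z 10.20.30.52 POST https://content.dropboxapi.com/2/files/upload 524288
2023-05-02T09:16:40Z 10.20.30.52 GET https://api.telegram.org/bot123456789:AAAAconstructed_token/getMe 96
"""

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.client} -> {h.channel} ({h.bytes_sent} bytes)")
    print(bytes_per_client(hits))
```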
A. Industries Targeted by Dark Pink APT Group

The Dark Pink APT group has targeted a wide range of industries, including government, military, non-profit organizations, educational institutions, and development agencies across the Asia-Pacific region and Europe. Specific industries mentioned in the context of their attacks include retail, healthcare, gaming, technology, software, pharmaceuticals, aerospace, defense, automotive, and media.

B. New Industries Targeted by Dark Pink APT Group

The Dark Pink APT group has expanded its target industries and geographical reach. While the group was previously thought to focus mainly on Southeast Asian countries, new victims have been identified in Belgium, Thailand, and Brunei. The group has been linked to five new attacks aimed at various entities in these countries, including educational institutions, government agencies, military bodies, and non-profit organizations. This indicates the group's continued focus on high-value targets and its expansion into new industries and regions.

In addition to these, the group has also targeted entities in the retail, healthcare, gaming, technology, software, pharmaceuticals, aerospace, defense, automotive, and media industries. The group's targets include diplomatic, military, and various industry organizations in countries such as Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, Bosnia and Herzegovina, and others.

VI. INITIAL ACCESS AND TROJAN EXECUTION AND PERSISTENCE

This section explains how Dark Pink gains initial access to their targets, primarily through spear-phishing emails containing a shortened URL that leads to a free-to-use file sharing site.

The initial methods include:
• Spear-Phishing Emails: A significant part of Dark Pink's success can be attributed to the spear-phishing emails used to gain initial access. These emails contain a shortened URL linking to a free-to-use file sharing site.
• ISO Image: The victims are presented with the option to download an ISO image from the file sharing site. This image contains all the files needed for the threat actors to infect the victim's network.
• Trojan Execution and Persistence: Once the ISO image is downloaded and opened, it triggers the execution of a Trojan on the victim's device. This Trojan is designed to maintain persistence on the infected system, allowing the threat actors to maintain access over an extended period.

Spear-phishing is a type of phishing attack that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause data loss or financial loss. Spear-phishing attacks are highly personalized and often involve prior research about the target. The attackers disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging. The goal of spear-phishing is to steal sensitive information such as login credentials or to infect the victim's device with malware. Cybercriminals send highly convincing emails to specific individuals within an organization; these emails often contain malicious attachments or links that, when clicked, can deliver Trojans to the victim's system. For instance, the Ursnif Trojan uses a company's stored emails to send what appear to be legitimate emails. These emails contain a Word document attachment with a malicious macro that downloads the malware. Once the payload is executed, the victim's computer becomes a delivery vehicle to spread within an organization.

ISO images are files that contain a complete copy of a CD, DVD, or other types of media. They are often used to distribute software or data. Cybercriminals have started using ISO files for their initial compromise because they can help evade security checks designed to look for zipped files. Malicious ISO files have been used to deliver various types of malware, including the IcedID, LokiBot, and NanoCore trojans. The ISO file is typically delivered as a ZIP archive via a malspam campaign, and when the user clicks on the ISO file, it is mounted as a new virtual drive. The ISO file contains a malicious LNK file and a hidden directory containing a payload. When the victim clicks on the LNK file, it triggers the execution of the payload. This technique has grown in use as threat actors look to evade Mark-of-the-Web controls. ISO files are often overlooked by antivirus software, making it more likely that attackers can deliver their payload undetected.

Trojan execution refers to the process of a Trojan horse program being run on a computer system. Trojans are malicious programs that disguise themselves as legitimate software. They can be used to gain unauthorized access to a computer system and perform various malicious activities. For example, the IcedID malware contained within an ISO image is executed when the user clicks on a LNK file within the virtual drive created by the ISO file. Trojans use various persistence techniques to ensure they continue to run on a system, even after it has been rebooted or after the security software has been run. Some common methods include modifying the registry, creating scheduled tasks, installing itself as a service, or using rootkits to hide its presence. Other techniques include abusing legitimate operating system processes, such as adding an entry to the run keys in the Windows Registry or the Startup folder, which ensures that any referenced programs will be executed when a user logs in. Some less common but more sophisticated methods include abusing Image File Execution Options for debugging and hijacking the Target attribute of shortcut icons.

Persistence refers to the techniques used by attackers to maintain access to a compromised system even after the system has been rebooted or the initial infection vector has been removed. Attackers use various methods to achieve persistence, including adding entries to the run keys in the Windows Registry or the Startup folder, so that their malicious programs are executed every time the system is started or a user logs in. Persistence allows attackers to maintain access to a network as they search for the data they want, and it can also be used to spread other malware. Some Trojans, like the Ursnif Trojan, use fileless persistence techniques, which involve storing an encoded command inside a registry key and launching it using the Windows Management Instrumentation Command-line (WMIC).

A. Examples of Trojans Delivered Through Spear-Phishing Attacks

Trojans can be delivered through spear-phishing attacks, which are highly targeted and often involve sophisticated social engineering techniques:
• OutSteel and SaintBot: These Trojans were used in attacks targeting an energy organization in Ukraine as part of a larger campaign.
• Ursnif: This banking Trojan uses a company's stored emails to send what appear to be legitimate emails with a Word document attachment containing a malicious macro that downloads the malware.
• TrickBot: An advanced Trojan that has been spread primarily by spear-phishing campaigns using tailored emails with malicious attachments or links.
• IcedID: Delivered within an ISO image as part of a malspam campaign, this Trojan has been used to evade Mark-of-the-Web controls.

B. Common Signs of Trojan Infection Using ISO Images

When a computer has been infected with a Trojan that uses ISO images to deliver malware, there may be several signs indicating the infection:
• Unexpected Advertisements: Advertisements may appear in places they shouldn't be, which can be a symptom of adware, a type of Trojan.
• Changed Homepage: The web browser's homepage might change without permission, indicating that a browser hijacker, another type of Trojan, may be present.
• Suspicious Processes: Processes related to the Trojan, such as "Your File Is Ready To Download.iso," may run in the background without the user's knowledge.
• Redirected Links: Website links may redirect to sites different from what was expected, which can be a sign of a Trojan manipulating web traffic.
• Corrupted Files: Opening a file and finding it corrupted could be a red flag that ransomware or another form of malware has infected the system.
• Strange Popups: Some forms of malware can disguise themselves as legitimate programs, and unexpected popups may be a sign of such deceptive tactics.
• New or Modified Files: Some types of malware may make copies of files or introduce new files into the system, often with generic-sounding names to avoid detection.

VII. INDICATORS OF COMPROMISE (IOCS)

The Indicators of Compromise (IOCs) related to the Dark Pink APT group, as listed in the CyberInt research, cover IP addresses, domains, and file hashes.
