2023-01-18

Dark Pink Deploys Custom Malware Against Government & Military Entities


Category: Threat Actor Activity | Industries: Government, Military, Non-profit, Religion | Level: Strategic | Source: Group-IB

Security researchers from Group-IB published research on a new threat group, Dark Pink (aka Saaiwc Group), which targets government, military, religious and non-profit organizations in the APAC region and Europe. Countries targeted include Bosnia, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam. Group-IB attributes seven successful attacks to Dark Pink from June to December 2022, as well as one failed attack against a European state agency. Group-IB states: "Dark Pink’s first activity, which we tie to a Github account leveraged by the threat actors, was recorded in mid-2021, and the first attack attributable to this APT group took place in June 2022. Their activity peaked in the final three months of 2022 when they launched four confirmed attacks." Dark Pink used "the same Github account for uploading malicious files for the entire duration of the APT campaign to date, which could suggest that they have been able to operate without detection for a significant period of time."

Attacks launched by Dark Pink use job-themed spear-phishing emails. "There was evidence to suggest that the threat actors behind Dark Pink scanned online job vacancy portals and crafted unique emails to victims that were advertising vacancies." The majority of the malware deployed by the operators was custom and self-made; only one public tool, PowerSploit/Get-MicrophoneAudio, was discovered. Cyberespionage is assessed as the APT group's primary motive: the operators collect sensitive documents and capture audio using the host's microphone. For data exfiltration, the threat actors route the data to Dropbox, Telegram, or email. Two Outlook email addresses, blackpink.301@outlook[.]com and blackred.113@outlook[.]com, were used by Dark Pink operators for data exfiltration.
