
‘Dark Pink’ APT Targets Government and Military Organizations

Several government and military organizations in Asia and Europe are under attack by an advanced persistent threat (APT) actor.

The threat actor known as Dark Pink has been active since at least mid-2021 and has launched seven successful attacks against high-profile targets since June 2022.

Dark Pink successfully breached military and government agencies, religious organizations, and non-profit organizations between June and December 2022. Six countries were targeted: Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, the Philippines, and Vietnam.

A cyberattack was also launched against a Vietnamese state development agency by the hacking group at the same time.

Dark Pink’s Tactics and Techniques

Several tactics, techniques, and procedures (TTPs) used by the threat actor have not been seen before in previously known APT groups, including the execution of malware triggered by file type associations and sideloading DLLs.

The Dark Pink malware infects USB drives connected to the victim’s computer via PowerShell scripts, employs custom information stealers (Cucky and Ctealer), and communicates with infected devices through the Telegram API.

This malware performs corporate espionage, steals documents, captures sound from infected devices’ microphones, and exfiltrates data from messaging applications. In spear-phishing, the hacking group uses job application-themed links to entice victims to download malicious ISO images. The APT scans online job vacancy portals for information it can use to tailor emails to its victims.

The attacker distributes an ISO image file that contains malicious DLL files. The image also includes a legitimate-looking executable file that is signed by the attacker, as well as a decoy document that appears to be a resume. The executable file is designed to trick the victim into thinking it is a Word document containing a resume, but it actually loads the malicious DLL files.

Dark Pink employed three distinct execution chains, each sideloading a malicious DLL to execute TelePowerBot, KamiKakaBot, or the Ctealer or Cucky information stealers. After compromising the network, Dark Pink harvests data and moves laterally within it.

Furthermore, the attackers register a WMI event handler to download a malware dropper when the victim connects a USB drive. Files are downloaded from the threat actors’ GitHub account, and USB drives are loaded with LNK files. ZIP archives are then used to export data to Dropbox or the attacker’s Telegram bot.
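A defender-side check for the USB-triggered WMI persistence described above, added here as an example and not part of the original article: it joins Sysmon WmiEvent records (ID 19 = filter, 20 = consumer, 21 = binding) and flags bindings whose filter fires on removable-drive insertion and whose consumer hands off to a script or shell interpreter. The event records are constructed samples, and the field names are an assumption modelled on Sysmon's WmiEvent fields.

```python
import re

# Constructed Sysmon WmiEvent records: ID 19 = filter, 20 = consumer, 21 = binding.
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "DiskWatch",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "
              "'Win32_LogicalDisk' AND TargetInstance.DriveType = 2"},
    {"EventID": 20, "Name": "DiskWatchRun", "Type": "Command Line",
     "Destination": "powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\run.ps1"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="DiskWatchRun"',
     "Filter": '__EventFilter.Name="DiskWatch"'},
    # Benign built-in subscription present on every Windows host.
    {"EventID": 19, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "NT Event Log",
     "Destination": "EventLog"},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# WQL fragments that mean "a removable volume or drive (DriveType 2) appeared".
REMOVABLE_RE = re.compile(
    r"Win32_VolumeChangeEvent|Win32_LogicalDisk.*DriveType\s*=\s*2", re.I | re.S)
# Consumers that pass the trigger to a script or shell interpreter.
EXEC_RE = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
NAME_RE = re.compile(r'Name="([^"]+)"')

def removable_drive_filter(query):
    """True if the filter's WQL fires on removable-drive insertion."""
    return bool(REMOVABLE_RE.search(query))

def executing_consumer(consumer):
    """True if the consumer runs a command or script through an interpreter."""
    return (consumer.get("Type") in ("Command Line", "Active Script")
            and bool(EXEC_RE.search(consumer.get("Destination", ""))))

def find_usb_triggered_bindings(events):
    """Join filter, consumer and binding events; return the suspicious pairs."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for b in (e for e in events if e["EventID"] == 21):
        f_name = NAME_RE.search(b["Filter"]).group(1)
        c_name = NAME_RE.search(b["Consumer"]).group(1)
        flt, con = filters.get(f_name), consumers.get(c_name)
        if flt and con and removable_drive_filter(flt["Query"]) and executing_consumer(con):
            findings.append({"filter": f_name, "consumer": c_name,
                             "command": con["Destination"]})
    return findings
```

Running `find_usb_triggered_bindings(SAMPLE_EVENTS)` returns only the DiskWatch/DiskWatchRun pair; the built-in SCM event log subscription is left alone.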

Additionally, the APT bypasses User Account Control (UAC), modifies Windows Defender settings, and records microphone audio on infected devices using the PowerSploit module Get-MicrophoneAudio.


