robsonphoto -

New APT group targets ASEAN governments and militaries

The Dark Pink advanced persistent threat group used custom malware to exfiltrate data from high-profile targets through spear-phishing emails last year, according to Group-IB

This article can also be found in the Premium Editorial Download: CW Asia-Pacific: CW APAC: Buyer’s guide to SASE

A new advanced persistent threat (APT) group has launched sophisticated cyber attacks against government and military targets in Southeast Asia, underscoring the growth of cyber threats against high-profile organisations in the region.

Dubbed Dark Pink, the new threat actor, uncovered by cyber security company Group-IB, is notable due to their focus on attacking branches of the military and government agencies.

As of December 2022, the group had breached the cyber defences of six organisations in ASEAN, including those in Cambodia, Indonesia, Malaysia, Philippines, and Vietnam. The first successful attack took place in June 2022, when the threat actors accessed the network of a religious group in Vietnam.

After the initial breach, no other attack attributable to Dark Pink was registered until August 2022, when Group-IB analysts found that the threat actors had gained access to the network of a Vietnamese non-profit organisation.

Subsequently, Dark Pink ramped up their activities in the last four months of the year, attacking a branch of the Philippines military in September, a Malaysian military branch in October, followed by breaches of government organisations in Cambodia and Indonesia in November and December, respectively.

Group-IB’s threat intelligence experts also discovered an unsuccessful attack on a European state development agency based in Vietnam in October 2022.

Modus operandi

In their research on Dark Pink, Group-IB analysts detailed the entire victim journey from initial infection to data exfiltration. The attacks were reportedly carried out using a set of custom tools and sophisticated tactics, techniques and procedures (TTPs) that made a major contribution to their successful attacks over the past seven months.

Attacks were typically launched with targeted spear-phishing emails, including one where they posed as a job seeker applying for an internship position. In the email, the threat actor mentioned that they found the vacancy on a jobseeker website, suggesting that the threat actors had been scanning job boards to craft a unique phishing email relevant to the targeted organisation.

Upon clicking on a link that contained the documents of the job seeker, the victim was presented with an option to download a malicious ISO image that contained three types of files: a signed executable file, a non-malicious decoy document (some ISO files seen by Group-IB had more than one), and a malicious DLL (dynamic link library) file.

However, these file types differed in their content and functionality, and Group-IB analysts uncovered three separate kill chains, underscoring the sophistication of this particular APT group.

The first kill chain analysed by Group-IB saw threat actors packing the three types of files into an ISO image, and after mounting the image, the DLL file would be run using a technique known as DLL side loading.

Increase in threats using ISO images

Michael Tal, technical director of Votiro, said there has been an increase in threat actor groups leveraging ISO files. Often called ISO images, these are archives that contain an identical copy or data found on an optical disc. Inside ISO files, threat actor groups will weaponise it with a malicious doc. file that usually has a malicious macro.

Once opened, it will execute on the victim's machine and run the code in the background to start the infection. Those files can be sent as an attachment via email but can also be delivered in multiple ways such as cloud storages, Azure blobs or AWS S3, collaboration tools such as OneDrive, Box, Google Drive and even messaging programmes such as Slack or Teams.Any point where you can deliver files is a weak spot threat actors will try to infiltrate.

In another kill chain, threat actors leveraged GitHub to automatically download a template document containing macro codes that ran custom malware.

The most recent kill chain was observed in December 2022, when the threat actors launched their malware with the assistance of an XML file containing an MSBuild project, which executed .NET code to launch custom malware.

Dark Pink’s custom malware could be used to exfiltrate data from victims through Telegram, Dropbox and email.

Andrey Polovinkin, malware analyst at Group-IB, said Dark Pink’s APT campaign was highly complex, and that the use of a custom toolkit, advanced evasion techniques and their ability to rework their malware to maximise effectiveness underscored the significant threat they could pose.

“Group-IB will continue to monitor and analyse both past and future Dark Pink attacks with the aim of uncovering those behind this campaign,” he added.

Read more about cyber security in ASEAN

Read more on Hackers and cybercrime prevention

Data Center
Data Management