Dark Pink TTPs

Dark Pink Toolset

Dark Pink employs a variety of tools and custom-built malicious software designed for data theft and espionage. Their specialized toolkit comprises:

  • Cucky: A straightforward custom information stealer coded in .NET. It extracts passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group. Cucky stores the stolen data locally in the %TEMP%\backuplog directory and does not transmit it over the network.
  • Ctealer: Similar in function to Cucky but coded in C/C++.
  • TelePowerBot: A registry implant that activates during system boot through a script and establishes a connection with a Telegram channel. It awaits PowerShell commands from this channel, which it then executes.
  • KamiKakaBot: This is a .NET version of TelePowerBot with additional data-stealing capabilities to enhance its espionage functions.

Dark Pink Techniques & Procedures

The complexity of the Dark Pink campaign becomes evident when considering its diverse kill chains. The actors orchestrating these attacks displayed remarkable adaptability, creating tools in various programming languages. This versatility enabled them to pursue the compromise of defense infrastructure and establish a lasting presence on the networks of their targets.

Initial access:

A large part of Dark Pink's success was due to the spear-phishing emails used to gain initial access. The emails contain a shortened URL linking to a free-to-use file-sharing site, where the victim is offered an ISO image containing all the files the threat actors need to infect the victim's network.

Trojan execution and persistence:

Dark Pink utilizes a suite of customized malware tools, particularly TelePowerBot and KamiKakaBot, with the primary purpose of extracting confidential information from compromised systems. KamiKakaBot can execute commands via a Telegram bot managed by the threat actor. The bot's functionality is divided into two parts: one for device control and another for harvesting valuable data. The malicious DLL files housing one of these two malware components can be concealed within the ISO images distributed during spear-phishing campaigns, ultimately giving Dark Pink control of the targeted machine.

GitHub Usage:

The group has links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware designed for future deployment on targeted devices.

Data extraction:

Dark Pink employed a variety of techniques and services for data exfiltration. In their previous attacks, stolen information was sent via email or through public cloud services such as Dropbox. In a recent attack, however, Dark Pink used the HTTP protocol and a webhook service to exfiltrate the stolen data.
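As an added example (not from the original report or any vendor tooling), the following Python sketches detection logic for the persistence and exfiltration behaviours described above, run over constructed Sysmon-style events; the event field names and the Telegram API host are assumptions.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Windows\System32\reg.exe",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update = powershell.exe -w hidden -File C:\ProgramData\sync.ps1"},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "detail": "api.telegram.org:443"},
    {"type": "file_create", "image": r"C:\Users\u\AppData\Local\Temp\cucky_sample.exe",
     "detail": r"C:\Users\u\AppData\Local\Temp\backuplog\cookies.txt"},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "detail": "webhook.site:443"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "detail": "example.org:443"},   # benign control: no hit expected
]

C2_HOSTS = {"api.telegram.org"}   # assumed Telegram tasking host for TelePowerBot / KamiKakaBot
EXFIL_HOSTS = {"webhook.site"}    # webhook service used for HTTP exfiltration

def classify(event):
    """Return a label when the event matches one of the described TTPs, else None."""
    image = ntpath.basename(event["image"]).lower()
    lowered = event["detail"].lower()
    if event["type"] == "registry_set":
        # Autostart value whose command launches PowerShell: the boot-time
        # script through which TelePowerBot starts and reaches Telegram.
        if "\\currentversion\\run\\" in lowered and "powershell" in lowered:
            return "autostart-powershell"
    elif event["type"] == "network":
        host = lowered.rsplit(":", 1)[0]
        if image == "powershell.exe" and host in C2_HOSTS:
            return "telegram-c2"
        if host in EXFIL_HOSTS:
            return "webhook-exfil"
    elif event["type"] == "file_create":
        # Cucky keeps stolen browser data in %TEMP%\backuplog rather than sending it.
        if "\\temp\\backuplog\\" in lowered:
            return "stealer-staging"
    return None

def detect(events):
    """Return (index, label) for every event that triggers a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label is not None:
            hits.append((i, label))
    return hits

if __name__ == "__main__":
    for idx, label in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```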

Dark Pink Origins and Affiliates

According to different researchers, the time zone of the attacks correlated with Vietnam. Considering these details, the most we can discern about the actor’s origin is that they likely come from the Southeast Asia region.

In addition, there is an assumption according to other researchers that Dark Pink is related to the OCEAN BUFFALO group. OCEAN BUFFALO (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary reportedly active since at least 2012.

Dark Pink IOCs

Files:

| File | SHA256 |
|---|---|
| [Update] Counterdraft on the MoU on Rice Trade.zip.iso | 6b7c4ce5419e7cde80856a85559203dca5219d05115cdd6c1598f2e789149c34 |
| wwlib.dll | 8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a |
| ~[INDONESIA] COUNTERDRAFT MOU ON RICE TRADE INDONESIA-INDIA 15052023.DOC | 78ec064bce850d0e0a022cdbb84a6200e62f92e8e575ebbd4a9b764dc1dce771 |
| MS Project file | 54675c16c1fd97227cb41892431e1f9f8b0b153225b5576445d3ba24860dcfd9 |
| ccc.gif | 115a66aba1068be11e549c4194dda5f338684ae37ffbfc9045c0bae488a5acf4 |
| AccHelper.xll | 6d620e86fd37c9b92a0485b0472cb1b8e2b1662fbb298c4057f8d12ad42808b4 |
| ANALYS32.xll | d23784c30a56f402bb71d116ef8b5bcc8609061be0ecc6d1014686ff4227197f |


MITRE IDs

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing | T1566 |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution | T1204 |
| Execution | Command and Scripting Interpreter | T1059 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution | Windows Management Instrumentation | T1047 |
| Execution | System Services | T1569 |
| Execution | System Services: Service Execution | T1569.002 |
| Persistence | Browser Extensions | T1176 |
| Persistence | Event Triggered Execution | T1546 |
| Persistence | Event Triggered Execution: Change Default File Association | T1546.001 |
| Persistence | Boot or Logon Autostart Execution | T1547 |
| Persistence | Scheduled Task/Job | T1053 |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 |
| Privilege Escalation | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | Trusted Developer Utilities Proxy Execution | T1127 |
| Defense Evasion | Template Injection | T1221 |
| Defense Evasion | Hijack Execution Flow | T1574 |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 |
| Credential Access | Credentials from Password Stores | T1555 |
| Discovery | Query Registry | T1012 |
| Discovery | File and Directory Discovery | T1083 |
| Discovery | System Information Discovery | T1082 |
| Collection | Audio Capture | T1123 |
| Collection | Screen Capture | T1113 |
| Command and Control | Data Encoding | T1132 |
| Command and Control | Web Service | T1102 |

Source: https://cyberint.com/blog/research/dark-pink-apt-attacks/