New APT group targets ASEAN governments and militaries – ComputerWeekly.com

A new advanced persistent threat (APT) group has launched sophisticated cyber attacks against government and military targets in Southeast Asia, underscoring the growth of cyber threats against high-profile organisations in the region.
Dubbed Dark Pink, the new threat actor, uncovered by cyber security company Group-IB, is notable due to their focus on attacking branches of the military and government agencies.
As of December 2022, the group had breached the cyber defences of six organisations in ASEAN, including those in Cambodia, Indonesia, Malaysia, Philippines, and Vietnam. The first successful attack took place in June 2022, when the threat actors accessed the network of a religious group in Vietnam.
After the initial breach, no other attack attributable to Dark Pink was registered until August 2022, when Group-IB analysts found that the threat actors had gained access to the network of a Vietnamese non-profit organisation.
Subsequently, Dark Pink ramped up their activities in the last four months of the year, attacking a branch of the Philippines military in September, a Malaysian military branch in October, followed by breaches of government organisations in Cambodia and Indonesia in November and December, respectively.
Group-IB’s threat intelligence experts also discovered an unsuccessful attack on a European state development agency based in Vietnam in October 2022.
In their research on Dark Pink, Group-IB analysts detailed the entire victim journey from initial infection to data exfiltration. The attacks were reportedly carried out with a set of custom tools and sophisticated tactics, techniques and procedures (TTPs), which Group-IB credits as a major factor in the group's string of successful intrusions over the preceding seven months.
Attacks were typically launched with targeted spear-phishing emails, including one where they posed as a job seeker applying for an internship position. In the email, the threat actor mentioned that they found the vacancy on a jobseeker website, suggesting that the threat actors had been scanning job boards to craft a unique phishing email relevant to the targeted organisation.
Upon clicking a link that purportedly led to the applicant's documents, the victim was offered a malicious ISO image for download. The image contained three kinds of files: a legitimately signed executable, a non-malicious decoy document (some ISO files seen by Group-IB carried more than one), and a malicious DLL (dynamic link library).
Although the same three kinds of files appeared throughout, their content and function varied between campaigns, and Group-IB analysts distinguished three separate kill chains, underscoring the sophistication of this particular APT group.
In the first kill chain analysed by Group-IB, the threat actors packed the three files into an ISO image; once the victim mounted the image and ran the signed executable, the malicious DLL was loaded through a technique known as DLL side-loading. The malicious DLL sits in the same directory as the trusted executable, and because Windows searches the application's own directory before the system directories, the signed program loads the attacker's library in place of the legitimate one.
In another kill chain, the threat actors used GitHub to host a template document whose macros ran their custom malware; the document was fetched automatically when the decoy was opened.
The most recent kill chain was observed in December 2022, when the threat actors launched their malware with the help of an XML file containing an MSBuild project, which executed embedded .NET code to launch the custom malware.
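The three kill chains above each leave a distinctive process-level footprint that a defender can hunt for: a signed executable running from a mounted image or user-writable path and loading a DLL from its own directory (side-loading), msbuild.exe building a project file from a temporary or user directory, and an Office application spawning a child process (a macro running code). The following Python is an added example written for this page, not Group-IB's tooling or anything recovered from Dark Pink; the event schema, path heuristics, rule names and every sample event are constructed for illustration, and none of the paths or filenames are real indicators.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed, simplified process-creation record of the kind an EDR or Sysmon
# (Event ID 1 for process creation, 7 for image loads) would yield. The field
# names are an assumption for this example, not a real product schema.
@dataclass
class ProcEvent:
    image: str                      # full path of the started process
    cmdline: str                    # its command line
    parent_image: str               # full path of the parent process
    signed: bool = False            # Authenticode signature verified by the sensor
    loaded_dlls: List[str] = field(default_factory=list)  # image-load paths seen for this process

# Heuristics (assumptions for the demo): code under Windows/Program Files is
# "trusted"; Users/ProgramData/Windows\Temp is user-writable. A mounted ISO
# appears as a fresh drive letter, so it falls outside the trusted set.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(?:windows|program files(?: \(x86\))?)\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.I)
PROJECT_EXT = re.compile(r'"?([^\s"]+\.(?:xml|csproj|vbproj|proj|targets))"?(?=\s|$)', re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
OFFICE_BENIGN_CHILDREN = OFFICE_APPS | {"splwow64.exe"}  # print spooler helper is normal


def _split(path: str) -> Tuple[str, str]:
    """Split a Windows path into (directory, filename), lower-cased, independent of host OS."""
    norm = path.replace("/", "\\").lower()
    head, _, tail = norm.rpartition("\\")
    return head, tail


def untrusted_location(path: str) -> bool:
    return SYSTEM_DIRS.match(path) is None


def dll_sideload_hint(ev: ProcEvent) -> Optional[str]:
    """Signed executable outside Windows/Program Files that loads a DLL from its own directory.
    The DLL search order checks the application directory first, so a malicious DLL placed
    beside a legitimately signed EXE (the ISO kill chain) is loaded in place of the real one.
    Noisy for portable apps; pair with the ISO/removable-media context in practice."""
    if not ev.signed or not untrusted_location(ev.image):
        return None
    exe_dir, exe_name = _split(ev.image)
    for dll in ev.loaded_dlls:
        dll_dir, dll_name = _split(dll)
        if dll_dir == exe_dir:
            return f"dll_sideload: {exe_name} loaded {dll_name} from its own directory {exe_dir}"
    return None


def msbuild_hint(ev: ProcEvent) -> Optional[str]:
    """msbuild.exe building a project file that lives in a user-writable location
    (the MSBuild inline-task kill chain); real builds come from source trees or CI."""
    if _split(ev.image)[1] != "msbuild.exe":
        return None
    m = PROJECT_EXT.search(ev.cmdline)
    if m and USER_WRITABLE.match(m.group(1)):
        return f"msbuild_project: msbuild.exe built {m.group(1)} from a user-writable path"
    return None


def office_child_hint(ev: ProcEvent) -> Optional[str]:
    """An Office application spawning a non-Office child: what a macro in a remotely
    fetched template looks like when it launches a payload."""
    parent = _split(ev.parent_image)[1]
    child = _split(ev.image)[1]
    if parent in OFFICE_APPS and child not in OFFICE_BENIGN_CHILDREN:
        return f"office_child: {parent} spawned {child} ({ev.image})"
    return None


RULES = (dll_sideload_hint, msbuild_hint, office_child_hint)


def hunt(events: List[ProcEvent]) -> List[str]:
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events: three that should fire (one per kill chain) and two benign controls.
SAMPLE_EVENTS = [
    ProcEvent("E:\\Resume\\viewer.exe", "viewer.exe", "C:\\Windows\\explorer.exe", signed=True,
              loaded_dlls=["E:\\Resume\\plugin.dll", "C:\\Windows\\System32\\kernel32.dll"]),
    ProcEvent("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
              "MSBuild.exe C:\\Users\\jane\\AppData\\Local\\Temp\\build.xml",
              "C:\\Windows\\explorer.exe", signed=True),
    ProcEvent("C:\\Users\\jane\\AppData\\Roaming\\update.exe", "update.exe",
              "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
    ProcEvent("C:\\Program Files\\Vendor\\app.exe", "app.exe", "C:\\Windows\\explorer.exe", signed=True,
              loaded_dlls=["C:\\Program Files\\Vendor\\app.dll"]),
    ProcEvent("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
              "MSBuild.exe C:\\src\\proj\\app.csproj", "C:\\Windows\\explorer.exe", signed=True),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately broad: each one alone will flag legitimate portable applications, developers running MSBuild from their home directory, or Office add-ins. They are hunting leads to be combined with context (a freshly mounted ISO, a document fetched from an external host, an unsigned child in a user profile), not production alerts.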
Dark Pink’s custom malware could be used to exfiltrate data from victims through Telegram, Dropbox and email.
Andrey Polovinkin, malware analyst at Group-IB, said Dark Pink’s APT campaign was highly complex, and that the use of a custom toolkit, advanced evasion techniques and their ability to rework their malware to maximise effectiveness underscored the significant threat they could pose.
“Group-IB will continue to monitor and analyse both past and future Dark Pink attacks with the aim of uncovering those behind this campaign,” he added.