Dark Pink Steps Up Cyberattacks, Targets Expand


Cyberwarfare, in which states use hacking to attack one another, is a major threat. Fraud management, which means stopping people from stealing money online, also matters. Cybercrime resembles conventional crime but is carried out with computers; it includes breaking into websites and stealing personal information. All of these can cause serious harm to individuals, companies and even countries, so they need to be taken seriously and defended against.

Dark Pink, a newly identified threat actor, is updating its tools to avoid detection and expanding its list of targets. The group is focused on Southeast Asia.


Security researchers at the Chinese company Tencent, who track the threat actor as Saaiwc Group, found that the group uses a malicious Microsoft Excel add-in to maintain persistence on infected machines. This is a new tactic for the group, and the international cybersecurity company Group-IB has reported on the development.

Dark Pink has attacked 13 victims since it began operating in mid-2021 in the Asia-Pacific region. This year it targeted government agencies in Brunei and Indonesia, as well as a school in Belgium and a Thai military agency. Government, military and religious organizations in Vietnam, the Philippines, Malaysia and Cambodia were attacked, as was a ministry in Bosnia and Herzegovina.

The Excel add-in does not contact the command-and-control infrastructure every time the device boots; it only does so when Excel is launched. During infection, the Dark Pink malware fetches the Excel extension from the group's GitHub page. Dark Pink also builds decryption routines into its files to evade sandbox analysis and detection.
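Because the add-in only beacons when Excel starts, the detection opportunity is the correlation between an Excel process launch and outbound connections from that process shortly afterwards. The following is an added example, not code from the article or from Group-IB; the event format, the allowlist and the sample telemetry are constructed assumptions.

```python
# Added example: flag outbound connections made by EXCEL.EXE shortly after
# it starts, to destinations outside a known-good allowlist. Event format,
# allowlist and telemetry below are constructed for illustration.
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): process starts and connections.
EVENTS = [
    "2023-06-01T09:00:00 process_start image=EXCEL.EXE pid=4120",
    "2023-06-01T09:00:03 net_connect pid=4120 dest=officecdn.microsoft.com",
    "2023-06-01T09:00:07 net_connect pid=4120 dest=raw.githubusercontent.com",
    "2023-06-01T09:30:00 process_start image=WINWORD.EXE pid=5000",
    "2023-06-01T09:30:02 net_connect pid=5000 dest=raw.githubusercontent.com",
    "2023-06-01T11:00:00 process_start image=EXCEL.EXE pid=6001",
    "2023-06-01T11:05:00 net_connect pid=6001 dest=raw.githubusercontent.com",
]
ALLOWED = {"officecdn.microsoft.com"}   # assumed known-good destinations
WINDOW = timedelta(seconds=30)          # how soon after start counts as "on launch"


def parse(line):
    """Split one constructed event line into (timestamp, kind, fields)."""
    ts, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), kind, fields


def excel_beacons(lines, window=WINDOW, allowed=ALLOWED):
    """Return (pid, dest) pairs for connections made by an Excel process
    within `window` of its start to a destination outside the allowlist."""
    starts = {}   # pid -> start time of EXCEL.EXE processes seen so far
    hits = []
    for line in lines:
        ts, kind, f = parse(line)
        if kind == "process_start" and f["image"].upper() == "EXCEL.EXE":
            starts[f["pid"]] = ts
        elif kind == "net_connect" and f["pid"] in starts:
            if ts - starts[f["pid"]] <= window and f["dest"] not in allowed:
                hits.append((f["pid"], f["dest"]))
    return hits


if __name__ == "__main__":
    for pid, dest in excel_beacons(EVENTS):
        print(f"suspicious: Excel pid {pid} connected to {dest} right after launch")
```

Connections by other Office processes and connections well after Excel started are left alone here; a real deployment would tune the window and allowlist to the environment.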

In March, the Dutch cybersecurity company EclecticIQ observed Dark Pink actors using improved obfuscation routines to bypass anti-malware defenses. The APT group showed interest in diplomatic relations between European and Asia-Pacific countries, and EclecticIQ assesses that it is linked to Chinese state hackers. (See also: Dark Pink APT Group "very likely" back in action.)

Dark Pink still uses the same attack chain. It lures victims into downloading an ISO file that contains a decoy Word document, an executable and a malicious DLL; the DLL is what loads the malware onto the machine. The malware then uses MSBuild to launch KamiKakaBot, which receives its orders from the operators over a dedicated Telegram channel. Through KamiKakaBot they can steal browser data, download additional malicious scripts, or change how the Telegram bot is reached.

After security researchers exposed its infrastructure, the Dark Pink group moved to a different GitHub account, where it hosts its PowerShell scripts, zip archives and malware.

Group-IB examined the GitHub repository and found a tool for exfiltrating data from the Zalo messaging app, along with a tool the attackers can use to run PowerShell commands and perform other malicious actions. Dark Pink took the repository down after the file links were submitted to VirusTotal.
