In an article published on their blog on May 8, researchers from the BlackBerry Threat Research and Intelligence team described how the attacks use documents tailored to the targets' interests that, when opened, exploit a remote template injection flaw to deliver malicious payloads.
The campaign's first phase, identified last November, targets Pakistani victims with server-side polymorphic attacks, while a later phase, discovered earlier this year, uses phishing to spread malicious lure documents to victims.
Rather than using malicious macros in the documents to deliver malware, which is the common approach when documents are used as lures, the APT exploits the CVE-2017-0199 vulnerability to deliver its payloads.
Attackers have been using server-side polymorphism to evade detection by antivirus tools. The researchers noted that it accomplishes this with malicious code that changes its appearance through encryption and obfuscation, so that no two samples look the same and each is harder to analyze.
“The attack can fool defenders because it serves the victim with a new sample each time a link is clicked,” says Dmitry Bestuzhev, senior director of cyber-threat intelligence at BlackBerry. “In this case, each new download has a new hash, which effectively breaks hash-based detections used by security operations centers (SOCs) and some endpoint scanners,” he says.
“Since there’s a new hash each time, there is no information on a given sample on public multi scanners like VirusTotal unless each new sample is uploaded over and over for further analysis[…]So it makes life harder for the victims because of the lack of information on public sandboxes and other-like security services,” Bestuzhev continues.
BlackBerry researchers evaluated the campaign's numerous documents, which were hosted on an attacker-controlled server and distributed to victims. Researchers first came across one with the subject line "GUIDELINES FOR BEACON JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)," and in early December identified another that claimed to be a letter of offer and acceptance "for the purchase of defense articles, defense services, or both."
In both of these cases, “The name of the file ‘file.rtf’ and the file type are the same; however, the contents, file size and the file hash are different[…]This is an example of server-based polymorphism, where each time the server responds with a different version of the file, so bypassing the victim’s antivirus scanner (presuming the antivirus uses signature-based detection),” they added.
If the requesting user is outside the Pakistani IP range, the server returns an 8-byte RTF file that contains a single string. If the user is within the Pakistani IP range, the server instead returns the RTF payload, which varies between 406 KB and 414 KB in size.
Early in March, the researchers found a new malicious document, connected to the prior attack, that had been delivered via phishing emails. This discovery suggested that Turkey had become a new target country for SideWinder. According to the researchers, the servers they discovered in mid-March were set up so that a victim in Turkey could retrieve a second-stage payload.
While Southeast Asian regions like Pakistan and Sri Lanka have always been prime targets of SideWinder, their targeting of victims in Turkey makes sense given the geopolitical situation, in which the Turkish government has been backing Pakistan, drawing criticism from India, according to the researchers.
While polymorphic attacks overall can be difficult to defend against, detection and prevention strategies based on behavior and hashes can be effectively used against them, Bestuzhev notes.
“The key for organizations to mitigate these attacks”, Bestuzhev adds, “is not to focus on volatile indicators of compromise but on meaningful tactics, techniques, and procedures (TTPs) and behaviors in the system or code blocks covered by machine learning technologies.”
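The detection problem described above, where each download of the same file.rtf carries a different hash while the document's structure stays the same, can be shown with a small simulation. This is an added example and not BlackBerry's code: it builds a few constructed, non-functional RTF-like variants (an assumed placeholder URL hex-encoded inside an object block, with random filler so every variant hashes differently), then compares a hash-allowlist check against a structural check that looks for an auto-updating object whose data embeds a URL. It also includes a constructed 8-byte stub standing in for the response served outside the targeted IP range.

```python
import hashlib
import re
import secrets

# Constructed placeholder (assumption): stands in for a remote template address.
PLACEHOLDER_URL = "http://template.example.invalid/t.doc"
OBJDATA_HEX = PLACEHOLDER_URL.encode("utf-16-le").hex()

# Constructed stand-in for the 8-byte file served to non-targeted clients.
GEOFENCE_STUB = b"{\\rtf1 }"


def build_sample(filler: str) -> bytes:
    """One polymorphic variant of 'file.rtf': only the filler differs between variants.

    The object block is a structural imitation only, not a working OLE payload."""
    return (
        "{\\rtf1\\ansi"
        f"{{\\*\\filler {filler}}}"          # random junk group: changes the hash
        "{\\object\\objautlink\\objupdate"    # auto-updating linked object
        f"{{\\*\\objdata {OBJDATA_HEX}}}}}"   # hex-encoded object data
        "}"
    ).encode()


OBJDATA_RE = re.compile(rb"\\objdata\s+([0-9a-fA-F\s]+)")
URL_RE = re.compile(rb"https?://[\w.\-/]+")


def has_remote_object_link(doc: bytes) -> bool:
    """Structural check: an object marked for automatic update whose data embeds a URL.

    This keys on what the document does, not on what it hashes to."""
    if b"\\objupdate" not in doc and b"\\objautlink" not in doc:
        return False
    for match in OBJDATA_RE.finditer(doc):
        hex_text = re.sub(rb"\s", b"", match.group(1)).decode()
        raw = bytes.fromhex(hex_text)
        # Embedded strings may be ASCII or UTF-16LE; check both views.
        wide_view = raw.decode("utf-16-le", errors="ignore").encode()
        if URL_RE.search(raw) or URL_RE.search(wide_view):
            return True
    return False


def compare_detections(n: int = 5) -> dict:
    """Simulate n downloads of the same lure and compare the two detection strategies."""
    samples = [build_sample(secrets.token_hex(8)) for _ in range(n)]
    digests = [hashlib.sha256(s).hexdigest() for s in samples]
    known_bad = {digests[0]}  # the SOC has only ever seen the first download
    return {
        "samples": n,
        "distinct_hashes": len(set(digests)),
        "hash_hits": sum(d in known_bad for d in digests),
        "structural_hits": sum(has_remote_object_link(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_detections())
    print("stub flagged:", has_remote_object_link(GEOFENCE_STUB))
```

Running it shows every download producing a distinct SHA-256 (so the hash list matches only the one sample already known) while the structural check matches all of them, and the geofence stub matches neither. The same idea scales to real content-inspection rules: key on the behavior a document requests rather than on bytes the server is free to vary.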
The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific region, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. One European country, Bosnia and Herzegovina, was also targeted.
The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘The Dark Pink.’ This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher.
Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly.
Regarding the attack, Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB described a custom toolkit "featuring four different infostealer: TelePowerBot, KamiKakaBot, Cucky, and Ctealer."
These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks.
Group-IB discovered one of Dark Pink's spear-phishing emails that was used to obtain initial access. In this case, the threat actor posed as a candidate for a PR and communications intern position. Because the email says the sender found the position on a jobseeker website, the threat actor may have scanned job boards and used that information to construct a highly relevant phishing email.
This highlights how carefully these phishing emails are crafted, which is what makes them so dangerous.
Reportedly, Dark Pink is able to abuse USB devices connected to compromised systems. Dark Pink can also access the messaging applications installed on infected computers.
The Dark Pink APT group still remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the issue and estimating its size.
The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack."
The target could be a government agency or a business, and the stolen information could be used to do additional harm. When attempting to penetrate a high-value target, an APT may first be launched against the systems of a single intermediate entity. APTs have been reported to be carried out by both state actors and private criminals.
Several organizations closely monitor the threat actor groups behind these APTs. CrowdStrike, a security company that tracks over 170 APT groups, reports a nearly 45% rise in interactive intrusion attempts between 2020 and 2021. Nation-state espionage is now a strong second in frequency, although financially motivated e-crime remains the most frequently identified motive.
An APT mainly consists of three main steps:
Since the threat is designed both to evade detection and to acquire sensitive information, each of these stages may involve several steps and be patiently carried out over an extended period of time.
Successful breaches may operate covertly for years; yet, some acts, including jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be carried out very rapidly.
APTs have a reputation for using deception to avoid giving proper, direct credit for their work. An APT for one country could incorporate language from another country into its code to confuse investigators.
Investigating teams may also have close relationships with state intelligence agencies, leading some to question the objectivity of their findings.
Amid this, the tactics, techniques, and procedures (TTPs) of APTs are constantly updated in response to the changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence.
List of key threats
New APTs built on advanced techniques, by their nature, generally operate undetected. In addition, challenging attacks continue to be carried out against organizations long after they were first detected (for instance, SolarWinds).
Moreover, new trends and patterns are constantly being identified and copied until a way is found to render them ineffective. Listed below are some of the major trends in APTs identified by the Russian internet security firm Kaspersky:
• The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities.
• Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode in the iOS 16 iPhone software update is meant to address exploitation by NSO Group spyware, iPhones remain, alongside Android and other mobile devices, among the top targets of APTs.
• More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds.
• Continued exploitation of work-from-home (WFH): With the WFH arrangements that emerged in 2020, hacker groups will continue targeting employees’ remote systems until those systems are hardened enough to resist exploitation.
• Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, especially in Africa: With the deteriorating geopolitical situation worldwide, espionage is growing rapidly in areas where systems and communications are most vulnerable.
APT Identification and Management Practices:
Since APTs are designed to be covert, are well resourced, continually evolve, and draw on the illicit trade in zero-day exploits, they are inherently difficult to detect. Attacks, however, frequently follow a pattern, going for predictable targets like admin credentials and privileged data repositories that represent important company assets.
Following are 5 recommendations for avoiding and identifying APT intrusion:
1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance at Qmulos, “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.”
2. Stay alert: Follow the reporting of security analysts and the wider security community, who track APT groups and look for indications of threat-group or activity-group actions, as well as activity that points to a potential intrusion or cyber campaign.
3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline.
4. Use your tools: Existing security tools such as endpoint protection, network prevention systems, firewalls, and email protection can also be used to identify APTs.
5. Threat intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it may signify for the target organization. These technologies can help a management team identify potential attackers and determine their likely objectives.
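Recommendations 3 and 5 above, establishing a baseline and checking traffic against threat intelligence, can be combined in one small detection pass. The following is an added example and not code from any of the vendors quoted on this page: it learns a per-host baseline of daily outbound bytes and known destinations from constructed flow records, then reviews a new day for volume anomalies, never-before-seen destinations, and matches against a constructed threat-intelligence address list. All hostnames, addresses and byte counts are invented sample data.

```python
import statistics
from collections import defaultdict

# Constructed sample flows (not from the article): "day,host,dst_ip,bytes_out".
# This window represents normal activity and is used to build the baseline.
BASELINE_FLOWS = """\
d1,ws-01,203.0.113.10,52000
d1,ws-02,203.0.113.10,61000
d1,srv-01,198.51.100.7,410000
d2,ws-01,203.0.113.10,48000
d2,ws-02,203.0.113.10,59000
d2,srv-01,198.51.100.7,395000
d3,ws-01,203.0.113.10,55000
d3,ws-02,203.0.113.10,63000
d3,srv-01,198.51.100.7,420000
d4,ws-01,203.0.113.10,50000
d4,ws-02,203.0.113.10,60000
d4,srv-01,198.51.100.7,405000
"""

# The day under review: ws-02 pushes far more data than usual, and ws-01
# contacts an address that appears on the (constructed) threat-intel list.
REVIEW_FLOWS = """\
d5,ws-01,192.0.2.44,51000
d5,ws-02,203.0.113.10,2400000
d5,srv-01,198.51.100.7,402000
"""

THREAT_INTEL_IPS = {"192.0.2.44"}  # constructed feed entry, not a real indicator


def parse_flows(text: str) -> list:
    """Parse the simple CSV-style flow records into (day, host, dst, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        day, host, dst, nbytes = line.split(",")
        flows.append((day, host, dst, int(nbytes)))
    return flows


def build_baseline(flows: list) -> dict:
    """Per host: mean and population stdev of daily outbound bytes, plus known destinations."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    known_dsts = defaultdict(set)
    for day, host, dst, nbytes in flows:
        per_host_day[host][day] += nbytes
        known_dsts[host].add(dst)
    baseline = {}
    for host, days in per_host_day.items():
        daily = list(days.values())
        baseline[host] = {
            "mean": statistics.mean(daily),
            "stdev": statistics.pstdev(daily) if len(daily) > 1 else 0.0,
            "dsts": known_dsts[host],
        }
    return baseline


def review(flows: list, baseline: dict, intel: set,
           z_threshold: float = 3.0, min_stdev: float = 1000.0) -> list:
    """Return sorted (host, alert_kind, detail) tuples for the reviewed window."""
    alerts = []
    totals = defaultdict(int)
    for _day, host, dst, nbytes in flows:
        totals[host] += nbytes
        if dst in intel:
            alerts.append((host, "intel-match", dst))
        elif host in baseline and dst not in baseline[host]["dsts"]:
            alerts.append((host, "new-destination", dst))
    for host, total in totals.items():
        if host not in baseline:
            alerts.append((host, "no-baseline", str(total)))
            continue
        mean, stdev = baseline[host]["mean"], baseline[host]["stdev"]
        # Floor the stdev so a perfectly flat baseline cannot divide by zero
        # or turn a trivial change into an alert.
        z = (total - mean) / max(stdev, min_stdev)
        if z > z_threshold:
            alerts.append((host, "volume-anomaly", f"z={z:.1f}"))
    return sorted(alerts)


def run_demo() -> list:
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return review(parse_flows(REVIEW_FLOWS), baseline, THREAT_INTEL_IPS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample data this yields exactly two alerts: an intel match for ws-01 and a volume anomaly for ws-02, while srv-01, whose day stays within its usual range, is silent. The z-score floor and the separate "new-destination" class are the practical details: a baseline built from very regular hosts otherwise fires on noise, and a new destination is worth a look even when the volume is ordinary.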