The email's RAR attachment contains an EXE file, the first-stage malware, which downloads the second stage. The stolen data is exfiltrated via SMTP.
Here comes Dark Pink. Group-IB cybersecurity experts: the APT is mostly targeting the APAC region for cyber espionage purposes
Dark Pink is a new APT targeting the APAC region for cyber espionage purposes. Group-IB cybersecurity experts discovered it. The group's name was coined by forming a hybrid of some of the email addresses used by the threat actors during data exfiltration. The APT began operations as early as mid-2021, although its activity surged in mid-to-late 2022. The bulk of the attacks were carried out against countries in the APAC region, although the threat actors spread their wings and targeted one European governmental ministry. The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. Furthermore, there was an unsuccessful attack on a European state development agency based in Vietnam.
The threat actor uses new TTPs, a custom malware toolkit and two core techniques
According to the researchers, Dark Pink leverages a set of tactics, techniques, and procedures rarely utilized by previously known APT groups: a custom toolkit featuring TelePowerBot, KamiKakaBot, and the Cucky and Ctealer information stealers. The goal of the threat actor is to steal confidential documentation held on the networks of government and military organizations. Of particular note is the APT's ability to infect even USB devices attached to compromised computers, and to gain access to messengers on infected machines. Furthermore, Dark Pink threat actors utilize two core techniques: DLL Side-Loading (MITRE ATT&CK T1574.002) and executing malicious content triggered by a file type association (Event Triggered Execution: Change Default File Association, T1546.001). The latter of these techniques is rarely seen utilized in the wild by threat actors.
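The two core techniques above are worth checking for on a host suspected of compromise. The following PowerShell script is an added example written for this page; it is not Group-IB's tooling and not Dark Pink's code, and it does not encode any Dark Pink-specific file type, path or DLL name, because the report excerpt names none. It assumes PowerShell 5.1 or later on the Windows host being examined, and the function names, the search roots and the "suspicious" pattern are this example's own choices. Part 1 walks the per-user and machine-wide `Software\Classes` hives, where a changed default file association lives, and flags `shell\open\command` handlers that invoke an interpreter or point into a user-writable directory. Part 2 hunts for the classic DLL side-loading layout: an executable in a user-writable location sitting next to a DLL that shares its name with a DLL in System32.

```powershell
# Added example (not from Group-IB or the Dark Pink report). Assumes Windows,
# PowerShell 5.1+, run on the host under examination. Function names, search
# roots and the regex below are this example's assumptions, not report IOCs.

# --- Part 1: Change Default File Association (T1546.001) ---
# When a file of a registered type is opened, Windows runs the command stored at
# <hive>\Software\Classes\<extension-or-ProgID>\shell\open\command. HKCU is
# writable without admin rights, so it is the usual place for this persistence.
function Get-SuspiciousFileAssociations {
    # Interpreters a document handler should not normally invoke, plus
    # user-writable locations where a legitimate handler binary rarely lives.
    $suspiciousPattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'
    $roots = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes'

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $cmdKey = "$root\$($_.PSChildName)\shell\open\command"
            if (Test-Path $cmdKey) {
                # The handler command line is the key's (default) value.
                $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
                if ($cmd -and $cmd -match $suspiciousPattern) {
                    [pscustomobject]@{
                        Hive    = $root
                        ProgId  = $_.PSChildName
                        Command = $cmd
                    }
                }
            }
        }
    }
}

# --- Part 2: DLL Side-Loading (T1574.002) ---
# A benign, often signed, EXE loads a DLL by name; if a DLL of that name sits in
# the EXE's own directory it wins over the System32 copy. Flag EXEs in
# user-writable roots that have such a DLL beside them, and record whether the
# DLL carries a valid Authenticode signature (legitimate runtimes usually do).
function Get-SideLoadCandidates {
    param(
        [string[]]$SearchRoots = @("$env:USERPROFILE\AppData", "$env:ProgramData",
                                   "$env:TEMP", "$env:PUBLIC")
    )
    # Build a lookup of DLL names that exist in System32.
    $sysDlls = @{}
    Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $sysDlls[$_.Name.ToLowerInvariant()] = $true }

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
          ForEach-Object {
            $exe = $_
            Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
              Where-Object { $sysDlls.ContainsKey($_.Name.ToLowerInvariant()) } |
              ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Executable = $exe.FullName
                    Dll        = $_.FullName
                    DllSigned  = $sig.Status   # 'Valid' for a properly signed DLL
                }
              }
          }
    }
}

# Run both audits and print the findings.
Get-SuspiciousFileAssociations | Format-Table -AutoSize
Get-SideLoadCandidates | Format-Table -AutoSize
```

Both lists are leads, not verdicts: a vendor may legitimately register a script-based handler, and many applications ship redistributable DLLs (such as the C runtime) beside their executable. Triage by checking the handler's target and the DLL's signature, file hash and on-disk timestamp against the rest of the application, and compare the HKCU handler with the HKLM one for the same ProgID, since a per-user override of a machine-wide association is the shape this persistence technique takes.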