The recently identified Dark Pink advanced persistent threat (APT) group is likely behind a fresh set of KamiKakaBot malware attacks on ASEAN governments and military entities, according to Netherlands-based cybersecurity company EclecticIQ.
The attacks, which took place in February, were "almost identical" to those reported by Singapore-based cybersecurity firm Group-IB on January 11, 2023, EclecticIQ said.
Multiple overlapping techniques between the two campaigns led EclecticIQ analysts to attribute the recent attacks to the Dark Pink APT group as the likely perpetrator.
Dark Pink is the name given by Group-IB to the group believed to be behind the APT attacks that have struck the APAC region.
APT attacks are often state-sponsored espionage campaigns focused on long-term, targeted intrusions into specific organizations or countries, with little or no financial motive.
EclecticIQ attributed the latest wave of APT attacks in ASEAN to Dark Pink because KamiKakaBot has so far been used exclusively by Dark Pink, and because the attacks used the same command-and-control (C2) structure and similar payload delivery and execution techniques as the earlier attacks.
KamiKakaBot is a remote access trojan (RAT) that targets Windows-based systems. It is delivered via phishing emails carrying a malicious ISO file (a disc image that Windows mounts as a virtual drive when opened) as an attachment, according to EclecticIQ. Attackers favour the format because, on systems without the late-2022 Windows fix, files inside a mounted ISO do not inherit the Mark of the Web that triggers SmartScreen and Office warnings.
Phishing delivers payload through DLL sideloading
The ISO contains a legitimate, Microsoft-signed WinWord.exe, which is used to stage a dynamic link library (DLL) sideloading attack. When a user opens WinWord.exe from the mounted image, the Windows DLL search order checks the application's own directory first, so the KamiKakaBot loader (a malicious MSVCR100.dll placed in the same folder) is found before the genuine library and is loaded and executed inside the memory of the trusted WinWord.exe process.
Additionally, the malicious ISO includes a disguised Word document in which one section is encrypted using exclusive-or (XOR). The KamiKakaBot loader decrypts this section and extracts an XML payload from the disguised file. The decrypted payload is then written to disk under C:\Windows\temp and executed using MSBuild.exe, a legitimate Microsoft build tool commonly abused in "living-off-the-land" attacks because it will compile and run code embedded in a project file.
Before executing the XML payload, the KamiKakaBot loader writes a registry value into the Winlogon Shell path to abuse its helper feature for persistent access. Winlogon reads this value at logon to decide which shell and additional helper programs to start, so anything added there runs every time a user logs on.
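As an added example (not the loader's code and not part of EclecticIQ's report), the following Python script shows the analyst-side counterpart of the step just described: recovering an XOR-encrypted MSBuild project embedded at an unknown offset in a carrier file, using only the fact that the plaintext starts with a known string. It goes beyond the single case in the text by handling any repeating key no longer than the crib, not just a one-byte key. The carrier, the 5-byte key, the offset and the project file are constructed for the demonstration; the real loader's key, key length and section offset are not described in the reporting.

```python
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- constructed sample (not from the reporting) ---------------------------
# A minimal MSBuild project of the kind MSBuild.exe will execute directly.
PROJECT_XML = b"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <Exec Command="echo constructed sample" />
  </Target>
</Project>
"""
DEMO_KEY = bytes([0x4B, 0xA7, 0x13, 0xE0, 0x5C])  # hypothetical 5-byte key
# Filler standing in for the decoy document: the first four bytes of the OLE2
# magic followed by junk, with the encrypted project appended at the end.
DECOY_PREFIX = b"\xd0\xcf\x11\xe0" + b"decoy document bytes " * 6
CARRIER = DECOY_PREFIX + xor_bytes(PROJECT_XML, DEMO_KEY)


def recover_xor_project(blob: bytes, crib: bytes = b"<Project",
                        max_key_len: int = 8, end_tag: bytes = b"</Project>"):
    """Crib-drag `crib` over `blob`. At each offset and for each key length up
    to len(crib), derive the key as crib XOR ciphertext, reject it if the crib
    wrapping past the key length contradicts it, decrypt from that offset and
    accept the first result that is printable XML ending in `end_tag`.
    Returns (offset, key, plaintext) or None."""
    for off in range(len(blob) - len(crib) + 1):
        for klen in range(1, min(max_key_len, len(crib)) + 1):
            key = bytearray(klen)
            consistent = True
            for i, c in enumerate(crib):
                cand = blob[off + i] ^ c
                if i < klen:
                    key[i] = cand
                elif key[i % klen] != cand:
                    consistent = False
                    break
            if not consistent:
                continue
            plain = xor_bytes(blob[off:], bytes(key))
            end = plain.find(end_tag)
            if end != -1 and all(b in PRINTABLE for b in plain[:end]):
                return off, bytes(key), plain[:end + len(end_tag)]
    return None


if __name__ == "__main__":
    hit = recover_xor_project(CARRIER)
    if hit:
        off, key, plain = hit
        print(f"encrypted section at offset {off}, key {key.hex()}")
        print(plain.decode())
```

The consistency check is what lets the search settle on the right key length: with a 5-byte key, lengths 1 to 4 are rejected as soon as the crib wraps, and longer lengths are tried only after the correct one. On a real sample the crib would be whatever the loader's XML starts with (for example an XML declaration), and the key may be longer than any crib, in which case the remaining key bytes have to be guessed from character statistics instead.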
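Added example (not EclecticIQ's or the malware's code): the three host-level traces described in the preceding paragraphs, a runtime DLL loaded from beside WinWord.exe, MSBuild.exe run against a project under C:\Windows\temp, and a change to the Winlogon Shell value, expressed as detection rules in Python and run over constructed Sysmon-style JSON events. Field names follow Sysmon's ProcessCreate (event 1), ImageLoad (event 7) and RegistryValueSet (event 13) events; the drive letter, file names, parent process and registry value in the sample are made up, and the second DLL name and the Office process names in the rule lists are assumptions that generalise beyond this campaign.

```python
import json
import ntpath

# Directories where a runtime DLL is expected to live; a copy anywhere else,
# sitting beside a signed EXE, is the sideloading pattern.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Runtime DLL names attackers plant beside a signed EXE so that the application
# directory wins the DLL search order. msvcr100.dll is the one in this campaign;
# msvcp100.dll is an assumed companion name added for generality.
SIDELOAD_DLLS = {"msvcr100.dll", "msvcp100.dll"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_sideload(ev: dict):
    """Event 7: a runtime DLL loaded from the process's own directory when that
    directory is not an OS or installed-application tree."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if ntpath.basename(dll).lower() in SIDELOAD_DLLS and same_dir and not in_trusted_dir(dll):
        return f"possible DLL sideload: {exe} loaded {dll}"
    return None


def check_msbuild(ev: dict):
    """Event 1: MSBuild.exe handed a project from a temp directory, or spawned
    by an Office application."""
    if ntpath.basename(ev["Image"]).lower() != "msbuild.exe":
        return None
    cmd = ev.get("CommandLine", "")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    from_temp = "\\temp\\" in cmd.lower() or "\\tmp\\" in cmd.lower()
    if from_temp or parent in OFFICE_APPS:
        return f"LOLBin abuse: MSBuild spawned by {parent or '?'}: {cmd}"
    return None


def check_winlogon_shell(ev: dict):
    """Event 13: the Winlogon Shell value set to anything but the default
    explorer.exe."""
    if not ev["TargetObject"].lower().endswith("\\currentversion\\winlogon\\shell"):
        return None
    value = ev.get("Details", "").strip()
    if value.lower() != "explorer.exe":
        return f"persistence: Winlogon Shell set to {value!r} by {ev['Image']}"
    return None


RULES = {1: check_msbuild, 7: check_sideload, 13: check_winlogon_shell}


def scan(lines):
    """Run each JSON event through the rule for its EventID; return alert strings."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = RULES.get(ev.get("EventID"))
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (Sysmon field names, JSON lines). E: stands for the
# mounted ISO; the payload file name and the registry value are made up.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "E:\\WinWord.exe", "ImageLoaded": "E:\\MSVCR100.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Windows\\System32\\msvcr100.dll"}
{"EventID": 13, "Image": "E:\\WinWord.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe, C:\\Windows\\temp\\helper.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe C:\\Windows\\temp\\payload.xml", "ParentImage": "E:\\WinWord.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build", "ParentImage": "C:\\Program Files\\dotnet\\dotnet.exe"}
{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The two benign events are there on purpose: the real Office install loading msvcr100.dll from System32 and a developer build of a .csproj must not fire, otherwise the rules are unusable on a fleet where Visual Studio and Office are common. The MSBuild rule deliberately keys on where the project file lives and who launched the build rather than on the MSBuild binary itself, since the binary is legitimate by definition.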
Malware persistence highlights better obfuscation routines
KamiKakaBot can steal sensitive information from web browsers such as Chrome, Microsoft Edge, and Firefox. The stolen data is sent to the attackers' Telegram bot channel as a compressed ZIP file. Once a device is infected, the attackers can update the malware or execute remote code on it, giving them a foothold for further post-exploitation activity.
The latest KamiKakaBot loader is designed to install the malware without detection, through techniques such as encrypting the payload and using living-off-the-land binaries (LOLBins).
Living-off-the-land binaries are legitimate system binaries that attackers repurpose for malicious activity on a compromised system, which makes that activity harder to distinguish from normal administration. Dark Pink used the legitimate MSBuild.exe to run KamiKakaBot on victims' devices.
The main difference between the Dark Pink campaigns so far is that in the latest attacks the malware's obfuscation has improved to better evade antimalware measures, EclecticIQ said.
Additionally, the new version of KamiKakaBot uses an open-source .NET obfuscation engine to hide itself from antimalware products.