Friday, March 31, 2023

New Dark Pink Group Attacks South Asian Government Institutions With KamiKakaBot Malware



Since their last campaign, hackers have perfected methods of evading detection.

Security researchers at the information security company EclecticIQ reported that government-backed hackers are attacking military and government organizations in South Asia with malware called KamiKakaBot, which is designed to steal sensitive information.

Experts attributed the attacks to the APT group Dark Pink. The results of the EclecticIQ study suggest that Dark Pink may be connected to China, but the evidence is insufficient. Most of the group's attacks were directed at the Asia-Pacific region; confirmed victims include two military departments in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, and a religious organization in Vietnam.

During their latest campaign in February, the hackers sent out phishing emails to their victims posing as European officials. In one of the letters, the attackers posed as a German official and called on the Indonesian government to expand cooperation between their countries in response to increased geopolitical tensions.

The February campaign by Dark Pink was almost identical to the earlier attacks that Group-IB reported in January. In both, the group delivered the malware to the target computer inside ISO images (disk-image files that package copies of the payload files). The hackers then launched the malware through DLL sideloading, in which a legitimate, trusted program is made to load a malicious DLL in place of one it expects, so that the legitimate software ends up executing the malicious code.

The main difference between the two campaigns, according to EclecticIQ, is that the hackers have improved their detection-evasion methods, using legitimate tools to bypass defenses.

KamiKakaBot infection chain

KamiKakaBot malware

KamiKakaBot is designed to steal sensitive information from the popular Chrome, Edge and Firefox web browsers: saved passwords, browsing history and cookies. The malware also gives the hackers control over the device and allows remote code execution on the infected computer.

KamiKakaBot sends the stolen browser data to the attackers' Telegram channel as a ZIP archive; each ZIP file is named after the infected device, which lets the attackers sort their victims.
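As an added example (not code from the article or from EclecticIQ), the two behaviours described above, a legitimate program loading an unsigned DLL from its own directory on a mounted image and a process outside the standard software directories contacting the Telegram Bot API host, can be written as simple detection rules and run over constructed Sysmon-style events. The sample paths and process names, the trusted-directory list and the flattened event format are all assumptions for the example.

```python
from pathlib import PureWindowsPath

# Directories from which legitimate Windows software is normally run. A DLL loaded
# from anywhere else, next to the executable loading it, is a sideloading candidate.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed sample telemetry (not from the article), one flattened Sysmon-style
# event per line. "E:\" stands in for a mounted ISO image; names are hypothetical.
SAMPLE_EVENTS = [
    r"ImageLoad|Image=E:\Letter\reader.exe|ImageLoaded=E:\Letter\helper.dll|Signed=false",
    r"ImageLoad|Image=C:\Program Files\Mozilla Firefox\firefox.exe|ImageLoaded=C:\Program Files\Mozilla Firefox\xul.dll|Signed=true",
    r"NetworkConnect|Image=E:\Letter\reader.exe|DestinationHostname=api.telegram.org|DestinationPort=443",
    r"NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationHostname=api.telegram.org|DestinationPort=443",
]

def parse_event(line):
    """Split 'Type|k=v|k=v' into a dict; the event type goes under 'Type'."""
    event_type, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["Type"] = event_type
    return fields

def under_trusted_root(path):
    """True if the path lies below one of TRUSTED_ROOTS (case-insensitive on Windows paths)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(root) for root in TRUSTED_ROOTS)

def sideload_candidate(ev):
    """Unsigned DLL loaded from the loader's own directory, outside trusted roots."""
    if ev["Type"] != "ImageLoad" or ev.get("Signed") == "true":
        return False
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    return exe.parent == dll.parent and not under_trusted_root(exe)

def telegram_exfil_candidate(ev):
    """Process outside trusted roots talking to the Telegram Bot API host."""
    return (ev["Type"] == "NetworkConnect"
            and ev.get("DestinationHostname", "").lower() == "api.telegram.org"
            and not under_trusted_root(ev["Image"]))

RULES = {"dll_sideload": sideload_candidate, "telegram_c2": telegram_exfil_candidate}

def triage(lines):
    """Return (rule name, process image) pairs for every event that matches a rule."""
    events = [parse_event(line) for line in lines]
    return [(name, ev["Image"]) for ev in events for name, rule in RULES.items() if rule(ev)]
```

Running `triage(SAMPLE_EVENTS)` flags only the hypothetical `reader.exe` on the mounted image, once for each rule; the signed Firefox load and Firefox's own Telegram connection pass. Both rules are coarse and meant as a starting point for tuning against your own image-load and network telemetry.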

EclecticIQ experts believe that Dark Pink will continue to refine its TTPs to avoid detection by security experts, given the group's "creative" methods of gaining and maintaining access to its victims' devices.
