In the course of its investigation, Group-IB noted that Dark Pink appears to be an entirely new APT group. The group got its name from the names of some of the email accounts to which stolen data was sent; Chinese researchers, however, track it under a different name, Saaiwc Group.
Group-IB analysts attributed seven cyber attacks to Dark Pink, and after discovering a GitHub account belonging to the group they concluded that the attackers have been active since around mid-2021.
Most of the attacks targeted the Asia-Pacific region. Confirmed victims include two military bodies in the Philippines and Malaysia, government institutions in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam.
In its attacks Dark Pink uses a number of new tactics and a set of powerful custom tools: TelePowerBot, KamiKakaBot, Cucky and Ctealer. These modules are used to steal sensitive information stored on the networks of government and military organizations.
The group gained initial access to target networks through phishing emails carrying a malicious ISO image. In one of the emails discovered, the attackers posed as a job applicant applying for a public relations internship.
The group relies on only two main infection methods:
DLL side-loading;
modifying the registry value that defines which program is associated with opening a given file type. As a result, when the user tries to open the desired document, a malicious program embedded in a pre-created copy of that document is launched instead.
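The second method above is a file-association hijack in the Windows registry. The report excerpt does not name the exact key Dark Pink modifies, so the following is an added example (not Group-IB's tooling and not code from the page) of how a responder can audit the standard `shell\open\command` handlers on a suspect host. It assumes the override lands in the usual per-user or machine-wide `Software\Classes` hives; the list of trusted install roots and the interpreter pattern are assumptions for illustration and should be tuned to the environment.

```powershell
# Added example: audit file-association "open" handlers for signs of hijacking.
# Assumption: the handler override lives under HKCU\Software\Classes or
# HKLM\Software\Classes (the page does not name the exact key Dark Pink uses).

$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
# LOLBins and script hosts that rarely belong in a document handler (assumed list).
$suspiciousInterpreters = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'

function Get-OpenCommands {
    param([string]$Root)
    # Each ProgId (e.g. Word.Document.12) may carry shell\open\command whose
    # default value is the command line Explorer runs when a file is opened.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = $_.PSPath + '\shell\open\command'
        if (Test-Path -Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                [pscustomobject]@{ Hive = $Root; ProgId = $_.PSChildName; Command = $cmd }
            }
        }
    }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    # Flag a handler that (a) invokes a script interpreter or LOLBin, or
    # (b) points at a binary outside the trusted install roots.
    if ($Command -match $suspiciousInterpreters) { return $true }
    $exe = $Command -replace '^\s*"?([^"]+?\.(exe|dll|bat|vbs|ps1))"?.*$', '$1'
    foreach ($root in $trustedRoots) {
        if ($root -and $exe.StartsWith($root, 'OrdinalIgnoreCase')) { return $false }
    }
    return $true
}

function Get-UserOverrides {
    # A per-user shell\open\command shadows the machine-wide one, which is the
    # shape a file-association hijack takes; list every ProgId where they differ.
    $machine = @{}
    Get-OpenCommands -Root 'Registry::HKEY_LOCAL_MACHINE\Software\Classes' |
        ForEach-Object { $machine[$_.ProgId] = $_.Command }
    Get-OpenCommands -Root 'Registry::HKEY_CURRENT_USER\Software\Classes' |
        Where-Object { $machine[$_.ProgId] -ne $_.Command }
}

Write-Host '== Per-user handlers that differ from the machine-wide handler =='
Get-UserOverrides | Format-Table -AutoSize

Write-Host '== Handlers pointing at interpreters or untrusted paths =='
foreach ($hive in @('Registry::HKEY_CURRENT_USER\Software\Classes',
                    'Registry::HKEY_CLASSES_ROOT')) {
    Get-OpenCommands -Root $hive | Where-Object { Test-SuspiciousCommand $_.Command }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the suspect host; a per-user override of a document ProgId whose command line launches a binary from a user-writable directory is the pattern worth pulling the referenced file for. Verifying that the DLLs loaded by that binary come from its own install directory is the complementary check for the first method, DLL side-loading.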
According to the experts, Dark Pink not only steals information but also infects USB devices connected to compromised computers, gains access to instant messengers, and records audio from the microphones of hacked devices.