Dangerous new cybercrime gang attacks government and military targets


A dangerous new cybercrime group has been identified targeting government agencies and military organizations in the Asia-Pacific region.

According to multiple cybersecurity firms that have spotted the threat actor, it uses unorthodox tactics to obtain sensitive information from target endpoints.

Two cybersecurity companies first tracked the attackers: Group-IB and Anheng Hunting Labs. The former calls the group Dark Pink, the latter Saaiwc Group. Whatever the name, the hackers use spear-phishing for initial access and infected USB drives for propagation.

Abuse of Known Flaws

The spear-phishing emails are usually bogus job applications designed to trick victims into downloading weaponized ISO files. These files exploit a known high-severity vulnerability tracked as CVE-2017-0199 (Office/WordPad Remote Code Execution Vulnerability) to deploy Ctealer or Cucky, two custom infostealers, which in turn deploy a registry implant called TelePowerBot.

A distinct method was observed deploying KamiKakaBot, designed to read and execute commands.

Both Cucky and Ctealer are designed to steal passwords, browsing history, saved credentials, and cookies from most of today’s popular browsers, among other sources. In addition, the group can access messenger applications, steal documents and record audio through microphones connected to infected devices.

“During infection, the threat actors execute several standard commands (e.g. net share, Get-SmbShare) to determine which network resources are connected to the infected device. If network disk usage is found, they will start exploring this disk to find files that may be of interest to them and possibly exfiltrate them,” Group-IB explained.
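The discovery step quoted above is one of the more tractable parts of this chain to alert on. The detector below is an added example, not code from Group-IB or Anheng: it scans constructed process-creation events (a pipe-separated timestamp|host|parent|image|command line format assumed for this illustration) for the net share / Get-SmbShare commands named in the quote, and collapses the net.exe to net1.exe hand-off so that one typed command yields one finding.

```python
import re
from collections import namedtuple

# Constructed process-creation events for illustration (not real telemetry):
# timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2022-11-03T09:14:22Z|WS-042|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net share
2022-11-03T09:14:23Z|WS-042|C:\Windows\System32\net.exe|C:\Windows\System32\net1.exe|C:\Windows\system32\net1 share
2022-11-03T09:15:01Z|WS-042|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-SmbShare"
2022-11-03T09:20:10Z|WS-042|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2022-11-03T09:21:00Z|WS-077|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user
"""

Event = namedtuple("Event", "ts host parent image cmdline")

# net share / net1 share (net.exe delegates to net1.exe) or the PowerShell
# cmdlet Get-SmbShare, in any case; "net user" and friends do not match.
SHARE_ENUM = re.compile(r"(?i)\bnet1?(\.exe)?\s+share\b|\bGet-SmbShare\b")


def parse_events(text):
    """Parse the pipe-separated sample format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(ts, host, parent, image, cmdline))
    return events


def detect_share_enumeration(events):
    """Return one finding per command line that enumerates SMB shares."""
    findings = []
    for ev in events:
        if not SHARE_ENUM.search(ev.cmdline):
            continue
        # net.exe hands the work to net1.exe, so the pair would double-count
        # a single command; drop the net1 event when net.exe is its parent.
        if ev.image.lower().endswith("net1.exe") and ev.parent.lower().endswith("net.exe"):
            continue
        findings.append({"ts": ev.ts, "host": ev.host,
                         "parent": ev.parent.rsplit("\\", 1)[-1].lower(),
                         "cmdline": ev.cmdline})
    return findings


def hosts_with_enumeration(findings):
    """Hosts where share enumeration was observed, for triage ordering."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = detect_share_enumeration(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['ts']} {f['host']} parent={f['parent']} :: {f['cmdline']}")
    print("hosts to triage:", hosts_with_enumeration(found))
```

Administrators run these commands too, so the parent process recorded in each finding (an Office application or script host shortly after a document was opened is far more suspicious than an interactive admin shell) is what decides whether to escalate.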

In the second half of 2022, the group launched at least seven successful attacks, the researchers say.

All seven organizations whose compromise was confirmed have been notified of the attack and given guidance on how to proceed. The researchers state that the group has very likely compromised an even greater number of organizations, but those cases are yet to be confirmed.

Via: BleepingComputer
