Recently, the Dark Pink APT group has been linked to a new string of attacks in Southeast Asia using a malware called KamiKakaBot. Dark Pink, also known as Saaiwc, was first profiled by Group-IB earlier this year. The group is known for using custom tools, like TelePowerBot and KamiKakaBot, to run arbitrary commands and exfiltrate sensitive information. It's believed that the group is of Asia-Pacific origin and has been active since at least mid-2021, with an increased tempo observed in 2022.
The latest attacks, which took place in February 2023, were almost identical to previous attacks, according to a new report published last week by Dutch cybersecurity company EclecticIQ. The main difference in the February campaign is that the malware's obfuscation routine has improved to better evade anti-malware measures.
The attacks play out in the form of social engineering lures that contain ISO image file attachments in email messages to deliver the malware. The ISO image includes an executable (Winword.exe), a loader (MSVCR100.dll), and a decoy Microsoft Word document, the latter of which comes embedded with the KamiKakaBot payload. The loader, for its part, is designed to load the KamiKakaBot malware by leveraging the DLL side-loading method to evade security protections and load it into the memory of the Winword.exe binary.