The recently identified Dark Pink advanced persistent threat (APT) group is likely behind a fresh set of KamiKakaBot malware attacks on ASEAN governments and military entities, according to Netherlands-based cybersecurity company EclecticIQ.
The attacks, which took place in February, were “almost identical” to those reported by Russia-based cybersecurity firm Group-IB on January 11, EclecticIQ said. Several overlapping techniques used in the campaigns helped EclecticIQ analysts attribute the latest attacks as likely to be the work of the Dark Pink APT group.
Dark Pink is the name given by Group-IB to the group believed to be behind the KamiKakaBot attacks that have struck the APAC region.
APT attacks are often state-sponsored espionage campaigns and are focused on conducting long-term, targeted attacks against specific organizations or countries, for little or no financial gain.
EclecticIQ attributed the latest wave of APT attacks on ASEAN countries to Dark Pink because of the use of KamiKakaBot malware, which is used exclusively by Dark Pink, and because the attacks used the same command and control structure and similar payload delivery and execution methods seen in earlier attacks.
KamiKakaBot is a type of remote access trojan (RAT) that mainly targets Windows-based systems. It is delivered via phishing emails that contain a malicious ISO file (an archived copy of a CD/DVD or other optical disk) as an attachment, according to EclecticIQ.
Phishing delivers payload through DLL sideloading
The ISO file contains a legitimate WinWord.exe signed by Microsoft, which is then used to stage a dynamic link library (DLL) sideloading attack. When users click on the WinWord.exe file, the KamiKakaBot loader (MSVCR100.dll) located in the same folder is automatically loaded and executed in the memory of the WinWord.exe process.
Additionally, the malicious ISO file includes a disguised Word document with a section that is encrypted using exclusive-or (XOR) encryption. The KamiKakaBot loader decrypts this section and extracts an XML payload from the disguised file. The decrypted payload is then written to disk at C:\Windows\temp and executed using MsBuild.exe, a legitimate binary commonly used by attackers for “living-off-the-land” attacks.
Before executing the XML payload, the KamiKakaBot loader writes a registry key into the Winlogon (Windows component) shell path to abuse its helper feature for persistent access. The Winlogon helper is used to manage additional helper programs and functionalities that support Winlogon.
Malware persistence highlights better obfuscation routines
The KamiKakaBot malware is capable of stealing sensitive information from web browsers such as Chrome, MS Edge, and Firefox. The stolen data is then sent to the attackers’ Telegram bot channel as a compressed zip file. Once the device is initially infected, the attacker can update the malware or execute remote code on the device, giving them the access needed to carry out additional post-exploitation activities.
The latest KamiKakaBot loader is designed to install the KamiKakaBot malware without detection. It achieves this through techniques such as encrypting the payload and using living-off-the-land binaries (LOLBINs).
Living-off-the-land binaries are legitimate system binaries that attackers use to carry out malicious activities on a compromised system, making their actions harder to detect. Dark Pink used a legitimate MsBuild.exe to run the KamiKakaBot malware on victims’ devices.
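To show what the delivery chain and the LOLBIN execution described above look like from the detection side, here is an added Python example; it is not code from the article, from EclecticIQ or from Group-IB. It runs a handful of rules over constructed Sysmon-style event records (process creation, image load, registry set, network connection) that mimic the stages the article names: WinWord.exe launched from outside its Office install directory, an unsigned MSVCR100.dll loaded from the same folder as that WinWord.exe, MsBuild.exe spawned by WinWord.exe with a project file under C:\Windows\temp, a Winlogon Shell value changed from its default, and a non-browser process connecting to the Telegram API. The event schema, the drive letter of the mounted ISO, the file names under C:\Windows\temp and the registry value format are assumptions made for illustration, not indicators taken from the report.

```python
"""Detection sketch for the KamiKakaBot delivery chain (added example)."""
import ntpath

# Constructed Sysmon-style telemetry, not real logs. Events 0-4 mirror the
# stages in the article; events 5-9 are benign look-alikes that must not fire.
EVENTS = [
    {"type": "process", "image": r"D:\WinWord.exe",            # mounted ISO
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"D:\WinWord.exe"},
    {"type": "image_load", "image": r"D:\WinWord.exe",
     "loaded": r"D:\MSVCR100.dll", "signed": False},
    {"type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"D:\WinWord.exe",
     "cmdline": r"MSBuild.exe C:\Windows\temp\payload.xml"},   # assumed name
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"explorer.exe, C:\Windows\temp\helper.exe"},     # assumed value
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # benign counterparts
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\WinWord.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WinWord.exe"},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WinWord.exe",
     "loaded": r"C:\Windows\System32\msvcr100.dll", "signed": True},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app.csproj"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

OFFICE_DIRS = (r"c:\program files\microsoft office",
               r"c:\program files (x86)\microsoft office")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def rule_office_outside_install_dir(ev):
    # A signed Office binary is still suspicious when it runs from an ISO mount
    # or a user-writable folder instead of its install directory.
    return (ev["type"] == "process" and basename(ev["image"]) == "winword.exe"
            and not dirname(ev["image"]).startswith(OFFICE_DIRS))


def rule_unsigned_dll_sideload(ev):
    # Unsigned DLL loaded from the same folder as a host EXE that is itself
    # outside its install directory: the classic sideloading shape.
    return (ev["type"] == "image_load" and not ev["signed"]
            and dirname(ev["loaded"]) == dirname(ev["image"])
            and not dirname(ev["image"]).startswith(OFFICE_DIRS))


def rule_msbuild_lolbin(ev):
    # MsBuild.exe spawned by an Office process, or fed a project file from
    # C:\Windows\temp, is not a developer build.
    if ev["type"] != "process" or basename(ev["image"]) != "msbuild.exe":
        return False
    return (basename(ev["parent_image"]) == "winword.exe"
            or "\\windows\\temp\\" in ev["cmdline"].lower())


def rule_winlogon_shell_modified(ev):
    # Winlogon\Shell should be exactly explorer.exe on a workstation.
    return (ev["type"] == "registry"
            and ev["key"].lower().endswith("\\winlogon\\shell")
            and ev["value"].strip().lower() != "explorer.exe")


def rule_telegram_non_browser(ev):
    # Telegram bot API reached by something other than a browser.
    return (ev["type"] == "network" and ev["dest_host"].lower() == "api.telegram.org"
            and basename(ev["image"]) not in BROWSERS)


RULES = {
    "office_outside_install_dir": rule_office_outside_install_dir,
    "unsigned_dll_sideload": rule_unsigned_dll_sideload,
    "msbuild_lolbin": rule_msbuild_lolbin,
    "winlogon_shell_modified": rule_winlogon_shell_modified,
    "telegram_non_browser": rule_telegram_non_browser,
}


def detect(events):
    """Return one alert dict per (rule, event) match, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "event": idx})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert['rule']:28s} event #{alert['event']}")
```

Each rule keys on a property of the stage that the attacker cannot easily change without breaking the technique (a sideloaded DLL has to sit beside its host, MsBuild has to be handed the project file, the Shell value has to differ from explorer.exe), which is why they survive the payload-level obfuscation the next section describes. In production the same logic would be expressed as SIEM or EDR queries rather than Python, and the Office and browser allowlists would be drawn from the organization's own software inventory.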
The main difference in the Dark Pink campaigns so far is that in the latest attacks the malware’s obfuscation technique has improved to better evade antimalware measures, EclecticIQ said.
Additionally, the new version of KamiKakaBot uses an open-source .NET obfuscation engine to hide itself from antimalware products.
Copyright © 2023 IDG Communications, Inc.