The newly emerged advanced persistent threat group Dark Pink, also known as Saaiwc,
has launched new attacks with an improved version of the KamiKakaBot malware against government and military organizations across Southeast Asia since last month, reports The Hacker News.
The attacks are "almost identical" to the intrusions Group-IB first documented in January, but use an updated KamiKakaBot build with stronger obfuscation, according to an EclecticIQ report.
Dark Pink gains its foothold through phishing emails carrying ISO image attachments. Each image holds a decoy Microsoft Word document, the KamiKakaBot loader, and an executable that is used to side-load the malicious DLL.
Once loaded via DLL side-loading, KamiKakaBot steals browser data and executes commands from its operators while staying hidden from antivirus detection. It achieves persistence by abusing the Winlogon Helper mechanism (registry values under the Winlogon key that make winlogon.exe run extra programs or DLLs at logon), and the stolen data are exfiltrated to a Telegram bot.
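The Winlogon Helper persistence mentioned above is cheap to audit on a live host. The following PowerShell script is an added example written for this article; it is not code from EclecticIQ, Group-IB, or the malware, and it makes no claim about the exact values KamiKakaBot writes. It assumes the stock Windows defaults for the Winlogon `Shell` and `Userinit` values (`explorer.exe` and `<SystemRoot>\system32\userinit.exe`), so an environment with a legitimate custom shell should extend the `$Baseline` table.

```powershell
# Added example: audit Winlogon Helper persistence points (MITRE ATT&CK T1547.004).
# Assumption: the baseline below reflects a default Windows install; extend it
# if your fleet legitimately customizes Shell or Userinit.

$Baseline = @{
    'Shell'    = @('explorer.exe')
    'Userinit' = @("$env:SystemRoot\system32\userinit.exe")
}

# Both hives matter: HKLM applies to every logon, HKCU overrides it for one user.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonPersistence {
    [CmdletBinding()]
    param([string[]]$Path = $WinlogonKeys)

    foreach ($key in $Path) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($name in 'Shell', 'Userinit') {
            $data = $props.$name
            if ([string]::IsNullOrWhiteSpace($data)) { continue }   # HKCU usually has neither

            # Both values are comma separated lists; attackers typically append an
            # extra entry rather than replace the legitimate one, so inspect each item.
            $entries = ($data -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($entry in $entries) {
                [pscustomobject]@{
                    Key        = $key
                    Value      = $name
                    Entry      = $entry
                    Suspicious = ($Baseline[$name] -notcontains $entry)   # case insensitive
                }
            }
        }

        # Winlogon\Notify subkeys each load a DLL into winlogon.exe at logon.
        # The key is absent on a stock modern install, so any entry deserves a look.
        $notify = Join-Path -Path $key -ChildPath 'Notify'
        if (Test-Path -Path $notify) {
            Get-ChildItem -Path $notify | ForEach-Object {
                $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
                [pscustomobject]@{
                    Key        = $_.PSPath
                    Value      = 'DllName'
                    Entry      = $dll
                    Suspicious = $true
                }
            }
        }
    }
}

Test-WinlogonPersistence | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so HKLM is readable in full; in a fleet, pipe the output to `Where-Object Suspicious` and ship the hits to your SIEM alongside a hash of the referenced file, since a later stage of this kind of intrusion often swaps the binary while leaving the registry entry unchanged.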
"The use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains the number one choice for different threat actors, ranging from regular cyber criminals to advanced persistent threat actors," said EclecticIQ.