A dangerous new cybercrime group has been spotted targeting government agencies and military organizations in the Asia-Pacific region.
According to multiple cybersecurity firms who spotted the threat actor, it seems to be deploying unorthodox tactics to obtain sensitive information from target endpoints.
Two cybersecurity firms were initially tracking the attackers - Group-IB, and Anheng Hunting Labs. While the former dubbed the group Dark Pink, the latter calls it Saaiwc Group. Regardless of the name, the hackers are using spear-phishing attacks for initial deployment, and infected USB drives for spreading.
Abusing known flaws
The spear-phishing emails are usually fake job applications designed to lure victims into downloading weaponized ISO files. These files would abuse a known high-severity vulnerability tracked as CVE-2017-0199 (Office/WordPad remote code execution vulnerability) to deploy either Ctealer or Cucky (custom-built infostealers). These would later deploy a registry implant named TelePowerBot.
A separate method was observed deploying KamiKakaBot, designed to read and execute commands.
Both Cucky and Ctealer are designed to steal passwords, browsing history, saved credentials, and cookies from most of today's popular browsers (and then some). Furthemore, the group is able to access messenger applications, steal documents, and grab audio via microphones connected to infected devices.
“During infection, the threat actors execute several standard commands (e.g. net share, Get-SmbShare) to determine what network resources are connected to the infected device. If network disk usage is found, they will begin exploring this disk to find files that may be of interest to them and potentially exfiltrate them,” Group-IB explained.
In the second half of 2022, the group launched at least seven successful attacks, the researchers claim.
All seven organizations (for which the attacks had been confirmed) have been notified of the attack and were given tips on how to proceed. The researchers state that it’s highly likely that the group compromised an even bigger number of organizations, but confirmations are yet to come.
- Here's our list of the best internet security suites right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.