A dangerous new cybercrime group has been spotted targeting government agencies and military organizations in the Asia-Pacific region.
According to multiple cybersecurity firms who spotted the threat actor, it appears to be deploying unorthodox tactics to obtain sensitive information from target endpoints. (opens in new tab).
Two cybersecurity firms were initially tracking the attackers – Group-IB, and Anheng Hunting Labs. While the former dubbed the group Dark Pink, the latter calls it Saaiwc Group. Regardless of the name, the hackers are using spear-phishing attacks for initial deployment, and infected USB drives for spreading.
Abusing known flaws
The spear-phishing emails are usually fake job applications designed to lure victims into downloading weaponized ISO files. These files would abuse a known high-severity vulnerability tracked as CVE-2017-0199 (Office/WordPad remote code execution vulnerability) to deploy either Ctealer or Cucky (custom-built infostealers). These would later install a registry implant named TelePowerBot.
A separate method was observed deploying KamiKakaBot, designed to read and execute commands.
Both Cucky and Ctealer are designed to steal passwords, browsing history, saved credentials, and cookies from most of today’s popular browsers (and then some). Furthemore, the group is able to access messenger applications, steal documents, and grab audio via microphones connected to infected devices.
“During infection, the threat actors execute several standard commands (eg net share, Get-SmbShare) to determine what network resources are connected to the infected device. If network disk usage is found, they will begin exploring this disk to find files that may be of interest to them and potentially exfiltrate them,” Group-IB explained.
In the second half of 2022, the group launched at least seven successful attacks, the researchers claim.
All seven organizations (for which the attacks had been confirmed) have been notified of the attack and were given tips on how to proceed. The researchers state that it’s highly likely that the group compromised an even larger number of organizations, but confirmations are yet to come.
Via: BleepingComputer (opens in new tab)