A dangerous new cybercriminal group targeting government agencies and military organizations in the Asia-Pacific region has been detected.
According to the cybersecurity firms tracking it, the group uses unconventional tactics to obtain sensitive information from targeted endpoints.
Two cybersecurity firms, Group-IB and Anheng Hunting Labs, initially tracked the attackers. The former named the group Dark Pink, while the latter calls it Saaiwc Group. Whatever the name, the attackers use spear-phishing emails for initial access and infected USB drives to spread within a victim's environment.
Abuse of known flaws
The spear-phishing emails usually pose as job applications and lure victims into downloading weaponized ISO files. The document carried inside the ISO exploits CVE-2017-0199, a known high-severity Microsoft Office/WordPad remote code execution vulnerability, to deploy Ctealer or Cucky, two custom information stealers. A registry-resident implant called TelePowerBot is then deployed.
A separate infection chain that deploys KamiKakaBot, a tool that reads and executes commands, has also been observed.
Both Cucky and Ctealer steal passwords, browsing history, saved credentials, and cookies from a wide range of popular browsers. In addition, the group can access messaging applications, steal documents, and capture audio through microphones attached to infected devices.
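As an added example (not code from Group-IB, Anheng Hunting Labs or the article), the check below is what a triage script would run on the document pulled out of such an ISO. CVE-2017-0199 lures rely on an OLE object relationship whose target is a remote resource (an HTA or RTF served by the attacker), so the scanner walks every `*.rels` part of an Office Open XML file and flags relationships with `TargetMode="External"` of types Office resolves on open. The `.docx` is constructed in memory purely for demonstration; the target URL and the `SUSPICIOUS_REL_TYPES` set are assumptions made here, not details from the report.

```python
"""Flag Office Open XML documents whose relationships point at external
resources, the delivery pattern behind CVE-2017-0199-style OLE2Link lures
(and, more broadly, remote template injection).

Added example for this article, not code from Group-IB, Anheng Hunting Labs
or the article. The .docx below is constructed in memory for demonstration;
real triage would first extract the document from the ISO container."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Office resolves on open without a click (assumed set).
# External hyperlinks are normal in documents and deliberately excluded.
SUSPICIOUS_REL_TYPES = {"oleObject", "attachedTemplate"}


def find_external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every External-mode
    relationship of a suspicious type, across all *.rels parts."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in SUSPICIOUS_REL_TYPES:
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def build_sample_docx(external_target=None):
    """Construct a minimal .docx. With external_target set, add an oleObject
    relationship to it, mimicking how CVE-2017-0199 lures reference a remote
    HTA/RTF payload. Constructed sample only; no payload is involved."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{RELS_NS}">',
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>',
    ]
    if external_target:
        rels.append(
            f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
            f'Target={quoteattr(external_target)} TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        zf.writestr("word/styles.xml", f'<w:styles xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a reserved name; the URL is a placeholder, not an IOC.
    sample = build_sample_docx("http://example.invalid/resume.hta")
    for part, rel_type, target in find_external_relationships(sample):
        print(f"[!] {part}: external {rel_type} -> {target}")
```

A clean document yields no hits; the constructed lure is reported as an external `oleObject` relationship in `word/_rels/document.xml.rels`. RTF-based variants of the same exploit do not use the OOXML package structure and need a separate check for `\objdata`/`\objclass` streams, which this example does not cover.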
“During infection, cybercriminals execute a few standard commands (e.g. net share, Get-SmbShare) to determine what network resources are connected to the infected device. If network drive usage is detected, they will start exploring that drive to find files of interest and potentially exfiltrate them,” Group-IB explained.
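The share-enumeration commands Group-IB describes are easy to hunt for in process-creation telemetry, so here is an added detection example (not code from Group-IB or the article) run over constructed log lines. It matches `net share`, `net view`, `Get-SmbShare` and `Get-SmbMapping` in command lines (the latter two extend the page's list of commands to related share discovery), and only raises an alert when a single host runs at least two distinct techniques within a ten-minute window, which keeps a lone administrator `net share` from paging anyone. The CSV layout, host names and thresholds are assumptions made for the example.

```python
"""Hunt for SMB share discovery (net share, net view, Get-SmbShare,
Get-SmbMapping) in process-creation events and alert when one host runs
several distinct techniques in a short window.

Added example, not code from Group-IB or the article. The log lines below
are constructed (Sysmon Event ID 1 style, flattened to CSV); the field
names, hosts, users and thresholds are assumptions."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. WS-017 shows the clustered discovery burst
# the article describes; WS-022 is a single admin command; WS-031 is noise.
SAMPLE_EVENTS = """time,host,user,parent_image,image,command_line
2022-09-14T08:02:11,WS-017,CORP\\jdoe,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c net share
2022-09-14T08:02:40,WS-017,CORP\\jdoe,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -nop -w hidden Get-SmbShare
2022-09-14T08:03:05,WS-017,CORP\\jdoe,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\net.exe,net view \\\\FS01
2022-09-14T09:15:00,WS-022,CORP\\admin,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c net share
2022-09-14T11:40:13,WS-031,CORP\\mlee,C:\\Windows\\explorer.exe,C:\\Program Files\\Mozilla Firefox\\firefox.exe,firefox.exe
"""

# net.exe hands off to net1.exe, so accept both binaries and the bare verb.
DISCOVERY_PATTERNS = {
    "net_share": re.compile(r"\bnet1?(?:\.exe)?\s+share\b", re.I),
    "net_view": re.compile(r"\bnet1?(?:\.exe)?\s+view\b", re.I),
    "get_smbshare": re.compile(r"\bGet-SmbShare\b", re.I),
    "get_smbmapping": re.compile(r"\bGet-SmbMapping\b", re.I),
}


def classify(command_line):
    """Return the names of every discovery technique a command line matches."""
    return [name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(command_line)]


def parse_events(csv_text):
    """Parse the flattened CSV into dicts with a datetime 'time' field."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def find_share_discovery(csv_text, window=timedelta(minutes=10), min_distinct=2):
    """Return {host: [(time, technique, command_line), ...]} for hosts that
    ran at least `min_distinct` different share-discovery techniques inside
    `window`. Hosts with a single isolated command are not reported."""
    by_host = defaultdict(list)
    for ev in parse_events(csv_text):
        for technique in classify(ev["command_line"]):
            by_host[ev["host"]].append((ev["time"], technique, ev["command_line"]))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological; tuple order starts with time
        for i, (t0, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - t0 <= window]
            if len({h[1] for h in cluster}) >= min_distinct:
                alerts[host] = cluster
                break
    return alerts


if __name__ == "__main__":
    for host, cluster in find_share_discovery(SAMPLE_EVENTS).items():
        print(f"[ALERT] {host}: {len(cluster)} share-discovery commands")
        for when, technique, cmd in cluster:
            print(f"    {when.isoformat()}  {technique:14}  {cmd}")
```

Only WS-017 is reported. Tuning is the interesting part: in an environment where helpdesk staff legitimately run `net view`, raise `min_distinct` or exclude known admin accounts rather than dropping the pattern, since the burst-of-different-commands shape is what distinguishes hands-on-keyboard reconnaissance from a scripted inventory job.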
Researchers say the group carried out at least seven successful attacks in the second half of 2022.
All seven organizations with confirmed attacks were notified and received guidance on how to proceed. Researchers say it is highly likely the group has compromised more organizations, but those intrusions have yet to be confirmed.
Via: BleepingComputer