A Chinese state-sponsored hacking gang dubbed Dark Pink is on a crime spree targeting government, military and education organisations. Security researchers have been tracking the group’s activity, and say it has claimed five new victims in 2023 and shows “no signs of slowing down”.
The most recent targets of the Advanced Persistent Threat (APT) group include an educational institution in Belgium and a government agency in Indonesia.
Chinese hackers are in the (Dark) Pink
A report released today by security company Group-IB has revealed that Dark Pink has attacked five organisations so far this year, bringing the total to 13 since it was first uncovered in mid-2021.
Recent attacks show that the gang has revamped its attack chain, the report says, persistently updating its tools to slip past defence mechanisms.
Last year, the gang appears to have attacked seven organisations in Asia and one in Europe. This year, Dark Pink has widened its targeting to include Brunei, Thailand and Belgium, and hit a government agency in Indonesia last month.
“The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails,” said Group-IB malware analyst Andrey Polovinkin. “Once the attackers gain access to a target’s network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system.”
“As we continued to track the group’s activity, we identified new tools, exfiltration mechanisms and victims in new industries, in countries that Dark Pink has never targeted before.”
How Dark Pink targets its victims
The gang’s primary attack vector continues to be spear-phishing emails, in which the attackers send a tailored malicious message to a specific individual whose credentials are valuable to the attack. The group has updated its tactics, techniques and procedures this year, the Group-IB report explains.
It has deployed a new version of the KamiKakaBot malware, splitting its functions into two parts: one that steals data and one that controls the infected device.
The gang hosts modules in a GitHub repository, and its malicious code fetches them from there and installs them onto victims’ machines. According to the report, data is also being transmitted via the textbin.net service.
Stolen data is then exfiltrated using a service called Webhook.site. “Webhook.site is a powerful and versatile service that allows users to easily inspect, test, and debug HTTP requests and webhooks,” explained Polovinkin. “With webhook.site, it is possible to set up temporary endpoints in order to capture and view incoming HTTP requests.”
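The report's point for defenders is that staging (GitHub) and exfiltration (textbin.net, webhook.site) both ride on legitimate public services, so the signal is not the domain alone but outbound POST volume to it. As an added example that is not from the article or the Group-IB report, the following check runs over constructed proxy-log lines and escalates hosts uploading data to the two exfiltration services; the log format, IP addresses, paths and byte counts are all assumed:

```python
import re
from collections import defaultdict

# Public services the report says Dark Pink abuses. Watchlist, not proof of
# compromise: every one of these has ordinary, benign uses on most networks.
WATCHLIST = {
    "webhook.site": "exfil (HTTP request capture)",
    "textbin.net": "exfil (paste service)",
    "raw.githubusercontent.com": "module staging (GitHub)",
}

# Constructed proxy-log format (assumption): ts src_ip method host path bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def hostname_matches(host, watch):
    host = host.lower()  # exact match or any subdomain of the watched name
    return host == watch or host.endswith("." + watch)

def find_suspicious(lines, post_bytes_threshold=1024):
    """One finding per (source IP, service): hits, bytes uploaded, reason, escalate."""
    findings = defaultdict(lambda: {"hits": 0, "bytes_out": 0, "reason": ""})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        for watch, reason in WATCHLIST.items():
            if hostname_matches(rec["host"], watch):
                f = findings[(rec["src"], watch)]
                f["hits"] += 1
                f["reason"] = reason
                if rec["method"] == "POST":
                    f["bytes_out"] += int(rec["bytes"])
    # Escalate only uploads to an exfiltration service above the size threshold.
    for f in findings.values():
        f["escalate"] = f["reason"].startswith("exfil") and f["bytes_out"] >= post_bytes_threshold
    return dict(findings)

SAMPLE_LOG = """\
2023-05-31T09:12:01Z 10.0.4.17 GET raw.githubusercontent.com /example/repo/main/mod.bin 0
2023-05-31T09:12:09Z 10.0.4.17 POST webhook.site /0f0e0d0c-example 52480
2023-05-31T09:13:44Z 10.0.4.21 GET www.example.org /index.html 0
2023-05-31T09:14:02Z 10.0.4.17 POST textbin.net /api/create 3072
"""
```

Calling `find_suspicious(SAMPLE_LOG.splitlines())` returns one finding per source and service; the GitHub fetch is recorded but not escalated, while both POSTs from 10.0.4.17 are.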
The gang’s recent activities show that it has no intention of slowing down, Polovinkin added. “APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception,” he said. “The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyse all Dark Pink activity and ensure that confirmed and potential victims are informed.”