{
  "Event": {
    "analysis": "1",
    "date": "2023-01-11",
    "extends_uuid": "",
    "info": "[Threat Intel] Dark Pink - New APT hitting Asia-Pacific, Europe that goes deeper and darker",
    "protected": false,
    "publish_timestamp": "1780039415",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772901939",
    "uuid": "87a3c7a8-d755-47c7-9084-a7d58341be99",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#a9150c",
        "local": false,
        "name": "misp-galaxy:producer=\"Group-IB\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#4985d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#ad5a96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#b361b2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Developer Utilities Proxy Execution - T1127\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#e0f4bc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Event Triggered Execution - T1546\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#7c8061",
        "local": false,
        "name": "misp-galaxy:target-information=\"Bosnia and Herzegovina\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#d53577",
        "local": false,
        "name": "misp-galaxy:target-information=\"Cambodia\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"DarkPink\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Military\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Non-profit organisation\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-tool=\"PowerSploit - S0194\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-tool=\"PowerSploit - S0194\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"b0c71d51-34fd-47b5-9eb4-dd406ffc607f\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736666395",
        "to_ids": false,
        "type": "link",
        "uuid": "eab57d51-8897-4d37-ae11-70ff87c1f79f",
        "value": "https://blog.group-ib.com/dark-pink-apt"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736666395",
        "to_ids": false,
        "type": "text",
        "uuid": "1caca65b-3f39-4ab1-9bc3-7de8a739b661",
        "value": "A new group of advanced persistent threat actors (APT) is targeting government and military institutions across Asia and Europe in the next five years, according to cybersecurity researchers Group-IB, who have uncovered seven attacks."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736666395",
        "to_ids": false,
        "type": "text",
        "uuid": "483b852f-77cb-4812-ad45-a2bd4132e025",
        "value": "Name: Dark Pink - New APT hitting Asia-Pacific, Europe that goes deeper and darker\nAuthor: AlienVault\nAdversary: Dark Pink\nTags: [\"dark pink\", \"cucky\", \"telepowerbot\", \"browser stealer\", \"KamiKakaBot\", \"Ctealer\", \"telegram\"]\nTgtd countries: [\"Viet Nam\", \"Bosnia and Herzegovina\", \"Indonesia\", \"Cambodia\", \"Malaysia\", \"Philippines\"]\nMlwr families: [\"Cucky\", \"Dark Pink\"]\nAttack_ids: [\"T1547\", \"T1566\", \"T1123\", \"T1574\", \"T1113\", \"T1555\", \"T1082\", \"T1059\", \"T1127\", \"T1027\", \"T1176\", \"T1140\", \"T1546\", \"T1102\"]\nIndustries: [\"Government\", \"Military\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736666395",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "f319641e-3fb1-43be-8592-03a251ad5afe",
        "value": "Dark Pink",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "emails used during data exfiltration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262528",
        "to_ids": true,
        "type": "email-src",
        "uuid": "95083397-c742-4f70-8f9e-2a25b6e0568a",
        "value": "blackpink.301@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "emails used during data exfiltration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262529",
        "to_ids": true,
        "type": "email-src",
        "uuid": "faf74a23-e546-4294-8186-09a236068367",
        "value": "alibaba.113@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "emails used during data exfiltration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262531",
        "to_ids": true,
        "type": "email-src",
        "uuid": "b99b8d78-13f7-455b-9678-266b9257fd0a",
        "value": "alibaba.113@outlook.com.vn"
      },
      {
        "category": "Payload delivery",
        "comment": "Ctealer Loader - No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267837",
        "to_ids": true,
        "type": "md5",
        "uuid": "1f58a400-409c-4f31-926e-c5c3dd0af740",
        "value": "728afa40b20df6d2540648ef845eb754",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Ctealer Loader - No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267839",
        "to_ids": true,
        "type": "sha1",
        "uuid": "558d06a7-a63f-4144-bed2-be5ce33bd771",
        "value": "d8df672ecd9018f3f2d23e5c966535c30a54b71d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Ctealer Loader - No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267840",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5cdbcd40-7648-49aa-86ac-a13d46eb019f",
        "value": "c60f778641942b7b0c00f3214211b137b683e8296abb1905d2557bfb245bf775",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Packed Ctealer - No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267841",
        "to_ids": true,
        "type": "md5",
        "uuid": "8d0b6e66-5972-4a2a-b249-310c907e0c56",
        "value": "7eaf1b65004421ac07c6bb1a997487b2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Packed Ctealer - No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267842",
        "to_ids": true,
        "type": "sha1",
        "uuid": "beb8e26d-d36d-46c5-b2ba-58fd754a30bd",
        "value": "18ca159183c98f52df45d3e9db0087e17596a866",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Packed Ctealer - No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267843",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ae563fa5-f1de-4419-bba5-d058fe9bf0f8",
        "value": "e3181ee97d3ffd31c22c2c303c6e75d0196912083d0c21536e5833ee7d108736",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267844",
        "to_ids": true,
        "type": "md5",
        "uuid": "9e3f4131-eea6-4e58-abce-e649cf8399b0",
        "value": "732091ad428419247bce87603ea79f00",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267845",
        "to_ids": true,
        "type": "sha1",
        "uuid": "2c403f50-4c4b-404b-b85e-a004fb1d637f",
        "value": "142f909c26bd57969ef93d7942587cdf15910e34",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267847",
        "to_ids": true,
        "type": "sha256",
        "uuid": "63399316-0b0d-4731-8d21-d7c6797701b6",
        "value": "e45df7418ca47a9a4c4803697f4b28c618469c6e5a5678213ab81df9fcc9fd51",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262215",
        "to_ids": false,
        "type": "mutex",
        "uuid": "dc581046-9f20-411a-9568-161a8e2ac250",
        "value": "gwgXSznM-Jz92k33A-uRcCCksA-9XAU93r5"
      },
      {
        "category": "Payload delivery",
        "comment": "emails used during data exfiltration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262516",
        "to_ids": true,
        "type": "email-src",
        "uuid": "2d3cebde-c597-42e7-b328-bbd042ded431",
        "value": "blackred.113@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "emails used during data exfiltration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262516",
        "to_ids": true,
        "type": "email-src",
        "uuid": "ea339d14-74da-4df5-8af5-03b682dab5cb",
        "value": "lanhuong.jsc@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "emails used during data exfiltration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262516",
        "to_ids": true,
        "type": "email-src",
        "uuid": "1521eabd-46a7-447f-8e9b-8dc24ab03f67",
        "value": "nphuongmai.97@outlook.com"
      },
      {
        "category": "Payload installation",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262554",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "8741aea0-2c8b-407d-9143-c9b1a52c8b5b",
        "value": "Cucky"
      },
      {
        "category": "Payload installation",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262569",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "c596f981-73c7-4fad-8171-06c3d6ff0d72",
        "value": "Ctealer"
      },
      {
        "category": "Payload installation",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262618",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "ccf1fa74-6efc-4d36-aaad-8ee2a6be9aa8",
        "value": "KamiKakaBot"
      },
      {
        "category": "Payload installation",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740262639",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "af0269c5-8d21-4e0f-b0da-4983b3f95a02",
        "value": "KamiKakaDropper"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740780895",
        "to_ids": false,
        "type": "link",
        "uuid": "6b6331aa-33f6-4353-bff5-207d703ee9ba",
        "value": "https://www.bharian.com.my/berita/nasional/2023/01/1050642/data-tentera-malaysia-disyaki-dicuri-penggodam-sama-tahun-lalu"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740267947",
        "uuid": "25b43cfc-29e5-4e71-9ffd-ec7b56169fdb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cucky",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740267947",
            "to_ids": true,
            "type": "md5",
            "uuid": "40d1f230-0abd-4ea1-adf3-f1df3a3d09ec",
            "value": "926027f0308481610c85f4e3e433573b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cucky",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740267836",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c7315752-9e27-4385-9eed-a965620d219f",
            "value": "24f65e0ee158fc63d98352f9828d014ab239ae16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cucky",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740267836",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cb04bdb3-618e-48c4-81a9-606acf826ed6",
            "value": "9976625b5a3035dc68e878ad5ac3682ccb74ef2007c501c8023291548e11301a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740266157",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6462065b-ae8e-4556-a15a-a712f49df82e",
            "value": "1536:t6VczO7C9hk4/IZMCfhxhEmFGnA1hoKFdOV:tdi7C9hkJZLhEmFGnA1hoKFs"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740266157",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fb595a34-b725-401a-9b2c-7eb8753e98c5",
            "value": "81920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740266157",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c6143471-35fe-49df-801e-213a7b651ad7",
            "value": "38403655151e072b11020"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740266157",
            "to_ids": true,
            "type": "filename",
            "uuid": "9f8f24d6-11d1-4a96-b054-501ba39a354f",
            "value": "Cucky.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast scan: 11/03/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740266157",
            "to_ids": false,
            "type": "text",
            "uuid": "319c07ac-16e7-4530-9c9c-c542db277210",
            "value": "Cucky\r\nType Description: Win32 DLL\n\nMicrosoft: None\nVT Total Detection:25/72"
          }
        ]
      }
    ]
  }
}