The latest APT cyberattacks on ASEAN countries use similar techniques as a previous Dark Pink KamiKakaBot campaign, including phishing.

The recently identified Dark Pink advanced persistent threat (APT) group is likely behind a fresh set of KamiKakaBot malware attacks on ASEAN governments and military entities, according to Netherlands-based cybersecurity company EclecticIQ.

The attacks, which took place in February, were “almost identical” to those reported by Singapore-based global cybersecurity firm Group-IB on January 11, EclecticIQ said. Multiple overlapping techniques used in the campaigns helped EclecticIQ analysts attribute the recent attacks as likely the work of the Dark Pink APT group.

Dark Pink is the name given by Group-IB to the group believed to be behind the KamiKakaBot attacks that have struck the APAC region. APT attacks are often state-sponsored espionage campaigns focused on conducting long-term, targeted attacks against specific organizations or countries, for little or no financial gain.

EclecticIQ attributed the latest wave of APT attacks on ASEAN countries to Dark Pink because they used KamiKakaBot malware, which is used exclusively by Dark Pink, and because they used the same command and control structure and similar payload delivery and execution techniques as previous attacks.

KamiKakaBot is a form of remote access trojan (RAT) that mostly targets Windows-based systems. It is delivered via phishing emails that contain a malicious ISO file (an archived copy of a CD/DVD or other optical disk) as an attachment, according to EclecticIQ.

Phishing delivers payload through DLL sideloading

The ISO file contains a legitimate WinWord.exe signed by Microsoft, which is then used to stage a dynamic link library (DLL) sideloading attack.
When users click on the WinWord.exe file, the KamiKakaBot loader (MSVCR100.dll) located in the same folder is automatically loaded and executed in the memory of the WinWord.exe process.

Additionally, the malicious ISO file includes a disguised Word document with a section that is encrypted using exclusive-or (XOR) encryption. The KamiKakaBot loader decrypts this section and extracts an XML payload from the disguised file. The decrypted payload is then written to disk at C:\Windows\temp and executed using MsBuild.exe, a legitimate binary commonly used by attackers for “living-off-the-land” attacks.

Before executing the XML payload, the KamiKakaBot loader writes a registry key into the Winlogon (Windows component) shell path to abuse its helper feature for persistent access. The Winlogon helper is used to manage additional helper programs and functionalities that support Winlogon.

Malware persistence highlights better obfuscation routines

The KamiKakaBot malware is capable of stealing sensitive information from web browsers such as Chrome, MS Edge, and Firefox. The stolen data is then sent to the attackers’ Telegram bot channel as a compressed zip file. Once the device is infected, the attacker can upgrade the malware or execute remote code on the device, giving them the access needed to carry out additional post-exploitation activities.

The latest KamiKakaBot loader is designed to install the KamiKakaBot malware without detection. It achieves this through techniques such as encrypting the payload and using living-off-the-land binaries (LOLBINs). Living-off-the-land binaries are legitimate system binaries that attackers use to carry out malicious activities on a compromised system, making their activities harder to detect. Dark Pink used a legitimate MsBuild.exe to run the KamiKakaBot malware on victims’ devices.
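The three stages described above (WinWord.exe sideloading MSVCR100.dll, MsBuild.exe executing an XML file from C:\Windows\temp, and the modified Winlogon Shell value) each leave host telemetry a defender can match on. The following is an added example, not code from the article or from EclecticIQ: it applies one simple rule per stage to constructed Sysmon-like event records, and the event field names and the list of trusted system directories are assumptions.

```python
import ntpath

# Directories where a legitimately installed MSVCR100.dll would be loaded from (assumed list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

def _base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return the names of the rules one Sysmon-like event triggers ([] if none)."""
    hits = []
    if ev["type"] == "image_load":
        # Stage 1: WinWord.exe loading MSVCR100.dll from outside the system
        # directories, i.e. the DLL-sideloading step.
        image = ev["image"].lower()
        if (_base(ev["process"]) == "winword.exe" and _base(image) == "msvcr100.dll"
                and not image.startswith(SYSTEM_DIRS)):
            hits.append("winword_sideloads_msvcr100")
    elif ev["type"] == "process_create":
        # Stage 2: MsBuild.exe (a LOLBIN) run against an XML project dropped under C:\Windows\temp.
        cmd = ev.get("cmdline", "").lower()
        if _base(ev["image"]) == "msbuild.exe" and "\\windows\\temp\\" in cmd and ".xml" in cmd:
            hits.append("msbuild_runs_temp_xml")
    elif ev["type"] == "registry_set":
        # Stage 3: Winlogon Shell value listing anything other than explorer.exe (persistence).
        if ev["key"].lower().endswith("\\winlogon\\shell"):
            entries = [e.strip().strip('"') for e in ev["value"].split(",") if e.strip()]
            if any(_base(e.split()[0]) != "explorer.exe" for e in entries):
                hits.append("winlogon_shell_modified")
    return hits

def scan(events):
    """Run all events through the rules; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed, Sysmon-like sample events (not real telemetry); events 1 and 4 are benign.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "D:\\Attachment\\WinWord.exe",
     "image": "D:\\Attachment\\MSVCR100.dll"},
    {"type": "image_load", "process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\msvcr100.dll"},
    {"type": "process_create", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\Windows\\temp\\build.xml"},
    {"type": "registry_set", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "value": "explorer.exe, C:\\Windows\\temp\\helper.exe"},
    {"type": "registry_set", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "value": "explorer.exe"},
]
```

Calling scan(SAMPLE_EVENTS) flags events 0, 2 and 3, one per stage, while the Office-installed DLL and the default Shell value pass silently.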
The main difference between the Dark Pink campaigns so far is that in the latest attacks, the malware’s obfuscation technique has improved to better evade antimalware measures, EclecticIQ said. Additionally, the new version of KamiKakaBot uses an open-source .NET obfuscation engine to hide itself from antimalware products.