DarkPink’s Attacks on Indonesia’s Foreign Ministry and the Philippines’ Military

The original report is in Chinese, and this version is an AI-translated edition.

1. Overview

Antiy CERT has recently detected multiple attacks by the APT group DarkPink against Indonesia's foreign ministry and the Philippine military. DarkPink (also known as saaiwc) first became active in mid-2021; its main targets are diplomatic, military and other government bodies and industries in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, Bosnia and Herzegovina and other countries.

The initial samples in this campaign are all ISO files. By attack chain they fall into two categories. In the first, DLL side-loading drops a malicious XML payload and persistence is established by modifying the registry; the malicious DLL also creates a scheduled task that periodically logs off the current user. At each Windows logon, MSBuild.exe (Microsoft Build Engine) is invoked on the XML project file, which launches the KamiKakaBot[1] payload and gives the attacker remote control. In the second, DLL side-loading is again used for initial execution, but here the malicious DLL decrypts a PE file and runs it in memory. That in-memory PE writes startup code to the registry for persistence; the startup code decrypts and launches the TelePowerBot[1] payload, which likewise provides remote control.

2. Sample Analysis

2.1 Attacks Using KamiKakaBot

2.1.1 Bait Information

The attackers used a decoy document named “~MSTIP ROTCU Roster of Cadets and List of Training  Staff_emb.doc”, disguised as the cadet roster and training-staff list of the Reserve Officers' Training Corps unit of the Makati Institute of Science and Technology in the Philippines.

Figure 2‑1 Decoy documents disguised as the roster of cadets and list of training personnel of the Reserve Officers Training Corps of the Makati Institute of Science and Technology in the Philippines

The attackers used a decoy document named “Availability of HPA Parade Ground.pdf”, which poses as a request from the Philippine National Capital Region Community Defense Group to use the HPA Parade Ground.

Figure 2 ‑2 Document disguised as a request from the Philippine Capital Region Community Defense Group to use the HPA Parade Ground

The attackers used a decoy document named “~Concept Note Strategic Dialog Version 30.1.docx”, which poses as material related to the Indonesia-Germany strategic dialogue.

Figure 2 ‑3 Decoy documents disguised as content related to the Indonesia-Germany strategic conversation

The attacker used a bait document named “009 -Visit of Norwegian senior diplomats to Jakarta 6-9 February.pdf”, which purports to come from the Royal Norwegian Embassy and concerns a visit of diplomats to Jakarta. Judging from its content, the target is the Ministry of Foreign Affairs of the Republic of Indonesia or people connected with it.

Figure 2 ‑4 A decoy document disguised as the Royal Norwegian Embassy was sent about a diplomat’s visit to Jakarta

The attacker used a bait document named “~Concept note – A Sustainable Forum – Building the Online Resources of the EAMF 16 Dec 2022_emb.doc”, which purports to come from MA. THERESA P. LAZARO (Undersecretary for Bilateral Relations and ASEAN Affairs of the Philippine Department of Foreign Affairs). The bait concerns the “Revised Concept Note on Australia's Proposal to Expand the ASEAN Maritime Forum”. Judging from its content and recipients, the targets are leaders of, or people connected with, the ASEAN Executive Committee.

Figure 2 ‑5 Decoy document for Australia’s revised concept note on proposal to expand the ASEAN Maritime Forum

Figure 2‑6 Bait document on building research capacity of EAMF (Expanded ASEAN Maritime Forum)

2.1.2 Attack Process

DarkPink builds ISO images that contain the malicious code and a decoy document and delivers them by spear phishing and similar means. The user is tricked into opening an exe inside the image that is disguised as a document; the exe loads the malicious module by DLL side-loading. Once running, the module reads the data appended to the end of the decoy document, decrypts it into an XML project file and sets up persistence. At every user logon, PowerShell runs MSBuild.exe against that XML file; the inline task decrypts the data stored in the XML and loads it into memory for execution. The decrypted data is KamiKakaBot[1], which communicates over Telegram and provides browser data theft, command execution and other functions.

Figure 2 ‑7 Attack flow chart

2.1.3 Sample Label

Table 2‑1 Malicious module MSVCR100.dll contained in ISO

Virus name: Trojan/Win64.Dllhijacker
Original file name: MSVCR100.dll
MD5: c431ddc7ed614effd8e2ae816107de3f
Processor architecture: AMD AMD64
File size: 41.00 KB (41,984 bytes)
File format: Win64 DLL
Timestamp: 2022-12-21 16:12:05 UTC
Digital signature: None
Packer type: None
Compiler: x64 Microsoft Visual C++ v14.29 (2019), DLL
VT first upload time: 2023-02-01 03:41:10 UTC
VT detection results: 41/69

2.1.4 Detailed Analysis

The group uses DLL side-loading to load its malicious module and evade detection. The module masquerades as MSVCR100.dll (the Visual C++ 2010 runtime library).

Figure 2 ‑8 DLL side loading

After the malicious module is loaded, it searches the current directory for files that match the conditions shown below:

Figure 2 ‑9 Search for files to be decrypted

The malicious module reads the data appended to the end of the decoy file and XORs each byte with 0xCA, stopping when it reaches a 0x00 byte.

Figure 2 ‑10 Read the file tail data and perform XOR operation

The decrypted data is written to the file wct1FDA.tmp in the %temp% directory; its contents are shown below.

Figure 2 ‑11 Contents of the wct1FDA.tmp file

After the file is written, the decoy document is opened through a cmd command so that the user sees what looks like a normal document opening.

Figure 2 ‑12 Open the decoy document through cmd command

The malicious module creates three new environment variables, MS, TMPT and PSS. The PowerShell code later placed in the registry reads their values.

Figure 2 ‑13 Set environment variables

The malicious module also creates a scheduled task that forces a logoff at 13:15 every Wednesday and Friday. The user then has to log on again, which re-triggers the PowerShell command configured to run at logon.

Figure 2 ‑14 Create a scheduled task

The malicious module sets the registry value SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell so that the malicious code is launched whenever the Windows user logs on. This value normally holds explorer.exe, so a Shell value carrying anything else is a strong persistence indicator.

Figure 2 ‑15 Login startup

PowerShell invokes MSBuild.exe on the XML project file. The inline task first base64-decodes the embedded data and XORs every byte with decimal 248 (0xF8); the result is a modified version of KamiKakaBot[1]. The assembly is then loaded reflectively: GetExportedTypes enumerates its types and InvokeMember calls the method named PRLiSNFR.

Figure 2 ‑16 XML file
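The two decryption steps described above (the XOR-0xCA data appended to the decoy, and the base64-plus-XOR-248 blob inside the MSBuild project) can be reproduced offline for triage. The following is an added example written for this page, not code from the Antiy report or from DarkPink; all inputs are constructed, the XML element that holds the blob is an assumption (so the blob is found by pattern), and the 0x00 terminator is assumed to be a literal byte in the file.

```python
"""Added example (not code from the Antiy report or from DarkPink): recover
the two encrypted stages described in 2.1.4.

Stage 1: the side-loaded DLL reads the bytes appended to the end of the decoy
         document and XORs each with 0xCA, stopping at a 0x00 byte.
Stage 2: the MSBuild project file carries base64 data; the inline task
         base64-decodes it and XORs every byte with 248 (0xF8), yielding the
         .NET assembly (KamiKakaBot).

Every input below is constructed for the demonstration; the XML element that
holds the blob is an assumption, so the blob is located by pattern rather
than by element name.
"""
import base64
import re

TAIL_KEY = 0xCA   # key used on the data appended to the decoy
XML_KEY = 248     # key used on the base64-decoded data inside the XML


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def carve_tail_payload(decoy: bytes) -> bytes:
    """Return the decrypted data appended after the last 0x00 in the decoy.

    Assumption: the terminator is a literal 0x00 byte in the file.  For an
    ASCII XML payload no ciphertext byte can itself be 0x00 (that would need
    plaintext 0xCA), so searching for the last 0x00 finds the terminator.
    """
    idx = decoy.rfind(b"\x00")
    if idx == -1:
        return b""
    return xor_bytes(decoy[idx + 1:], TAIL_KEY)


# a base64 run long enough to be a payload rather than an attribute value
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_msbuild_payload(xml_text: bytes) -> bytes:
    """Base64-decode the longest base64 run in the project file and XOR it
    with 248, as the inline task does before reflectively loading it."""
    runs = B64_RUN.findall(xml_text)
    if not runs:
        raise ValueError("no base64 payload found in project file")
    return xor_bytes(base64.b64decode(max(runs, key=len)), XML_KEY)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a .NET assembly is a PE file and starts with MZ."""
    return data[:2] == b"MZ"


def recover_stages(decoy: bytes):
    """Carve the XML from the decoy, then the assembly from the XML."""
    xml = carve_tail_payload(decoy)
    return xml, extract_msbuild_payload(xml)


# ---- constructed sample: a fake decoy with both stages layered in ----
FAKE_ASSEMBLY = b"MZ" + b"\x90" * 62 + b"constructed stand-in for the .NET stage"
SAMPLE_XML = (
    b'<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
    b"  <!-- inline task omitted; the element holding the blob is assumed -->\n"
    b"  <PropertyGroup><Blob>"
    + base64.b64encode(xor_bytes(FAKE_ASSEMBLY, XML_KEY))
    + b"</Blob></PropertyGroup>\n</Project>\n"
)
SAMPLE_DECOY = (
    b"%PDF-1.4\n% constructed decoy body, no payload here\n"
    + b"\x00"                              # terminator the DLL stops at
    + xor_bytes(SAMPLE_XML, TAIL_KEY)      # stage 1, XOR 0xCA
)

if __name__ == "__main__":
    xml, assembly = recover_stages(SAMPLE_DECOY)
    print(xml.decode())
    print("MZ header recovered:", looks_like_pe(assembly))
```

Run against a real decoy from the ISO, `carve_tail_payload` should yield the same XML that the DLL writes to %temp%\wct1FDA.tmp, and `extract_msbuild_payload` the assembly that MSBuild loads; if the result does not start with MZ, the terminator or key assumption above does not hold for that sample.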

Once KamiKakaBot[1] runs, it first collects the current device name, the user name and a partial string, then obtains the API key and chat ID used to communicate with Telegram.

Figure 2 ‑17 Obtain the content required for communication

The KamiKakaBot[1] sample contains a string-decryption function. It hashes the function name with the FNV algorithm, shifts the result and adds a fixed value to obtain the index of the string in an array, from which the decrypted string is read.

Figure 2 ‑18 String decryption function and compressed array

KamiKakaBot[1] transmits data via Telegram.

Figure 2‑19 KamiKakaBot’s function for returning data

KamiKakaBot[1] checks whether the file %LOCALAPPDATA%\desktop.ini.dat exists. If it does not, the bot creates it, writes the 15 bytes of main.APIKEY that start at offset 15 followed by “:0”, and marks the file hidden. If it does exist, the bot reads the part before “:” and compares it with that same 15-byte slice of main.APIKEY: when they match it returns the part after “:”; when they differ it overwrites the file with the 15-byte slice followed by “:0” and again marks it hidden.

Figure 2 ‑20 Determine whether it is the first execution

KamiKakaBot[1] uses the return value of requestMessageID to decide whether this is the first infection of the machine by the current version of the bot. It then sends that first-infection flag together with data from the Chrome, Edge and Firefox browsers to Telegram and waits for the operator's reply.

Figure 2 ‑21 KamiKakaBot sends online package

KamiKakaBot[1] receives data returned from Telegram, parses it and dispatches on the command it contains. The commands and their functions are listed below:

Table 2 ‑2 Instructions and corresponding functions

Instruction: Function
SH0WUP: Return the current machine name and user name
GETBRWS: Collect Chrome, Edge and Firefox browser data
TOKENNEW: Update the APIKEY value and rewrite it to %LOCALAPPDATA%\desktop.ini.dat
XMLNEW: Update the XML file or execute a cmd command

2.2 Attacks Using TelePowerBot

2.2.1 Bait Information

The decoy document is named “20220410_Microsoft Security Update.pdf” and impersonates a Microsoft security update. Its content indicates that this campaign targets the Philippine military.

Figure 2 ‑22 Bait document disguised as a Microsoft security update topic

2.2.2 Attack Process

DarkPink builds an ISO image containing the malicious code and a decoy document, delivers it by spear phishing and similar means, and tricks the user into opening an exe inside the image that is disguised as a document; the exe loads the malicious module by DLL side-loading. Once running, the module reads the data appended to the end of the decoy document, decrypts a PE file from it and loads that file into memory for execution. The in-memory PE opens the decoy document and writes startup code to the registry for persistence. The startup code runs at each user logon, decrypting the TelePowerBot[1] payload, which provides information collection and command execution.

Figure 2 ‑23 Attack Flowchart

2.2.3 Sample Label

Table 2‑3 Malicious module MSVCR100.dll contained in ISO

Virus name: Trojan/Win32.Agentb
Original file name: MSVCR100.dll
MD5: 8af6f5e22806766c530dcc8420e60f29
Processor architecture: AMD AMD64
File size: 11.00 KB (11,264 bytes)
File format: Win32 DLL
Timestamp: 2022-07-14 03:16:16 UTC
Digital signature: None
Packer type: None
Compiler: Microsoft Visual C++ v7.10-9.0 DLL (8B)
VT first upload time: 2022-09-27 09:20:58 UTC
VT detection results: 41/69

2.2.4 Detailed Analysis

The attacker again uses DLL side-loading to evade detection. The loaded malicious module reads data from the end of the bait file and decrypts it.

Figure 2 ‑24 Extract the encrypted data hidden at the end of the decoy document

The decrypted data is a PE file, which is loaded into memory and executed.

Figure 2 ‑25 Load PE file in memory

After being loaded into memory, the PE file first creates a mutex, then uses the cmd command to open a decoy document to conceal malicious behavior.

Figure 2 ‑26 Create a mutex and open the decoy document

The in-memory PE then modifies the registry: it sets the environment variables needed by the later script, establishes persistence by setting the HKCU\Environment\UserInitMprLogonScript value (which Windows runs at every user logon), and registers a file association for the .abcd extension so that opening a file with that extension runs the startup code. The startup code runs PowerShell through SyncAppvPublishingServer.vbs, base64-decodes and XOR-decrypts the embedded data, and executes it.

Figure 2 ‑27 Implement a persistence mechanism
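The registry artefacts from both chains (the Winlogon Shell value and MS/TMPT/PSS variables from 2.1.4, the UserInitMprLogonScript value and .abcd association from this section) and the desktop.ini.dat marker from 2.1.4 can be checked offline from a `reg export` text file and the marker file's contents. The following is an added example written for this page, not Antiy's tooling or DarkPink's code. The registry export it parses is constructed; the values in it (including the contents of MS, TMPT and PSS, which the report does not give) are placeholders, the HKCU hive for the Shell value is an assumption, and the file-association check deliberately goes beyond .abcd to any extension wired to a script launcher.

```python
"""Added example (not Antiy's tooling, not DarkPink's code): offline triage of
the persistence artefacts described in 2.1.4 and 2.2.4, run over the text of
a `reg export` file plus the contents of %LOCALAPPDATA%\\desktop.ini.dat.

It flags:
  * a Winlogon Shell value other than explorer.exe        (KamiKakaBot chain)
  * HKCU\\Environment\\UserInitMprLogonScript               (TelePowerBot chain)
  * the .abcd extension key, and any file-association command that launches
    PowerShell, SyncAppvPublishingServer.vbs or a script host (this goes
    beyond .abcd: any extension wired to such a launcher is worth a look)
  * user environment variables named MS, TMPT or PSS      (KamiKakaBot chain)
  * a desktop.ini.dat that follows the "<15-byte tag>:<message id>" layout

The registry export below is constructed; its values (including MS, TMPT and
PSS, whose real contents the report does not give) are placeholders, and the
hive used for the Shell value is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor' exports.

    Returns {key_path: {value_name: data}}.  String values ("name"="data",
    @="data") are unescaped; other types are kept as the raw text after '='.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue          # continuation lines of hex values land here
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


LAUNCHER = re.compile(
    r"powershell|SyncAppvPublishingServer\.vbs|wscript|cscript|mshta", re.I)
WATCHED_ENV = ("MS", "TMPT", "PSS")


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the artefacts listed above."""
    findings: List[Tuple[str, str]] = []
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1].lower()
        if tail == "winlogon":
            shell = values.get("Shell", "")
            if shell and shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell", f"{path}\\Shell = {shell}"))
        elif tail == "environment":
            if "UserInitMprLogonScript" in values:
                findings.append(("logon_script",
                                 f"{path}\\UserInitMprLogonScript = "
                                 f"{values['UserInitMprLogonScript']}"))
            for var in WATCHED_ENV:
                if var in values:
                    findings.append(("env_var", f"{path}\\{var} = {values[var]}"))
        elif tail == ".abcd":
            findings.append(("abcd_ext", f"{path} -> {values.get('(Default)', '')}"))
        elif path.lower().endswith("\\shell\\open\\command"):
            cmd = values.get("(Default)", "")
            if LAUNCHER.search(cmd):
                findings.append(("file_assoc", f"{path} = {cmd}"))
    return findings


MARKER = re.compile(r"^(?P<tag>[^:]{15}):(?P<id>\d+)\s*$")


def parse_marker(content: str) -> Optional[dict]:
    """desktop.ini.dat layout from 2.1.4: 15 bytes of the Telegram API key
    (taken from offset 15), ':', then the message id; '0' means the bot has
    not yet checked in with this token (assumption: the id is replaced after
    the first check-in, which the report implies but does not spell out)."""
    m = MARKER.match(content)
    if not m:
        return None
    return {"token_tag": m.group("tag"), "message_id": m.group("id"),
            "first_run": m.group("id") == "0"}


# ---- constructed registry export (placeholders, not real DarkPink values) ----
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, powershell.exe -w hidden -c \"placeholder\""

[HKEY_CURRENT_USER\Environment]
"MS"="placeholder-1"
"TMPT"="placeholder-2"
"PSS"="placeholder-3"
"UserInitMprLogonScript"="cmd /c start \"\" \"C:\\Users\\victim\\placeholder.abcd\""

[HKEY_CURRENT_USER\Software\Classes\.abcd]
@="abcdfile"

[HKEY_CURRENT_USER\Software\Classes\abcdfile\shell\open\command]
@="wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"placeholder\""
'''

if __name__ == "__main__":
    for kind, detail in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"[{kind}] {detail}")
    print(parse_marker("ABCDEFGHIJKLMNO:0"))   # constructed marker content
```

On a live host the same checks map to `reg export HKCU\Environment`, `reg export "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and `reg export HKCU\Software\Classes`; the HKLM copies of Winlogon and Classes are worth exporting too, since a per-user Shell value overrides the machine default and the report does not say which hive the sample wrote.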

This command runs at each user logon; it base64-decodes the embedded data and XOR-decrypts it.

Figure 2 ‑28 The decrypted content of base64 data

After the script is deobfuscated, the base64 data it carries is decoded and decompressed; the final payload is TelePowerBot[1]. When run, it first checks connectivity to api.telegram.org, then collects basic information about the victim and sends it to Telegram. Thereafter it polls Telegram once a minute, receives commands and returns their output to Telegram.

Figure 2 ‑29 Contents of the malicious payload TelePowerBot

3. Association Analysis

Compared with samples from DarkPink's earlier campaigns, the attack chain and the components used are highly similar, with some changes in detail.

The XML file in this campaign has essentially the same content and function as the earlier version, but after base64-decoding the embedded payload it performs an additional XOR pass.

Figure 3 ‑1 Differences in XML files (the left side is the XML file of the previous attack activity, and the right side is the XML file of this attack activity)

The .NET payload has essentially the same functionality as before, but adds a string-encryption routine to make analysis harder.

Figure 3 ‑2 String encryption function in .NET payload

4. Threat Framework Mapping

The mapping of the behaviours seen in DarkPink's activity onto the ATT&CK framework is as follows:

This activity covers 16 techniques across 9 ATT&CK tactics. The specific behaviours are described in the following table:

Tactic | Technique | Notes
Initial Access | Phishing | Spear phishing delivers the ISO file to the victim's machine
Execution | User Execution | The user is induced to open the exe inside the ISO that is disguised as a document
Persistence | Boot or Logon Autostart Execution | The Winlogon Shell registry value is modified so the malicious program launches at every user logon
Persistence | Boot or Logon Initialization Scripts | Startup code is written to HKCU\Environment\UserInitMprLogonScript
Persistence | Event Triggered Execution | The default association for the .abcd extension is modified so that opening a .abcd file runs the specified command
Defense Evasion | Deobfuscate/Decode Files or Information | KamiKakaBot carries encrypted strings that are decrypted by a built-in routine
Defense Evasion | Hijack Execution Flow | DLL side-loading
Defense Evasion | Masquerading | A double-extension file is built to impersonate a document
Defense Evasion | Trusted Developer Utilities Proxy Execution | Malicious code is executed through MSBuild
Credential Access | Steal Web Session Cookie | Chrome, Edge and Firefox browser data is collected
Discovery | System Information Discovery | Operating system type and version, computer product name and similar information are collected
Discovery | System Network Configuration Discovery | Connectivity to api.telegram.org is checked and the victim machine's IP is obtained
Collection | Data from Local System | The device name and current user name are collected
Collection | Data Staged | The collected browser data is staged in %temp%\wdat{0}.dat
Command and Control | Web Service | Commands are transmitted via Telegram
Exfiltration | Exfiltration Over Web Service | Collected data is transmitted via Telegram

5. Summary

DarkPink has been active since mid-2021 and continues to attack targets in Southeast Asia, almost entirely with self-developed tools. In the recently discovered campaign, the attackers dropped their follow-on payloads and established persistence through DLL side-loading, then launched the payloads either through the trusted development tool MSBuild.exe or directly through encrypted PowerShell scripts. In every case seen so far, communication between the infected host and the attackers goes over the Telegram API. Two payloads appear in this campaign: the PowerShell payload TelePowerBot[1] and the .NET payload KamiKakaBot[1]. The KamiKakaBot seen here has essentially the same functions as the previous version, but adds a string-encryption routine to hide some of its characteristics. DarkPink therefore keeps to its established attack pattern while adjusting its self-developed tools to suit different targets and to conduct more covert and persistent espionage.

Appendix 1: References

[1] Group-IB: Dark Pink

https://www.group-ib.com/blog/dark-pink-apt/

Appendix 2: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed the IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, and the UWP (Unified Workload Protect) security products for cloud hosts, containers and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR) and cloud workload protection (CWPP). Building on its threat intelligence and threat detection capabilities, Antiy has established a closed-loop product system for threat countermeasures that achieves perception, retardation, blocking and presentation of advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS) and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and the SCS Code Security Detection System to help customers shift security left in the DevOps process. It also offers four kinds of security services: network attack and defense logic deduction, in-depth threat hunting, security threat inspection and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China's emergency response system and has provided early warning and comprehensive emergency response during major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellshock” and “WannaCry”. Antiy continuously monitors and analyses dozens of advanced cyberspace threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack operations, helping customers build effective protection once the adversary's situation has been accurately assessed.