VTA-00434 – New APT Group Found Targeting Government Organizations in APAC
These threat actors are leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups. They leverage a custom toolkit, featuring TelePowerBot, KamiKakaBot, and Cucky and Ctealer information stealers (all names dubbed by Group-IB) with the aim of stealing confidential documentation held on the networks of government and military organizations.It is important to note that the bulk of the attacks were based on PowerShell scripts or commands that aimed to launch communication between the infected networks and the threat actors’ infrastructure.
The attackers gained initial access through spear-phishing emails, with one example posing as a job applicant applying for a PR and Communications internship. The emails contain a shortened URL leading to a file-sharing service called MediaFire, where victims are given the option to download an ISO image containing all the files necessary for the attackers to infect the victim’s network. The ISO images include three types of files: a signed executable file, a non-malicious decoy document, and a malicious DLL file. The attackers use DLL Side-Loading to confuse victims into executing the .exe file, which then runs the malicious DLL file, leading to persistence for TelePowerBot in the infected machine’s registry. It is also not impossible where the threat actor sends the malicious ISO image as a direct attachment to the victim via email.
The ISO images sent in the spear-phishing emails contained varying numbers of files. However, there are three types of file found in all of the ISO images sent by the threat actors: a signed executable file, a nonmalicious decoy document (e.g. .doc, .pdf, or .jpg), and a malicious DLL file. The threat actors include an .exe file in the ISO image that mimics a MS Word file. The file contains “.doc” in the file name and contains the MS Word icon as a means of confusing the victim and thinking that the file is safe to open. Should the victim execute the .exe file first, the malicious DLL file, located in the same folder as the .exe file, will run automatically. This is a technique used by threat actors known as DLL Side-Loading.
The primary goal of this DLL file is to gain persistence for TelePowerBot in the registry of the infected machine. In some cases, the DLL file can also launch the threat actors’ proprietary stealer Stealer, which parses data from browsers on the victim’s machine and stores it in a local folder. It is important to note at this stage that the DLL files are packed. When the file is launched, it decrypts itself and passes control to an unpacked version of itself. Upon completion of this step, a command to start TelePowerBot will be added to autorun. This means that TelePowerBot will be launched each time the user logs into their system. This is facilitated by creating a registry key by path HKCU\Environment\UserInitMprLogonScript.
The malware is also known to propagate itself using USB drives where it will automatically create a .LNK file on every USB drive which is used on the infected machine. Then, the malware will also download the TeleBotDropper and store it in the USB drive. When a user access this USB drive and open this .LNK file, it will read registry key, decrypt, and launch TelePowerBot, which are then transferred to the new machine.
Dark Pink threat actors can also leverage their self-made stealers Cucky and Ctealer to draw data from infected machines. The attackers can also use their custom information stealers, Cucky and Ctealer, to extract data such as passwords, history, logins, and cookies from web browsers, which are saved to files and do not require an internet connection. Both of the stealers can be downloaded from the threat actors’ Github account automatically by commands issued by the malware.
Defense Evasion, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence
Phishing, DLL-Side Loading, Template Injection, Masquerade, Replication through Removable Media, Deobfuscate/Decode Files or Information
Active Defense Tactics:
Active Defense Techniques:
Baseline, Email Manipulation, Migrate Attack Vector, Security Controls, Software Manipulation, User Training
SuperPRO’s Threat Countermeasures Procedures:
1. Adding the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC to create a custom rule to block the respective File Hashes and Hostname.
2. Use modern email protection measures to prevent initial compromise via spear-phishing emails.
3. Ensure employees are instructed on Phishing and how to recognize Phishing attmepts.
4. Implement zero-trust policy to mitigate damage inside the organization
5. Enable auto-updates to ensure software/program is always up to date.
6. Antimalware tool should be deployed and regularly updated.
7. IDS/IPS should be configured properly.
Contributed by: Aman