KamiKakaBot


A new wave of cyberattacks has been detected, targeting government and military organizations in Southeast Asian countries. These attacks are attributed to the Dark Pink APT (Advanced Persistent Threat) group, also known as Saaiwc. Among the custom tools used by Dark Pink are TelePowerBot and KamiKakaBot, which allow the group to execute arbitrary commands on infected devices and steal sensitive data from them.

Dark Pink is believed to originate from the Asia-Pacific region and has been active since at least mid-2021. However, its activities escalated in 2022 and 2023, as evidenced by the recent attacks on government and military entities in Southeast Asia. The use of sophisticated malware such as KamiKakaBot underscores the group's capabilities and determination to achieve its objectives. These attacks pose a serious threat to national security and highlight the need for heightened vigilance and proactive measures to mitigate the risk of cyberattacks.

The Hackers Use Phishing Tactics and Decoy Documents

According to a recent report from Dutch cybersecurity firm EclecticIQ, a new wave of attacks was discovered in February 2023 that closely resembled earlier Dark Pink campaigns, with one significant difference: the malware's obfuscation routine had been improved to better evade anti-malware detection.

The attacks follow a social engineering strategy that involves sending email messages with ISO image file attachments to unsuspecting targets. The ISO image contains three components: an executable (Winword.exe), a loader (MSVCR100.dll), and a decoy Microsoft Word document. The Word document is a distraction; the loader is what loads the KamiKakaBot malware.

The loader relies on DLL side-loading. MSVCR100.dll is a file name that normally belongs to the Microsoft Visual C++ 2010 runtime, and because the attacker's copy sits next to Winword.exe in the mounted ISO, Windows resolves the name to that copy when the victim launches the executable. The loader then places KamiKakaBot in the memory of the Winword.exe process, so the payload runs under the name of a trusted application and is less likely to be blocked by security measures that would otherwise prevent it from executing.
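One way to hunt for this chain in image-load telemetry is to look for a process named winword.exe running outside an Office install directory, or msvcr100.dll being resolved from the executable's own directory rather than from the system runtime locations. The script below is an added example, not code from this page or from EclecticIQ: the log records are constructed in a Sysmon Event ID 7 (ImageLoad) style, and the expected Office and runtime directories are assumptions to adjust for the environment being checked.

```python
"""Hunt for the Winword.exe / MSVCR100.dll side-loading chain described above.

Added example, not code from the page or from EclecticIQ. The records below are
constructed in a Sysmon Event ID 7 (ImageLoad) style; on a real host you would
feed in the Image / ImageLoaded / Signed fields from Sysmon or your EDR.
"""
import ntpath
from dataclasses import dataclass, field

# Where a genuine WINWORD.EXE lives. Assumption for this example: extend the
# tuple for the Office builds actually deployed in your environment.
EXPECTED_WINWORD_DIRS = (
    r"c:\program files\microsoft office\root\office16",
    r"c:\program files (x86)\microsoft office\root\office16",
)

# Where the real Visual C++ 2010 runtime (msvcr100.dll) is normally loaded from.
EXPECTED_CRT_DIR_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed sample: a benign Word start, a copy run from a mounted ISO (drive E:),
# a copy extracted into the user's temp directory, and a benign Office DLL load.
# Fields are pipe-separated key=value pairs.
SAMPLE_EVENTS = r"""
Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Windows\System32\msvcr100.dll|Signed=true
Image=E:\Winword.exe|ImageLoaded=E:\MSVCR100.dll|Signed=false
Image=C:\Users\alice\AppData\Local\Temp\7zO1\Winword.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\7zO1\MSVCR100.dll|Signed=false
Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Program Files\Microsoft Office\root\Office16\wwlib.dll|Signed=true
"""


@dataclass
class Finding:
    image: str
    dll: str
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Yield one dict per non-empty line of pipe-separated key=value fields."""
    for line in text.strip().splitlines():
        yield dict(part.split("=", 1) for part in line.split("|"))


def find_sideload_candidates(text):
    """Return a Finding for every event that matches the side-loading pattern."""
    findings = []
    for ev in parse_events(text):
        image, dll = ev["Image"], ev["ImageLoaded"]
        image_dir = ntpath.dirname(image).lower()
        dll_dir = ntpath.dirname(dll).lower()
        reasons = []
        if ntpath.basename(image).lower() == "winword.exe" and image_dir not in EXPECTED_WINWORD_DIRS:
            reasons.append("winword.exe running outside an Office install directory")
        if ntpath.basename(dll).lower() == "msvcr100.dll":
            if not dll_dir.startswith(EXPECTED_CRT_DIR_PREFIXES):
                reasons.append("msvcr100.dll loaded from outside the system runtime locations")
            if dll_dir == image_dir:
                reasons.append("DLL resolved from the executable's own directory (side-load search-order hit)")
            if ev.get("Signed", "").lower() != "true":
                reasons.append("loaded msvcr100.dll carries no valid signature")
        if reasons:
            findings.append(Finding(image, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f.image, "->", f.dll)
        for r in f.reasons:
            print("   ", r)
```

Run against the constructed sample, the two copies of Winword.exe launched from the ISO mount and the temp directory are reported with all four reasons, while the genuine Office process loading the runtime from System32 is not.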

KamiKakaBot Can Steal Sensitive Information from the Breached Devices

KamiKakaBot is a malicious program designed to steal sensitive data stored in web browsers. It is also capable of executing remote commands through the Windows Command Prompt (cmd.exe). To evade detection, the malware incorporates techniques that let it blend in with the victim's environment.

Once a host is compromised, the malware establishes persistence through the Winlogon Helper DLL technique, making malicious modifications to values under the Winlogon Registry key so that its code is launched again at logon. This lets the malware survive reboots and continue its activities. The stolen data is sent to a Telegram bot as a ZIP archive.

Using a legitimate web service such as Telegram as a Command-and-Control (C2, C&C) channel is a common tactic among threat actors. It makes the malware harder to detect and to shut down: the traffic looks like ordinary communication with a popular web service, and the infrastructure belongs to a legitimate provider rather than to the attacker. These tactics are employed not only by regular cybercriminals but also by advanced persistent threat actors.
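Two host- and network-side checks follow from the persistence and C2 paragraphs above: compare the Winlogon values against their stock contents, and look for connections to the Telegram Bot API host from processes that have no business using it. The script below is an added example, not code from this page or from EclecticIQ. The page does not state which Winlogon value KamiKakaBot edits, so the audit covers the values the Winlogon Helper technique commonly abuses (Shell and Userinit), which is an assumption; the registry snapshot and connection records are constructed, not taken from a real host.

```python
"""Triage checks for the two behaviours described above: Winlogon persistence
and Telegram Bot API egress.

Added example, not code from the page or from EclecticIQ. The page does not say
which Winlogon value KamiKakaBot edits, so the audit covers the values the
Winlogon Helper technique commonly abuses (Shell and Userinit); the registry
snapshot and connection records are constructed, not taken from a real host.
"""
import ntpath

# Stock contents of the Winlogon values (assumption: adjust if your image differs).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}

# Telegram's Bot API host: a Telegram bot used as C2 has to reach it.
TELEGRAM_BOT_API_HOST = "api.telegram.org"

# Constructed snapshot of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,
# in the form winreg.QueryValueEx would return the values on a real host.
SAMPLE_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\Libraries\loader.exe,",
    "AutoRestartShell": "1",
}

# Constructed process-to-destination records: process|destination host|port
SAMPLE_CONNECTIONS = """
WINWORD.EXE|officeclient.microsoft.com|443
Winword.exe|api.telegram.org|443
chrome.exe|web.telegram.org|443
powershell.exe|api.telegram.org|443
"""


def audit_winlogon(values):
    """Return (value_name, entry) for every Shell/Userinit command beyond the default.

    Winlogon treats both values as comma-separated lists and runs every entry at
    logon, so appending a path is enough to get code executed at each sign-in.
    """
    findings = []
    for name, raw in values.items():
        key = name.lower()
        if key not in WINLOGON_DEFAULTS:
            continue
        for entry in (e.strip() for e in raw.split(",")):
            if entry and entry.lower() != WINLOGON_DEFAULTS[key]:
                findings.append((name, entry))
    return findings


def flag_telegram_c2(text, allowed_processes=()):
    """Return (process, host) for Bot API connections from processes not on the allowlist."""
    findings = []
    for line in text.strip().splitlines():
        process, host, _port = line.split("|")
        if host.lower() != TELEGRAM_BOT_API_HOST:
            continue
        if ntpath.basename(process).lower() in allowed_processes:
            continue
        findings.append((process, host))
    return findings


if __name__ == "__main__":
    print("Winlogon:", audit_winlogon(SAMPLE_WINLOGON))
    print("Telegram Bot API egress:", flag_telegram_c2(SAMPLE_CONNECTIONS))
```

The connection check keys on the Bot API host rather than on "anything Telegram", because a user browsing web.telegram.org is not evidence of a bot C2; an organisation that runs a sanctioned Telegram bot can pass its process name in allowed_processes.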

Given the increasing sophistication of these attacks, organizations need to take proactive measures: deploy robust protection against malware, keep software up to date, and train employees to recognize and avoid phishing emails such as those carrying ISO attachments.

