Dark Pink APT Attacks

MITRE Techniques

• [T1566] Phishing – The attackers used spear-phishing emails to gain initial access. ‘A large part of the success of Dark Pink was down to the spear-phishing emails used to gain initial access. The emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim’s network.’
• [T1566.001] Spearphishing Attachment – The emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim’s network. ‘The emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim’s network.’
• [T1204] User Execution – The spear-phishing workflow implies user interaction to download and potentially execute the malicious ISO payload. ‘…to infect the victim’s network.’
• [T1059.001] PowerShell – TelePowerBot commands are executed via PowerShell. ‘[TelePowerBot] awaits PowerShell commands from this channel, which it then executes.’
• [T1547] Boot or Logon Autostart Execution – TelePowerBot uses a registry implant that activates during system boot through a script. ‘A registry implant that activates during system boot through a script…’
• [T1102] Web Service – Data exfiltration via HTTP and webhook services. ‘utilized the HTTP protocol and a Webhook service to exfiltrate the stolen data.’