Hackers target South Asian government entities with KamiKakaBot malware
Suspected government-backed hackers are attacking military and government organizations in South Asia with malware called KamiKakaBot that is designed to steal sensitive information.
Researchers from Amsterdam-based cybersecurity firm EclecticIQ attributed the attacks to the advanced persistent threat (APT) group Dark Pink.
The group’s previous victims include military, government, religious and non-profit organizations in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina. In previous campaigns, Dark Pink's main goals were to conduct corporate espionage, steal documents, capture sound from the microphones of infected devices, and exfiltrate messaging data, according to research by cybersecurity firm Group-IB.
At the time, researchers didn't have enough data to attribute the group to a particular country, but they concluded that it was probably based in the Asia-Pacific region given the location of the victims.
EclecticIQ's findings suggest that Dark Pink may be linked to China, but its researchers cautioned that the evidence is inconclusive.
During their latest campaign in February, the hackers sent phishing emails to their victims claiming to be from European state officials.
In one of the emails obtained by researchers, the hackers imitated German state officials and urged the Indonesian government to expand cooperation between their countries in response to increased geopolitical tensions.
Dark Pink’s February campaign was nearly identical to previous attacks that Group-IB reported in January.
In both attacks, the group delivered its malware inside ISO images, disk-image files that hold a complete copy of a CD or DVD's contents and that Windows mounts as a drive when opened. The hackers then executed the malware using a technique called DLL side-loading, in which a legitimate, trusted program is tricked into loading a malicious DLL placed alongside it instead of the library it expects.
The main difference between the two campaigns, according to EclecticIQ, is that the hackers improved their methods of avoiding detection, using legitimate tools to avoid security software.
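The side-loading shape described above (a trusted executable, dropped from a mounted image, loading a malicious DLL that sits next to it) leaves a recognisable pattern in module-load telemetry. The following is an added defensive illustration, not code from the article or from EclecticIQ: a small heuristic over module-load events of the kind Sysmon (Event ID 7) or an EDR records. The event field names, the signer flags, and the sample events are constructed for this example; the D: drive stands in for a mounted ISO, and the file names are placeholders rather than indicators from the campaign.

```python
"""Heuristic detection of DLL side-loading from module-load telemetry.

Added illustration. The event shape (executable path, DLL path, signer
status) mirrors Sysmon Event ID 7 / EDR image-load telemetry, but the field
names and the sample events below are constructed for this example.
"""
from typing import Iterable

# Directories from which Windows normally resolves its own DLLs.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """True when a signed executable running outside the Windows system
    directories loads an unsigned DLL from its own directory.

    That combination is the classic side-loading shape: the trusted binary
    is the lure, the co-located DLL is the payload. Signed-by-signed loads
    and DLLs resolved from System32 are left alone to keep noise down.
    """
    image = _norm(event["image"])
    dll = _norm(event["dll"])
    if in_system_dir(image):
        return False                      # system binary, normal behaviour
    if _dirname(image) != _dirname(dll):
        return False                      # DLL is not co-located with the EXE
    return event.get("image_signed", False) and not event.get("dll_signed", False)


def find_sideload_candidates(events: Iterable[dict]) -> list[dict]:
    """Return every event that matches the side-loading heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry (not from the article). D: represents a
# freshly mounted ISO; the names are placeholders.
SAMPLE_EVENTS = [
    {"image": r"D:\viewer.exe", "dll": r"D:\helper.dll",
     "image_signed": True, "dll_signed": False},
    {"image": r"C:\Windows\System32\notepad.exe",
     "dll": r"C:\Windows\System32\version.dll",
     "image_signed": True, "dll_signed": True},
    {"image": r"C:\Program Files\App\app.exe", "dll": r"C:\Program Files\App\app.dll",
     "image_signed": True, "dll_signed": True},
    {"image": r"C:\Users\u\AppData\Local\Temp\tool.exe",
     "dll": r"C:\Windows\System32\kernel32.dll",
     "image_signed": True, "dll_signed": True},
]

if __name__ == "__main__":
    for e in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL side-loading:", e["image"], "->", e["dll"])
```

Run over real telemetry, the heuristic is a triage filter rather than a verdict: a signed installer that ships its own unsigned helper DLL will match too, so the hits are best enriched with the executable's publisher and whether its directory is a removable or freshly mounted volume before they become alerts.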
The malware used by the group — KamiKakaBot — is designed to steal sensitive information from popular web browsers like Chrome, Edge and Firefox. This includes passwords, browsing data, and cookies. The malware can also give hackers control over the device and allow them to run code remotely.
KamiKakaBot sends the stolen browser data to the attackers' Telegram bot channel in a compressed ZIP format, with the ZIP files named after the infected devices, allowing the attackers to categorize their victims.
The use of legitimate web services, such as Telegram, “remains the number one choice for different threat actors — from regular cybercriminals to APT group,” according to EclecticIQ.
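Because the exfiltration channel is an ordinary HTTPS request to a legitimate service, the network-side detection opportunity is the destination and the API method rather than any malicious-looking host. The following is an added defensive example, not code from the article or from EclecticIQ: it scans egress proxy records for calls to the Telegram Bot API and raises the severity when the call is a file upload. The log layout (timestamp, client, HTTP method, host, path, status, bytes sent) and the sample lines are constructed for this example and should be adapted to the real proxy format; the `/bot<id>:<secret>/<method>` path shape and the `sendDocument` method are genuine Telegram Bot API conventions. The bot secret is deliberately dropped from the alert so that it does not propagate into ticketing systems.

```python
"""Flag Telegram Bot API uploads in egress proxy logs.

Added example, not from the article. The space-separated log format and the
sample lines below are constructed; the Bot API path shape is Telegram's own.
"""
import re

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Bot API methods that carry a file out of the network.
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio"}


def parse_line(line: str):
    """Parse one constructed proxy record: ts client method host path status bytes."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, status, bytes_out = parts
    return {"ts": ts, "client": client, "method": method.upper(), "host": host,
            "path": path, "status": status, "bytes_out": int(bytes_out)}


def inspect(record: dict):
    """Return an alert dict for Telegram Bot API traffic, else None.

    An upload method over POST is rated high: that is the shape the article
    describes, stolen browser data zipped and sent to a bot channel.
    Polling methods such as getUpdates are rated low but still surfaced,
    since a bot that reads commands is a C2 channel as well.
    """
    if record["host"].lower() != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH.match(record["path"])
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()      # secret intentionally unused
    is_upload = record["method"] == "POST" and api_method.lower() in UPLOAD_METHODS
    return {
        "ts": record["ts"],
        "client": record["client"],
        "bot_id": bot_id,                         # enough to correlate, not to abuse
        "api_method": api_method,
        "bytes_out": record["bytes_out"],
        "severity": "high" if is_upload else "low",
    }


def scan(lines):
    """Run every parsable line through inspect() and collect the alerts."""
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        alert = inspect(record)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real traffic); the token is a placeholder.
SAMPLE_LOG = [
    "2023-02-10T09:14:02Z 10.1.4.23 POST api.telegram.org "
    "/bot123456789:AAExampleTokenPlaceholder/sendDocument 200 482113",
    "2023-02-10T09:14:05Z 10.1.4.23 GET api.telegram.org "
    "/bot123456789:AAExampleTokenPlaceholder/getUpdates 200 311",
    "2023-02-10T09:15:00Z 10.1.4.40 GET www.example.com /index.html 200 1200",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['client']} {a['api_method']} "
              f"bot={a['bot_id']} bytes={a['bytes_out']}")
```

In an environment where no business workflow legitimately talks to the Bot API, the low-severity hits are worth keeping as well: a single host alternating `getUpdates` polls with occasional large `sendDocument` uploads is the traffic profile of a bot-controlled implant, and it is visible even when TLS inspection is not available, since the host name is all the filter needs.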
EclecticIQ experts believe that the Dark Pink group will continue to enhance their tactics and techniques to avoid being detected by security experts, given their “creative” methods of gaining and sustaining access to their victims’ devices.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.