{"id":7254,"date":"2021-11-02T16:50:31","date_gmt":"2021-11-02T23:50:31","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7254"},"modified":"2024-08-07T12:18:12","modified_gmt":"2024-08-07T19:18:12","slug":"new-threat-actor-pink-boa","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/new-threat-actor-pink-boa\/","title":{"rendered":"New Threat Actor: PINK BOA"},"content":{"rendered":"

Author: Ma\u00ebl Le Touz<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

Since the beginning of 2021, Infoblox has been tracking a threat actor, whom we have named PINK BOA. The actor has been highly active throughout this period, but the campaigns have intensified even further over the past several weeks.<\/p>\n

PINK BOA uses a dictionary DGA (DDGA) algorithm to generate hostnames at random, and it uses thousands of IPs owned by the U.S.-based hosting provider Digital Ocean and spread out across the world. The results of a scan we performed on public reports suggest that most of the compromised IP addresses have vulnerabilities that can be exploited by remotely executing malicious code.<\/p>\n

2. Customer impact<\/h3>\n

To extend its reach, PINK BOA has translated the email message into Spanish, Italian, German, and other languages. This has allowed the actor to send the message to targets in multiple countries and to keep the overall volume of emails very high.<\/p>\n

PINK BOA harvests credentials and other sensitive information by using Agent Tesla,1<\/sup> Groooboor, Formbook,2<\/sup> STRRAT,3<\/sup> Snake Keylogger,4<\/sup> AveMaria,5<\/sup> GuLoader,6<\/sup> and other malware-as-a-service (MaaS) infostealers.<\/p>\n

3. Campaign analysis<\/h3>\n

To lure a target into opening the email, the actor uses the words invoice, quotation, and purchase order in the subject lines. Attached to the emails is an archive that contains either an executable or an infected Microsoft Office file.<\/p>\n

PINK BOA uses phishing templates packaged as HTA archives. On Microsoft Windows machines, these files automatically open in Internet Explorer and attempt to trick the victims into entering their passwords. Each such file is customized to show the recipient’s email address.<\/p>\n

4. Attack chain<\/h3>\n

After the user expands the archive attachment, the file\u2019s code proceeds to exploit an old vulnerability in Office, such as CVE 2017-1182.7<\/sup><\/p>\n

To avoid detection, PINK BOA stores most of its code on a server and downloads it only when the victim interacts with the malware in the attachment.
\nPINK BOA has a number of distinguishing characteristics:<\/p>\n