Official forum for Utopia Community

You are not logged in.

#1 2023-03-22 15:56:18

Registered: 2023-01-04
Posts: 2,308

New Malware in the REF2924 Group's Arsenal to Avoid Detection

The REF2924 threat organization has been seen utilizing previously unseen malware in its attacks against entities in South and Southeast Asia.
Elastic Security Labs' NAPLISTENER malware is an HTTP listener written in C# that is designed to avoid "network-based forms of detection."
In 2022, an activity cluster called REF2924 was related to attacks on an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member.
The threat actor's modus operandi shows overlap with another hacker group, ChamelGang, which was documented in October 2021 by Russian cybersecurity firm Positive Technologies.

The group's orchestrated attack may have used Microsoft Exchange servers exposed to the Internet to deploy backdoors such as DOORME, SIESTAGRAPH and ShadowPad. DOORME is an Internet Information Services (IIS) backdoor module that provides remote access to compromised networks and executes other malware and tools.

SIESTAGRAPH uses the Microsoft Graph API for command and control via Outlook and OneDrive, with the ability to run arbitrary commands via Command Prompt, upload and download files from OneDrive, and take screenshots. ShadowPad is a privately sold modular backdoor and successor to PlugX that allows threat actors to maintain permanent access to infected computers and run shell commands and subsequent payloads.

The use of ShadowPad is notable because it suggests possible links to Chinese hacking groups that have used malware in various campaigns over the years. Adding to this growing list of malware arsenals used by REF2924 is NAPLISTENER ("wmdtc.exe"), which masquerades as a legitimate service, Microsoft Distributed Transaction Coordinator ("msdtc.exe"), in an attempt to get under the radar and create persistent. access.

"NAPLISTENER creates an HTTP request listener that processes incoming requests from the Internet, reads all submitted data, decodes it from Base64 format and executes it in memory," said security researcher Remko Sprooten. Code analysis showed that threat actors borrowed or reused code from open source projects hosted on GitHub to develop their own tools, suggesting that REF2924 may be actively building various cyberweapons.

The findings come as the Vietnamese organization was targeted in late December 2022 against a previously unknown Windows backdoor codenamed PIPEDANCE to facilitate post-compromise and lateral displacement operations, including the deployment of Cobalt Strike.


Board footer

Powered by FluxBB