Mar 22, 2023 | Ravie Lakshmanan
The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia.

The malware, dubbed NAPLISTENER[1] by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade "network-based forms of detection."

REF2924[2] is the moniker assigned to an activity cluster linked to attacks against an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member in 2022.

The threat actor's modus operandi suggests overlaps with another hacking group dubbed ChamelGang[3], which was documented by Russian cybersecurity company Positive Technologies in October 2021.

Attacks orchestrated by the group are said to have exploited internet-exposed Microsoft Exchange servers to deploy backdoors[4] such as DOORME, SIESTAGRAPH, and ShadowPad.

DOORME, an Internet Information Services (IIS[5]) backdoor module, provides remote access to a contested network and executes additional malware and tools.

SIESTAGRAPH employs Microsoft's Graph API[6] for command-and-control via Outlook and OneDrive, and comes with capabilities to run arbitrary commands through Command Prompt, upload and download files to and from OneDrive, and take screenshots.

ShadowPad[7] is a privately sold modular backdoor and a successor[8] of PlugX[9], enabling threat actors to maintain persistent access to compromised computers and run shell commands and follow-on payloads.

The use of ShadowPad is noteworthy as it indicates a potential link to China-based hacking groups, which are known to have utilized the malware[10] in various campaigns over the years.
NAPLISTENER ("wmdtc.exe") is the latest addition to REF2924's expanding malware arsenal. It masquerades as the legitimate Microsoft Distributed Transaction Coordinator service ("msdtc.exe") in an attempt to fly under the radar and establish persistent access.
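The masquerade described above (a binary named "wmdtc.exe" posing as "msdtc.exe") is a pattern defenders can hunt for generically: a process whose name is a near-match for a known Windows service binary, or a known name running from a directory Windows never uses for it. The following is an added example, not code from the article or from Elastic Security Labs; the process inventory, the directory table and the edit-distance threshold are constructed assumptions for illustration, and it goes beyond the single wmdtc/msdtc case by checking every entry against a small table of system binaries.

```python
"""Hunt a process inventory for binaries masquerading as Windows system services.

Added example (not the article's or Elastic's code). The inventory below is
constructed; in practice it would come from an EDR export or a process listing.
"""
from dataclasses import dataclass

# Assumed table of service binaries and the directory Windows runs them from.
KNOWN_SYSTEM_BINARIES = {
    "msdtc.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Hunting threshold: names within this many edits of a known binary are suspicious.
# Two edits is enough to catch "wmdtc.exe" vs "msdtc.exe" (w->m, m->s).
NEAR_MATCH_DISTANCE = 2


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str
    path: str
    listening_ports: tuple  # TCP ports the process has bound, if any


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def assess(proc: ProcessRecord) -> list:
    """Return human-readable findings for one process (empty list = nothing odd)."""
    name = proc.name.lower()
    directory = proc.path.lower().rsplit("\\", 1)[0]
    findings = []
    for legit, legit_dir in KNOWN_SYSTEM_BINARIES.items():
        if name == legit:
            if directory != legit_dir:
                findings.append(f"{legit} running from unexpected directory {directory}")
        elif edit_distance(name, legit) <= NEAR_MATCH_DISTANCE:
            findings.append(f"name {name} is a near-match for {legit}")
    # A lookalike that also accepts inbound connections (as an HTTP listener would)
    # deserves a higher priority, so record the ports alongside the name finding.
    if findings and proc.listening_ports:
        findings.append(f"process also listens on TCP {list(proc.listening_ports)}")
    return findings


def hunt(inventory) -> dict:
    """Map pid -> findings for every process that raised at least one finding."""
    return {p.pid: assess(p) for p in inventory if assess(p)}


# Constructed sample inventory: two benign entries, one lookalike, one path anomaly.
SAMPLE_INVENTORY = [
    ProcessRecord(412, "msdtc.exe", r"c:\windows\system32\msdtc.exe", ()),
    ProcessRecord(980, "svchost.exe", r"c:\windows\system32\svchost.exe", ()),
    ProcessRecord(5120, "wmdtc.exe", r"c:\programdata\wmdtc.exe", (8080,)),
    ProcessRecord(6001, "svchost.exe", r"c:\users\public\svchost.exe", ()),
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_INVENTORY).items():
        print(pid, *findings, sep="\n  ")
```

The threshold is deliberately loose; on a real host a distance of 2 against a long table of system binaries will produce some noise, so the usual approach is to tune the table to the services actually present on the image and to treat the path anomaly as the higher-confidence signal.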
"NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet, reads any data that was submitted, decodes it from Base64 format, and executes it in memory," security researcher Remco Sprooten said.

Code analysis suggests the threat actor borrows or repurposes code from open source projects hosted on GitHub to develop its own tools, a sign that REF2924 may be actively honing a raft of cyber weapons.

The findings also come as a Vietnamese organization was targeted in late December 2022 by a previously unknown Windows backdoor codenamed PIPEDANCE[12] to facilitate post-compromise and lateral movement activities, including deploying Cobalt Strike[13].
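The behaviour quoted above (accept a request, Base64-decode the body, execute the result in memory) gives a defender one content-level signal to look for at a proxy or WAF: request bodies that are valid Base64 and decode to a Windows executable. The following is an added example, not code from the article or from Elastic Security Labs; the tab-separated request log format and the sample entries are constructed, and the page does not describe NAPLISTENER's actual request shape, so this is a generic "Base64 payload that decodes to a PE" heuristic rather than a signature for this malware.

```python
"""Flag HTTP request bodies that are Base64-encoded Windows executables.

Added example (not the article's or Elastic's code). Log format and samples are
constructed: one line per request, fields separated by tabs: METHOD, PATH, BODY.
"""
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BODY_CHARS = 16  # shorter bodies cannot hold anything executable


def make_fake_pe() -> bytes:
    """Build a minimal, non-functional blob with a valid DOS/PE header layout."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"                                   # DOS magic
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")       # e_lfanew -> PE signature
    return bytes(header) + b"PE\x00\x00" + bytes(200)       # signature + filler


def decode_if_base64(s: str):
    """Return decoded bytes if s is strict Base64 of a plausible length, else None."""
    if len(s) < MIN_BODY_CHARS or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[off:off + 4] == b"PE\x00\x00"


def scan(lines) -> list:
    """Return (method, path, decoded_size) for every request carrying a PE payload."""
    hits = []
    for line in lines:
        method, path, body = line.split("\t", 2)
        blob = decode_if_base64(body)
        if blob is not None and looks_like_pe(blob):
            hits.append((method, path, len(blob)))
    return hits


# Constructed sample log: static GET, Base64 JSON (benign), Base64 PE, junk body.
SAMPLE_REQUESTS = [
    "GET\t/index.html\t",
    "POST\t/api/login\t" + base64.b64encode(b'{"user":"alice"}').decode(),
    "POST\t/upload\t" + base64.b64encode(make_fake_pe()).decode(),
    "POST\t/form\tnot-base64!!",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("PE payload in request:", hit)
```

Because the listener executes whatever it receives, the same check can be applied at the host: the process that received the request is the one worth correlating with the masquerade findings, and a Base64 body that decodes to a .NET assembly will still carry the MZ/PE header this heuristic keys on.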
References
[1] NAPLISTENER (www.elastic.co)
[2] REF2924 (thehackernews.com)
[3] ChamelGang (thehackernews.com)
[4] deploy backdoors (www.elastic.co)
[5] IIS (thehackernews.com)
[6] Graph API (learn.microsoft.com)
[7] ShadowPad (thehackernews.com)
[8] successor (asec.ahnlab.com)
[9] PlugX (news.sophos.com)
[10] utilize the malware (ics-cert.kaspersky.com)
[11] RESERVE YOUR SEAT (thn.news)
[12] PIPEDANCE (www.elastic.co)
[13] Cobalt Strike (thehackernews.com)
[14] Twitter (twitter.com)
[15] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html
