Threat group tracked as REF2924 has been observed deploying never-before-seen malware in attacks targeting entities in South and Southeast Asia.
malware called NAPLISTENER An HTTP listener, programmed in C#, by Elastic Security Labs, designed to evade “network-based detection”.
REF2924 is the moniker assigned to the activity cluster related to attacks against Afghan organizations and foreign affairs offices of ASEAN member states in 2022.
The threat actor’s modus operandi suggests overlap with another hacking group called ChamelGang, documented in October 2021 by Russian cybersecurity firm Positive Technologies.
Attacks orchestrated by this group exploited Internet-facing Microsoft Exchange servers to deploy a backdoor DOORME, SIESTAGRAPH, ShadowPad, etc.
DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to competing networks to run additional malware and tools.
SIESTAGRAPH is Microsoft’s Graph API It is for command and control via Outlook and OneDrive and comes with the ability to execute arbitrary commands via Command Prompt, upload and download files to and from OneDrive, take screenshots, etc. increase.
ShadowPad is a private modular backdoor that successor of Plug XThis allows the attacker to maintain persistent access to the compromised computer and execute shell commands and subsequent payloads.
The use of ShadowPad is worth noting. take advantage of malware In various campaigns over the years.
NAPLISTENER (“wmdtc.exe”) joins this list of growing malware arsenals used by REF2924. NAPLISTENER (“wmdtc.exe”) attempts to fly under the radar and establish persistent access by impersonating a legitimate service of Microsoft Distributed Transaction Coordinator (“msdtc.exe”).
Discover the hidden dangers of third-party SaaS apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize the risks.
“NAPLISTENER creates an HTTP request listener that can handle incoming requests from the internet, reads the data sent, decodes it from Base64 format, and runs it in memory,” says security researcher Remco Sprooten. says.
Code analysis suggests that threat actors are borrowing or repurposing code from open source projects hosted on GitHub to develop their own tools.
This finding is also attributed to Vietnamese organizations being targeted in late December 2022 by a previously unknown Windows backdoor codename. pipe dance To facilitate post-compromise lateral movement activities, including the deployment of Cobalt Strike.
