
A threat group tracked as REF2924 has been observed deploying never-before-seen malware in attacks targeting entities in South and Southeast Asia.
The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and designed to evade “network-based detection.”
REF2924 is the moniker assigned to the activity cluster related to attacks against Afghan organizations and foreign affairs offices of ASEAN member states in 2022.
The threat actor’s modus operandi suggests overlap with another hacking group called ChamelGang, documented in October 2021 by Russian cybersecurity firm Positive Technologies.
Attacks orchestrated by this group are said to have exploited Internet-facing Microsoft Exchange servers to deploy backdoors such as DOORME, SIESTAGRAPH, and ShadowPad.
DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to compromised networks so that additional malware and tools can be run.
SIESTAGRAPH uses Microsoft's Graph API for command and control via Outlook and OneDrive, allowing it to execute arbitrary commands via Command Prompt, upload and download files to and from OneDrive, and take screenshots.
ShadowPad is a privately sold modular backdoor and successor to PlugX that allows attackers to maintain persistent access to a compromised computer, execute shell commands, and run follow-on payloads.
The use of ShadowPad is notable as it indicates a potential link to China-based hacking groups known to have used the malware in various campaigns over the years.
NAPLISTENER (“wmdtc.exe”) joins this growing malware arsenal used by REF2924. It attempts to fly under the radar and establish persistent access by masquerading as the legitimate Microsoft Distributed Transaction Coordinator service (“msdtc.exe”), whose binary name it closely mimics.
“NAPLISTENER creates an HTTP request listener that can handle incoming requests from the internet, reads the data sent, decodes it from Base64 format, and runs it in memory,” says security researcher Remco Sprooten.
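The two behaviours described above, a process name that mimics msdtc.exe and an HTTP listener that Base64-decodes request bodies and executes the result in memory, both leave artifacts a defender can hunt for. The following script is an added example written for this page, not code from Elastic Security Labs or from the malware itself. It runs two heuristic checks over constructed sample data: a lookalike check on process image names against a small, assumed list of legitimate Windows binaries (the list, the similarity threshold, and the sample process table are illustrative assumptions), and a check that flags HTTP request bodies consisting of Base64 that decodes to a PE image (MZ header), the shape of payload an in-memory loader would expect.

```python
import base64
from difflib import SequenceMatcher
import re

# Assumption: a small illustrative set of Windows binaries that malware likes
# to impersonate, mapped to the only path they legitimately run from.
# A real hunt would use a fuller list and also check the file's signature.
LEGIT_SYSTEM_BINARIES = {
    "msdtc.exe": r"c:\windows\system32\msdtc.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}


def masquerade_score(name: str, legit_name: str) -> float:
    """Similarity ratio (0..1) between an observed image name and a legit one.
    wmdtc.exe vs msdtc.exe scores about 0.89; unrelated names score well below."""
    return SequenceMatcher(None, name.lower(), legit_name.lower()).ratio()


def find_masquerading_processes(processes, threshold=0.8):
    """Return (pid, name, reason) for processes that either share a legitimate
    binary name but run from the wrong path, or carry a near-identical name."""
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        path = proc["path"].lower()
        for legit_name, legit_path in LEGIT_SYSTEM_BINARIES.items():
            if name == legit_name:
                if path != legit_path:
                    findings.append((proc["pid"], name,
                                     f"legit name, wrong path: {proc['path']}"))
                continue
            if masquerade_score(name, legit_name) >= threshold:
                findings.append((proc["pid"], name, f"lookalike of {legit_name}"))
    return findings


# Bodies made only of Base64 alphabet characters, long enough to carry code.
B64_BODY_RE = re.compile(r"^[A-Za-z0-9+/=\r\n]{64,}$")


def decoded_payload_kind(body: str):
    """Classify an HTTP request body: 'pe' if it is Base64 that decodes to a PE
    image (MZ header), 'base64' if it is Base64 of something else, None otherwise."""
    stripped = body.strip()
    if not B64_BODY_RE.match(stripped):
        return None
    try:
        raw = base64.b64decode(stripped)  # binascii.Error is a ValueError
    except ValueError:
        return None
    if raw[:2] == b"MZ":
        return "pe"
    return "base64"


# Constructed sample data (not real telemetry): a genuine msdtc.exe, a lookalike
# named after the NAPLISTENER binary, and a renamed copy of svchost.exe.
SAMPLE_PROCESSES = [
    {"pid": 812, "name": "msdtc.exe", "path": r"C:\Windows\System32\msdtc.exe"},
    {"pid": 4120, "name": "wmdtc.exe", "path": r"C:\ProgramData\wmdtc.exe"},
    {"pid": 3096, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe"},
]

# Constructed request bodies: a fake PE (MZ header plus padding), plain Base64
# text, and an ordinary form post.
FAKE_PE_REQUEST_BODY = base64.b64encode(b"MZ" + b"\x90" * 100).decode()
PLAIN_B64_BODY = base64.b64encode(b"hello world" * 10).decode()
FORM_BODY = "username=alice&password=secret"

if __name__ == "__main__":
    for finding in find_masquerading_processes(SAMPLE_PROCESSES):
        print("process:", finding)
    for label, body in [("pe", FAKE_PE_REQUEST_BODY), ("b64", PLAIN_B64_BODY),
                        ("form", FORM_BODY)]:
        print("body", label, "->", decoded_payload_kind(body))
```

Both checks are deliberately cheap heuristics for triage, not signatures: the name-similarity check will miss a binary that reuses the exact legitimate name from the exact legitimate path (that case needs a signature or hash check), and the body check only recognises payloads that decode to a PE image, so a listener fed raw shellcode or a differently encoded blob would pass it.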
Code analysis suggests that threat actors are borrowing or repurposing code from open source projects hosted on GitHub to develop their own tools.
The findings come as a Vietnamese organization was targeted in late December 2022 by a previously unknown Windows backdoor codenamed PIPEDANCE, used to facilitate post-compromise and lateral movement activity, including the deployment of Cobalt Strike.