New NAPLISTENER Malware Utilized by REF2924 Group to Evade Community Detection

Mar 22, 2023Ravie LakshmananCommunity Safety / Cyber Menace

The risk group tracked as REF2924 has been noticed deploying beforehand unseen malware in its assaults geared toward entities in South and Southeast Asia.

The malware, dubbed NAPLISTENER by Elastic Safety Labs, is an HTTP listener programmed in C# and is designed to evade “network-based types of detection.”

REF2924 is the moniker assigned to an exercise cluster linked to assaults towards an entity in Afghanistan in addition to the International Affairs Workplace of an ASEAN member in 2022.

The risk actor’s modus operandi suggests overlaps with one other hacking group dubbed ChamelGang, which was documented by Russian cybersecurity firm Optimistic Applied sciences in October 2021.

Assaults orchestrated by the group are stated to have exploited internet-exposed Microsoft Change servers to deploy backdoors comparable to DOORME, SIESTAGRAPH, and ShadowPad.

DOORME, an Web Info Companies (IIS) backdoor module, supplies distant entry to a contested community and executes extra malware and instruments.

SIESTAGRAPH employs Microsoft’s Graph API for command-and-control by way of Outlook and OneDrive, and comes with capabilities to run arbitrary instructions via Command Immediate, add and obtain information to and from OneDrive, and take screenshots.

ShadowPad is a privately bought modular backdoor and a successor of PlugX, enabling risk actors to take care of persistent entry to compromised computer systems and run shell instructions and follow-on payloads.

The usage of ShadowPad is noteworthy because it signifies a possible hyperlink to China-based hacking teams, that are identified to utilize the malware in numerous campaigns over time.

To this checklist of increasing malware arsenal utilized by REF2924 joins NAPLISTENER (“wmdtc.exe”), which masquerades as a reliable service Microsoft Distributed Transaction Coordinator (“msdtc.exe”) in an try and fly beneath the radar and set up persistent entry.

“NAPLISTENER creates an HTTP request listener that may course of incoming requests from the web, reads any knowledge that was submitted, decodes it from Base64 format, and executes it in reminiscence,” safety researcher Remco Sprooten stated.

Code evaluation suggests the risk actor borrows or repurposes code from open supply tasks hosted on GitHub to develop its personal instruments, an indication that REF2924 could also be actively honing a raft of cyber weapons.

The findings additionally come as a Vietnamese group was focused in late December 2022 by a beforehand unknown Home windows backdoor codenamed PIPEDANCE to facilitate post-compromise and lateral motion actions, together with Cobalt Strike.