New NAPLISTENER Malware Used by REF2924 Group to Evade Network Detection
The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia.
The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade “network-based forms of detection.”
REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member in 2022.
The threat actor’s modus operandi suggests overlaps with another hacking group dubbed ChamelGang, which was documented by Russian cybersecurity company Positive Technologies in October 2021.
Attacks orchestrated by the group are said to have exploited internet-exposed Microsoft Exchange servers to deploy backdoors such as DOORME, SIESTAGRAPH, and ShadowPad.
DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to a contested network and executes additional malware and tools.
SIESTAGRAPH employs Microsoft’s Graph API for command-and-control via Outlook and OneDrive, and comes with capabilities to run arbitrary commands through Command Prompt, upload and download files to and from OneDrive, and take screenshots.
ShadowPad is a privately sold modular backdoor and a successor of PlugX, enabling threat actors to maintain persistent access to compromised computers and run shell commands and follow-on payloads.
The use of ShadowPad is noteworthy as it indicates a potential link to China-based hacking groups, which are known to utilize the malware in various campaigns over the years.
To this list of expanding malware arsenal used by REF2924 joins NAPLISTENER (“wmdtc.exe”), which masquerades as a legitimate service Microsoft Distributed Transaction Coordinator (“msdtc.exe”) in an attempt to fly under the radar and establish persistent access.
“NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet, reads any data that was submitted, decodes it from Base64 format, and executes it in memory,” security researcher Remco Sprooten said.
Code analysis suggests the threat actor borrows or repurposes code from open source projects hosted on GitHub to develop its own tools, a sign that REF2924 may be actively honing a raft of cyber weapons.
The findings also come as a Vietnamese organization was targeted in late December 2022 by a previously unknown Windows backdoor codenamed PIPEDANCE to facilitate post-compromise and lateral movement activities, including Cobalt Strike.