The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia.

The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade “network-based forms of detection.”

REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member in 2022.

The threat actor’s modus operandi suggests overlaps with another hacking group dubbed ChamelGang, which was documented by Russian cybersecurity company Positive Technologies in October 2021.

Attacks orchestrated by the group are said to have exploited internet-exposed Microsoft Exchange servers to deploy backdoors such as DOORME, SIESTAGRAPH, and ShadowPad.

DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to a contested network and executes additional malware and tools.

SIESTAGRAPH employs Microsoft’s Graph API for command-and-control via Outlook and OneDrive, and comes with capabilities to run arbitrary commands through Command Prompt, upload and download files to and from OneDrive, and take screenshots.

ShadowPad is a privately sold modular backdoor and a successor of PlugX, enabling threat actors to maintain persistent access to compromised computers and run shell commands and follow-on payloads.

The use of ShadowPad is noteworthy as it indicates a potential link to China-based hacking groups, which have been known to use the malware in various campaigns over the years.

NAPLISTENER (“wmdtc.exe”) now joins REF2924’s expanding malware arsenal. It masquerades as the legitimate Microsoft Distributed Transaction Coordinator service (“msdtc.exe”) in an attempt to fly under the radar and establish persistent access.
“NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet, reads any data that was submitted, decodes it from Base64 format, and executes it in memory,” security researcher Remco Sprooten said.
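One detection angle that follows from the masquerade described above is to compare running image names against known Windows service binaries, flagging near-lookalikes (as “wmdtc.exe” is to “msdtc.exe”) and known names loaded from an unexpected directory. The script below is an added example, not code from the article or from Elastic Security Labs; the binary list, expected paths and process records are constructed assumptions.

```python
# Added example, not code from the article or from Elastic Security Labs.
# Flags process records whose image name is a near-lookalike of a known Windows
# service binary (as NAPLISTENER's "wmdtc.exe" is to "msdtc.exe") or that carry a
# known name but run outside the expected directory. All records are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Expected on-disk location for a few service binaries (assumption: default install).
KNOWN_SYSTEM_BINARIES = {
    "msdtc.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}
MAX_DISTANCE = 2  # "wmdtc.exe" is two single-character edits away from "msdtc.exe"

@dataclass
class ProcessRecord:
    name: str       # image file name as reported by process telemetry
    directory: str  # directory the image was loaded from

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with the classic dynamic-programming rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(rec: ProcessRecord) -> Optional[str]:
    """Return a reason string if the record looks suspicious, otherwise None."""
    name = rec.name.lower()
    directory = rec.directory.lower().rstrip("\\")
    if name in KNOWN_SYSTEM_BINARIES:
        if directory != KNOWN_SYSTEM_BINARIES[name]:
            return f"{name} outside {KNOWN_SYSTEM_BINARIES[name]}"
        return None  # genuine name in its expected directory
    for known in KNOWN_SYSTEM_BINARIES:
        if edit_distance(name, known) <= MAX_DISTANCE:
            return f"lookalike of {known}"
    return None

def find_suspicious(records: List[ProcessRecord]) -> List[Tuple[str, str, str]]:
    return [(r.name, r.directory, reason) for r in records if (reason := classify(r))]

SAMPLE_PROCESSES = [  # constructed sample, not telemetry from the article
    ProcessRecord("msdtc.exe", r"C:\Windows\System32"),
    ProcessRecord("wmdtc.exe", r"C:\ProgramData\wmdtc"),
    ProcessRecord("msdtc.exe", r"C:\Users\Public"),
    ProcessRecord("notepad.exe", r"C:\Windows\System32"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PROCESSES):
        print(hit)
```

A two-edit threshold is deliberately loose; on real telemetry, pair it with the image's signer and path so that short, similar legitimate names do not dominate the alerts.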
Code analysis suggests the threat actor borrows or repurposes code from open source projects hosted on GitHub to develop its own tools, a sign that REF2924 may be actively honing a raft of cyber weapons.

The findings also come as a Vietnamese organization was targeted in late December 2022 by a previously unknown Windows backdoor codenamed PIPEDANCE to facilitate post-compromise and lateral movement activities, including deploying Cobalt Strike.