
REF2924 Brings a New Weapon NAPLISTENER to the Table

REF2924, a threat activity group known for targeting Afghanistan and an ASEAN member state in 2022, has been observed shifting its focus from data espionage to persistent access inside targeted networks. It has recently added a new tool to its arsenal: a backdoor named NAPLISTENER.

A bit about NAPLISTENER

Elastic Security Labs researchers found REF2924 targeting entities in South and Southeast Asia with NAPLISTENER.
  • NAPLISTENER (Wmdtc[.]exe) is a C#-based backdoor that masquerades as the legitimate Microsoft Distributed Transaction Coordinator (msdtc[.]exe) to evade detection and maintain persistence; the one-letter difference in the filename is the tell.
  • It creates an HTTP request listener and filters incoming requests for the malware's own commands, so that its command-and-control traffic blends in with legitimate web traffic to the host.
  • It then reads the submitted data, decodes it, and executes the resulting payload directly in memory, so no second-stage file is written to disk.
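The two behaviours above suggest two host-side hunts. The following script is an added example, not code from Elastic Security Labs or from the REF2924 report: it runs over constructed sample records (field names Image, ProcessId, Url and Pid are assumptions modelled on Sysmon Event ID 1 and on `netsh http show servicestate`, and every value is made up) and flags a process whose image name is a near-miss of a well-known Windows binary, or reuses that name from the wrong directory, and an HTTP.sys URL registration attached to a process other than the usual IIS or service-host owners. The second check matters because a .NET HttpListener registers a URL prefix with HTTP.sys rather than binding its own socket, so netstat attributes the listening port to System (PID 4) and several processes can share port 80; the netsh output is what maps a registered URL back to the process ID.

```python
"""
Added example: hunting for a NAPLISTENER-style implant on a Windows host.
Not part of the original article or of any vendor tooling.

  1. Masquerading: image names that are a near-miss of a known binary
     (Wmdtc.exe imitating msdtc.exe) or the exact name outside its home.
  2. HTTP.sys registrations attached to an unexpected process, since the
     socket itself is owned by System and netstat will not show the implant.

Field names are assumptions (Sysmon Event ID 1 / netsh-style records);
all sample values below are constructed.
"""
import ntpath

# Home directory of binaries that implants like to imitate
# (assumption: default Windows install paths).
KNOWN_BINARIES = {
    "msdtc.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "w3wp.exe": r"c:\windows\system32\inetsrv",
}

# Processes that legitimately own HTTP.sys URL registrations on a typical
# IIS/Exchange host (assumption; tune per environment).
EXPECTED_HTTPSYS_OWNERS = {"w3wp.exe", "svchost.exe", "system"}


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, plain dynamic programming."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_findings(process_events):
    """Flag images that look like, but are not, a known Windows binary."""
    findings = []
    for ev in process_events:
        image = ev["Image"]
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        for legit, legit_dir in KNOWN_BINARIES.items():
            if name == legit and directory != legit_dir:
                findings.append((ev["ProcessId"], image, f"{legit} outside {legit_dir}"))
            elif name != legit and levenshtein(name, legit) <= 2:
                # Wmdtc.exe vs msdtc.exe is distance 2. A threshold this low
                # will produce leads, not verdicts, for very short names.
                findings.append((ev["ProcessId"], image, f"name imitates {legit}"))
    return findings


def httpsys_findings(process_events, registrations):
    """Flag HTTP.sys URL registrations attached to an unexpected process."""
    by_pid = {ev["ProcessId"]: ev["Image"] for ev in process_events}
    findings = []
    for reg in registrations:
        image = by_pid.get(reg["Pid"], "<unknown>")
        owner = ntpath.basename(image).lower()
        if owner not in EXPECTED_HTTPSYS_OWNERS:
            findings.append((reg["Pid"], image, reg["Url"]))
    return findings


# Constructed sample data: real msdtc, IIS worker, a look-alike, a relocated copy.
SAMPLE_PROCESSES = [
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\msdtc.exe"},
    {"ProcessId": 4860, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"ProcessId": 5120, "Image": r"C:\ProgramData\Wmdtc.exe"},
    {"ProcessId": 6032, "Image": r"C:\Users\Public\svchost.exe"},
]
# Constructed: IIS owns the usual prefixes; the implant shares port 80 with
# a prefix of its own (the path is invented for the example).
SAMPLE_REGISTRATIONS = [
    {"Url": "http://+:80/", "Pid": 4860},
    {"Url": "https://+:443/", "Pid": 4860},
    {"Url": "http://+:80/api/", "Pid": 5120},
]

if __name__ == "__main__":
    for f in masquerade_findings(SAMPLE_PROCESSES):
        print("MASQUERADE", f)
    for f in httpsys_findings(SAMPLE_PROCESSES, SAMPLE_REGISTRATIONS):
        print("HTTPSYS", f)
```

On the sample data the first hunt reports PID 5120 (Wmdtc.exe, two edits away from msdtc.exe) and PID 6032 (svchost.exe outside System32), and the second reports the registration owned by PID 5120. Feeding it real data means exporting process creation events and the registered URL list from the host in question; the allow-lists are the part that needs tuning per environment.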

Analysis of the NAPLISTENER source, in particular identical debugging strings and logic, indicates that REF2924 borrowed the code from the open-source GitHub project SharpMemshell.

Other tools and tactics up its sleeve

Along with NAPLISTENER, the group has been observed using several additional tools during its recent campaigns.
  • The actors target internet-exposed Microsoft Exchange servers to deploy several backdoors, including SIESTAGRAPH, DOORME, and ShadowPad.
  • DOORME is an IIS backdoor module that gives attackers remote access to the targeted network and a foothold from which to deploy more malware.
  • SIESTAGRAPH abuses the Microsoft Graph API, communicating with its C2 through Outlook and OneDrive. It can upload files to and download files from OneDrive and execute arbitrary commands via the command prompt.
  • ShadowPad, a successor to PlugX, lets attackers establish persistence, run shell scripts on infected machines, and deploy additional payloads when required.

End notes

The use of open-source projects and of tooling that mimics legitimate network artifacts indicates that REF2924 is shifting toward persistence and toward evading network-based security controls. Because an implant such as NAPLISTENER hides its C2 inside ordinary HTTP traffic, network monitoring alone is unlikely to catch it; endpoint detection and response (EDR) tooling, which can see the masquerading process, its listener, and the in-memory execution, is better placed to detect these attempts.
Cyware Publisher