New NAPLISTENER Malware Used by REF2924 Group to Evade Network Detection


The REF2924 group has been observed using new malware in attacks targeting organizations in Southeast and South Asia.

The malware, known as NAPLISTENER, was built to evade network-based detection. It is an HTTP listener written in C#, as documented by Elastic Security Labs.

In 2022, an activity group identified as REF2924 was involved in attacks against both a target in Afghanistan and the Foreign Affairs Office of an ASEAN member country.

The group's tactics overlap with those of another group known as ChamelGang, which was profiled by the Russian cybersecurity firm Positive Technologies in October 2021.

The group's attacks have reportedly leveraged internet-facing Microsoft Exchange servers to deploy malware such as DOORME, SIESTAGRAPH, and ShadowPad.

DOORME is a backdoor module that provides unauthorized remote access to a network and can deploy additional malware and tools.

SIESTAGRAPH uses Microsoft's Graph API for command-and-control through Outlook and OneDrive. It can execute commands via Command Prompt, upload and download files to and from OneDrive, and capture screenshots.

ShadowPad is a privately sold, modular backdoor that evolved from PlugX. It lets attackers maintain persistent access to compromised machines, run shell commands, and carry out further malicious actions.

The use of ShadowPad is significant because it suggests a connection to Chinese hacking groups that have employed the malware in multiple operations over the years.

REF2924 has added NAPLISTENER (wmdtc.exe) to its growing arsenal. The malware masquerades as the legitimate Microsoft Distributed Transaction Coordinator service (msdtc.exe) in order to evade detection and maintain persistent access.

According to security researcher Remco Sprooten, NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet. It reads any submitted data, decodes it from Base64, and executes it in memory.
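The two behaviours described above, a process masquerading as msdtc.exe and an HTTP listener that Base64-decodes and executes whatever it receives, are both detectable from telemetry defenders already collect. The following script is an added example written for this page; it is not code from Elastic Security Labs, Remco Sprooten, or the REF2924 analysis. The process image paths and HTTP request bodies are constructed sample data, the System32 install location of msdtc.exe is an assumption about a standard Windows install, and the edit-distance and MZ-header heuristics are the author's own choices, not signatures from the report.

```python
"""Defensive heuristics for the NAPLISTENER behaviours described in the article.

Added example (not the report's or Elastic's code). Sample inputs are constructed.
"""
import base64
import binascii
import ntpath
from typing import List, Optional, Tuple

# The genuine service binary NAPLISTENER imitates (file name taken from the page).
# Its System32 location is an assumption about a standard Windows install.
REAL_SERVICE_NAME = "msdtc.exe"
REAL_SERVICE_DIR = r"c:\windows\system32"


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch near-miss file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_process(image_path: str) -> Optional[str]:
    """Return a reason when a process image looks like it is masquerading as
    the Distributed Transaction Coordinator, otherwise None.

    Two cases: the real name launched from the wrong directory, or a name within
    two edits of the real one launched from outside the Windows directory (so
    legitimate System32 binaries with similar names, e.g. mstsc.exe, are not hit).
    """
    directory, name = ntpath.split(image_path)
    directory, name = directory.lower(), name.lower()
    if name == REAL_SERVICE_NAME:
        if directory != REAL_SERVICE_DIR:
            return f"real service name from unexpected path: {image_path}"
        return None
    inside_windows = directory.startswith("c:\\windows")
    if not inside_windows and edit_distance(name, REAL_SERVICE_NAME) <= 2:
        return f"lookalike of {REAL_SERVICE_NAME} outside the Windows directory: {image_path}"
    return None


def classify_request_body(body: str, min_len: int = 64) -> Optional[str]:
    """Return a reason when a submitted body is valid Base64 that decodes to a
    PE image (the 'MZ' header every Windows executable and .NET assembly starts
    with), i.e. the kind of payload the listener would load in memory."""
    body = body.strip()
    if len(body) < min_len:
        return None
    try:
        raw = base64.b64decode(body, validate=True)  # strict: rejects non-alphabet bytes
    except (binascii.Error, ValueError):
        return None
    if raw[:2] == b"MZ":
        return "Base64 body decodes to a PE/.NET executable image (MZ header)"
    return None


def scan(process_images: List[str], request_bodies: List[str]) -> List[Tuple[str, str]]:
    """Run both heuristics and collect (source, reason) findings."""
    findings: List[Tuple[str, str]] = []
    for image in process_images:
        reason = flag_process(image)
        if reason:
            findings.append(("process", reason))
    for body in request_bodies:
        reason = classify_request_body(body)
        if reason:
            findings.append(("http", reason))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_PROCESS_EVENTS = [
    r"C:\Windows\System32\msdtc.exe",   # genuine service
    r"C:\Windows\System32\mstsc.exe",   # unrelated legitimate binary, similar name
    r"C:\ProgramData\Temp\wmdtc.exe",   # lookalike name, user-writable path
    r"C:\Users\Public\msdtc.exe",       # real name, wrong path
]
# A fake PE-looking blob (MZ header plus zero padding) and a benign text blob.
FAKE_PAYLOAD = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 76).decode()
BENIGN_BASE64 = base64.b64encode(b"hello world " * 10).decode()
SAMPLE_HTTP_BODIES = ["username=alice&remember=1", BENIGN_BASE64, FAKE_PAYLOAD]

if __name__ == "__main__":
    for source, reason in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_HTTP_BODIES):
        print(f"[{source}] {reason}")
```

Both checks are deliberately narrow: the process rule tolerates similarly named System32 binaries, and the HTTP rule only fires on bodies that actually decode to an executable image, so ordinary Base64-encoded form data or tokens pass through.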

Analysis of the code suggests the attacker is borrowing from open source projects on GitHub to build its own tools, indicating that REF2924 may be actively developing a range of offensive capabilities.

The findings come as a Vietnamese organization was targeted in late December 2022 with a previously unknown Windows backdoor called PIPEDANCE, designed to facilitate post-compromise and lateral movement activity involving Cobalt Strike.
