SPECTRALVIPER, a new backdoor that targets Vietnamese orgs

June 22, 2023
SPECTRALVIPER Malware Backdoor Vietnam Cybercrime REF2754 Threat Group Hacking

An ongoing cybercriminal campaign has deployed a new backdoor, SPECTRALVIPER, against Vietnamese public companies. The operators built it as a heavily obfuscated backdoor that can launch x64 payloads, upload and download files, manipulate files and directories, and impersonate tokens.

Based on current reports, the REF2754 threat group is the primary suspect behind the malware. The group overlaps with other Vietnam-linked threat clusters tracked under names such as Bismuth, Cobalt Kitty, OceanLotus, and APT32.

The threat actors used a legitimate system utility to load SPECTRALVIPER.

The operators abused the SysInternals ProcDump utility to load an unsigned DLL containing DONUTLOADER, which in turn loads SPECTRALVIPER and other backdoor variants.
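A signed, trusted utility loading an unsigned DLL is exactly the kind of event a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from any vendor's detection content: a small Python routine over Sysmon Event ID 7 (Image Loaded) records that flags ProcDump loading a DLL whose signature is absent or invalid. The Sysmon field names are real; the sample events, paths and DLL file names are constructed placeholders, not indicators from this campaign.

```python
"""Flag Sysmon image-load events where SysInternals ProcDump loads an unsigned DLL.

Added example, not code from the article or from any vendor report. It runs
over Sysmon Event ID 7 (Image Loaded) records using the field names Sysmon
emits (Image, ImageLoaded, Signed, SignatureStatus). The sample events below
are constructed, and the DLL names in them are placeholders, not IOCs.
"""
from pathlib import PureWindowsPath

# Binaries ProcDump ships as (lower-cased file names).
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}

# Constructed sample events in Sysmon Event ID 7 shape (assumed, not captured).
SAMPLE_EVENTS = [
    {   # ProcDump loading a Microsoft-signed debug helper: expected, benign
        "Image": r"C:\Tools\procdump64.exe",
        "ImageLoaded": r"C:\Windows\System32\dbghelp.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # ProcDump loading an unsigned DLL from a user-writable directory
        "Image": r"C:\Tools\procdump64.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\loader.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # Same DLL loaded by another process: out of scope for this rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\loader.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # ProcDump loading a DLL whose signature fails verification
        "Image": r"C:\ProgramData\procdump.exe",
        "ImageLoaded": r"C:\ProgramData\helper.dll",
        "Signed": "true", "SignatureStatus": "Errors",
    },
]


def is_procdump(image_path):
    """True when the loading process is ProcDump, judged by file name only
    (attackers routinely rename and relocate the binary, so path is ignored)."""
    return PureWindowsPath(image_path).name.lower() in PROCDUMP_NAMES


def has_trusted_signature(event):
    """Sysmon reports Signed as the strings "true"/"false"; a DLL that is
    signed but whose chain does not verify still shows SignatureStatus != Valid."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus") == "Valid")


def is_suspicious_load(event):
    """ProcDump loading anything that is not validly signed."""
    return is_procdump(event["Image"]) and not has_trusted_signature(event)


def hunt(events):
    """Return the loaded-DLL paths of every suspicious event, in log order."""
    return [ev["ImageLoaded"] for ev in events if is_suspicious_load(ev)]


if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("ProcDump loaded a DLL without a valid signature:", path)
```

The rule deliberately keys on the loader's file name rather than its path, because the utility is trivially copied anywhere; it also treats a signed-but-unverifiable DLL as suspicious, since a tampered or revoked signature is as much a warning as no signature at all.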

Once running, SPECTRALVIPER contacts an attacker-controlled server and waits for further commands. Its binary is obfuscated with techniques such as control-flow flattening, which replaces the natural branching structure of each function with a state-machine dispatcher and so makes static analysis considerably harder.

The attackers also deploy P8LOADER, written in C++, to launch arbitrary payloads from a file or directly from memory, and POWERSEAL, a PowerShell runner that executes PowerShell commands or scripts handed to it.

Separately, researchers have noted tactical similarities between REF2754 and the REF4322 threat group, and have emphasised that both primarily target Vietnam-based entities, deploying a post-exploitation implant called Rizzo.

The connections between the two groups have therefore raised the suspicion that they are part of a broader campaign against private and public Vietnamese organisations.

The findings come as a separate intrusion campaign by REF2924 has been linked to another malware strain, SOMNIRECORD, which communicates with its remote server over DNS queries, a channel that often passes through network security controls uninspected.

SOMNIRECORD builds on an existing open-source project for its capabilities, which let its operators harvest information about the infected host, list running processes, launch a web shell, and execute any executable on the system.
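Command-and-control over DNS, as described for SOMNIRECORD above, leaves a recognisable shape in resolver logs: many distinct, high-entropy subdomain labels under one registered domain. The following is an added example, not code from the article or from any analysis of SOMNIRECORD, and it does not reproduce that malware's actual encoding. It scores each registered domain in a constructed DNS query log by the number and randomness of the leftmost labels queried beneath it; the log format, thresholds and domain names are all assumptions made for illustration.

```python
"""Heuristic detection of DNS-based command-and-control in DNS query logs.

Added example, not code from the article or from any SOMNIRECORD analysis.
It groups queries by registered domain and flags domains that receive many
distinct, high-entropy subdomain labels, the footprint that DNS tunnelling
and DNS beaconing tend to leave. The sample log lines, their four-column
format and the thresholds are constructed for this illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "timestamp client qname qtype".
SAMPLE_LOG = """\
2023-06-20T08:00:01Z 10.0.0.5 www.example.com A
2023-06-20T08:00:02Z 10.0.0.5 mail.example.com A
2023-06-20T08:00:04Z 10.0.0.6 cdn.example.com A
2023-06-20T08:00:05Z 10.0.0.5 www.example.com A
2023-06-20T08:00:10Z 10.0.0.9 host1.corp.example.org A
2023-06-20T08:00:11Z 10.0.0.9 host2.corp.example.org A
2023-06-20T08:00:12Z 10.0.0.9 host3.corp.example.org A
2023-06-20T08:00:13Z 10.0.0.9 host4.corp.example.org A
2023-06-20T08:00:14Z 10.0.0.9 host5.corp.example.org A
2023-06-20T08:00:15Z 10.0.0.9 host6.corp.example.org A
2023-06-20T08:00:20Z 10.0.0.7 4f2a9c1e0d7b.t.example.net TXT
2023-06-20T08:00:25Z 10.0.0.7 9b3c7e1f2a6d.t.example.net TXT
2023-06-20T08:00:30Z 10.0.0.7 0a1b2c3d4e5f.t.example.net TXT
2023-06-20T08:00:35Z 10.0.0.7 f0e1d2c3b4a5.t.example.net TXT
2023-06-20T08:00:40Z 10.0.0.7 6c5d4e3f2a1b.t.example.net TXT
2023-06-20T08:00:45Z 10.0.0.7 8a7b6c5d4e3f.t.example.net TXT
"""


def shannon_entropy(s):
    """Bits per character; random hex labels score ~3.5, host names ~2."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (registered_domain, leftmost_label). Assumes a two-label
    registered domain; production code should consult a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), (labels[0] if len(labels) > 2 else "")


def parse_log(text):
    """Parse the constructed four-column format into (ts, client, qname, qtype)."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 4]


def domain_stats(records):
    """Per registered domain: query count, distinct leftmost labels,
    entropy of each leftmost label, and a histogram of query types."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(),
                                 "entropy": [], "qtypes": Counter()})
    for _ts, _client, qname, qtype in records:
        domain, label = split_qname(qname)
        st = stats[domain]
        st["queries"] += 1
        st["qtypes"][qtype] += 1
        if label:
            st["labels"].add(label)
            st["entropy"].append(shannon_entropy(label))
    return stats


def suspicious_domains(text, min_distinct=6, min_entropy=3.0):
    """Domains whose leftmost labels are both numerous and high-entropy.
    Both gates are needed: a fleet of host1..hostN names is numerous but
    low-entropy, and a single random label is high-entropy but not a channel."""
    flagged = []
    for domain, st in domain_stats(parse_log(text)).items():
        if len(st["labels"]) < min_distinct or not st["entropy"]:
            continue
        if sum(st["entropy"]) / len(st["entropy"]) >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for d in suspicious_domains(SAMPLE_LOG):
        print("possible DNS C2 channel:", d)
```

In the constructed log, example.org receives six distinct labels but they are ordinary host names, so the entropy gate keeps it quiet; only example.net, with six random hex labels under TXT queries, is reported. Record types are also collected, since an unusual share of TXT or NULL queries to one domain is a further signal worth alerting on.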

Security researchers expect these attacks to continue over the coming months, as multiple threat groups converge on a single country. Vietnam-based organisations should deploy layered defences to keep these threats at bay.
