The threat group tracked by researchers as REF2924 has been deploying previously unseen malware, including NAPLISTENER, in its attacks against South and Southeast Asian organisations.
According to reports, NAPLISTENER is an HTTP listener written in C# that is designed to evade network-based malware detection.
Researchers stated that the group's attacks were first observed in a cluster of malicious activity targeting an entity in Afghanistan. Last year, the group also targeted an organisation within the Foreign Affairs Office of an ASEAN member state.
The group behind NAPLISTENER may be linked to another hacking group.
The NAPLISTENER operators' tradecraft overlaps with that of a hacking group called ChamelGang. Researchers explained that the attackers exploited internet-facing Microsoft Exchange servers to deploy backdoors such as ShadowPad, SIESTAGRAPH, and DOORME.
ShadowPad is a privately sold modular backdoor that lets its operators establish persistence on infected hosts, run shell commands, and deliver additional payloads. It is prevalent among China-affiliated threat groups, many of which have used the same malware in their attacks.
SIESTAGRAPH uses the Microsoft Graph API for command and control (C2) over OneDrive and Outlook. It can run arbitrary commands via the Command Prompt, upload and download archives to and from OneDrive, and capture screenshots.
The third malware, DOORME, is an IIS backdoor module that gives its operators remote access to a compromised network and lets them run additional malware strains and tools.
REF2924 has since added NAPLISTENER to this set of payloads. The new malware impersonates a legitimate Windows service, the Microsoft Distributed Transaction Coordinator (MSDTC), to evade detection and maintain access to targeted networks.
NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet. It reads the data submitted in those requests, decodes it from Base64, and executes it in memory.
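The behaviour just described (a listener that accepts Base64 data and runs it in memory) gives defenders something concrete to look for: request bodies whose Base64 payload decodes to a Windows executable. The following script is an added example written for this article, not code from the researchers' report or from the malware; the log format, paths, and the 64-character minimum for a Base64 run are constructed assumptions, and the "PE image" in the sample is a fabricated byte string that only carries the MZ header and DOS-stub string.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Markers that identify a Windows executable once the Base64 wrapper is stripped.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"

# Runs of Base64 text long enough to plausibly carry a payload.
# The 64-character threshold is an assumption chosen to skip short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


@dataclass
class Finding:
    line_no: int
    decoded_len: int
    reason: str


def decode_candidate(candidate: str):
    """Strictly decode a Base64 run; return None if it is not valid Base64."""
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def executable_reason(raw: bytes):
    """Return why decoded bytes look like an executable, or None if they do not."""
    if raw[:2] == PE_MAGIC:
        return "decodes to a PE image (MZ header)"
    if DOS_STUB in raw:
        return "decoded data contains the DOS stub string"
    return None


def scan_request_log(lines):
    """Flag log lines whose Base64 content decodes to an executable (one finding per line)."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in B64_RUN.finditer(line):
            raw = decode_candidate(match.group(0))
            if raw is None:
                continue
            reason = executable_reason(raw)
            if reason:
                findings.append(Finding(line_no, len(raw), reason))
                break
    return findings


# Constructed stand-in for a PE image: MZ header, zero padding, DOS stub, trailing zeros.
FAKE_PE = b"MZ" + bytes(62) + DOS_STUB + bytes(16)

# Constructed request log: a benign health check, a benign SHA-256 hex token
# (64 characters, so it also matches the Base64 regex), and a Base64-wrapped executable.
SAMPLE_LOG = [
    '10.0.0.12 "GET /healthcheck HTTP/1.1" 200 body=',
    '10.0.0.12 "POST /api HTTP/1.1" 200 body=sha256:' + "a1" * 32,
    '198.51.100.7 "POST /submit HTTP/1.1" 200 body=' + base64.b64encode(FAKE_PE).decode(),
]

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.decoded_len} bytes)")
```

The strict decode (`validate=True`) matters: the SHA-256 hex token on the second line is valid Base64 by alphabet and length, so it decodes cleanly, and only the content check on the decoded bytes keeps it from being flagged. In production the same two-stage check (decode, then inspect magic bytes) would run over bodies captured by a proxy or WAF rather than over a text log.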
Cybersecurity experts believe these threat actors borrow and repurpose code from open-source projects that other attackers have published on GitHub. Groups such as REF2924 then improve the repurposed code and turn it into their own malicious tooling.