Vietnamese public companies have been targeted as part of an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER.
“SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities,” Elastic Security Labs said in a Friday report.
The attacks have been attributed to an actor it tracks as REF2754, which overlaps with a Vietnamese threat group known as APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus.
Meta, in December 2020, linked the activities of the hacking crew to a cybersecurity company named CyberOne Group.
In the latest infection flow unearthed by Elastic, the SysInternals ProcDump utility is leveraged to load an unsigned DLL file that contains DONUTLOADER, which, in turn, is configured to load SPECTRALVIPER and other malware such as P8LOADER or POWERSEAL.
SPECTRALVIPER is designed to contact an actor-controlled server and awaits further commands while also adopting obfuscation methods like control flow flattening to resist analysis.
P8LOADER, written in C++, is capable of launching arbitrary payloads from a file or from memory. Also used is a purpose-built PowerShell runner named POWERSEAL that’s equipped to run supplied PowerShell scripts or commands.
REF2754 is said to share tactical commonalities with another group dubbed REF4322, which is known to primarily target Vietnamese entities to deploy a post-exploitation implant referred to as PHOREAL (aka Rizzo).
The connections have raised the possibility that “both REF4322 and REF2754 activity groups represent campaigns planned and executed by a Vietnamese state-affiliated threat.”
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
The findings come as the intrusion set dubbed REF2924 has been tied to yet another piece of malware called SOMNIRECORD that employs DNS queries to communicate with a remote server and bypass network security controls.
SOMNIRECORD, like NAPLISTENER, makes use of existing open source projects to hone its capabilities, enabling it to retrieve information about the infected machine, list all running processes, deploy a web shell, and launch any executable already present in the system.
“The use of open source projects by the attacker indicates that they are taking steps to customize existing tools for their specific needs and may be attempting to counter attribution attempts,” the company said.