Elastic Security Labs has identified a previously unseen malware family, NAPLISTENER, in use by REF2924, a threat group operating in South and Southeast Asia.
The malware is written in C# and functions as an HTTP listener designed to evade network-based detection. REF2924 was observed attacking an entity in Afghanistan as well as a foreign affairs office of an ASEAN member in 2022. The group's modus operandi suggests overlaps with the Russian hacking group ChamelGang, which was identified by Positive Technologies in October 2021.
The group has exploited Microsoft Exchange servers to deploy backdoors, such as DOORME, SIESTAGRAPH, and ShadowPad.
DOORME, an IIS backdoor module, allows remote access to a network, while SIESTAGRAPH employs Microsoft’s Graph API for command-and-control via Outlook and OneDrive, and can run arbitrary commands, upload and download files to and from OneDrive, and take screenshots.
ShadowPad is a modular backdoor enabling threat actors to maintain persistent access to compromised computers and run shell commands and follow-on payloads. The use of ShadowPad suggests a potential link to China-based hacking groups known to utilize the malware in various campaigns over the years.
To maintain persistent access, NAPLISTENER masquerades as the legitimate Microsoft Distributed Transaction Coordinator service, running under the file name wmdtc.exe.
The malware creates an HTTP request listener that processes incoming requests from the internet, reads any submitted data, decodes it from Base64, and executes it in memory. Code analysis suggests that REF2924 borrows or repurposes code from open-source projects hosted on GitHub to build its own tools, indicating that the group may be actively honing its cyber weapons.
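Because a listener of this kind is built to blend into ordinary web traffic, the two observable behaviours described above (a process posing as the Distributed Transaction Coordinator, and request bodies that Base64-decode to an executable) are the most practical hooks for defenders. The following is an added example written for this article, not Elastic Security Labs' code or anything from the REF2924 toolset: two host- and traffic-side checks run over constructed sample records. The only fact it relies on beyond the article is that the genuine Windows MSDTC binary is msdtc.exe under %SystemRoot%\System32; the record layout, function names and sample data are assumptions for illustration.

```python
"""Added defender-side example (not Elastic Security Labs' code): host and
traffic checks for the two behaviours described above, run over constructed
sample data. Record layouts and function names below are hypothetical."""
import base64
import binascii
import re
from dataclasses import dataclass

# Fact: the genuine Distributed Transaction Coordinator binary is msdtc.exe
# under %SystemRoot%\System32. A process that claims to be MSDTC but runs
# under another name or from another directory (e.g. wmdtc.exe) deserves a look.
LEGIT_MSDTC_NAME = "msdtc.exe"
LEGIT_MSDTC_DIR = "c:\\windows\\system32\\"


@dataclass
class ProcessRecord:
    pid: int
    image_name: str          # file name of the executable
    image_path: str          # full path on disk
    display_name: str        # service display name, "" if not a service


def is_msdtc_masquerade(rec: ProcessRecord) -> bool:
    """True when a process presents itself as MSDTC but is not the real binary."""
    name = rec.image_name.lower()
    path = rec.image_path.lower()
    claims_msdtc = ("dtc" in name
                    or "distributed transaction" in rec.display_name.lower())
    if not claims_msdtc:
        return False
    genuine = name == LEGIT_MSDTC_NAME and path.startswith(LEGIT_MSDTC_DIR)
    return not genuine


def scan_processes(records):
    """Return PIDs of processes flagged as MSDTC look-alikes."""
    return [r.pid for r in records if is_msdtc_masquerade(r)]


BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decodes_to_executable(body: str) -> bool:
    """True when an HTTP body is Base64 that decodes to a PE ("MZ") image,
    the shape of payload a listener like the one described would load in memory."""
    compact = "".join(body.split())          # tolerate line-wrapped Base64
    if len(compact) < 8 or not BASE64_CHARS.match(compact):
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"MZ")


def scan_requests(requests):
    """Return ids of requests whose body decodes to an in-memory executable."""
    return [r["id"] for r in requests if decodes_to_executable(r["body"])]


# --- constructed sample data (not real telemetry) ---------------------------
SAMPLE_PROCESSES = [
    ProcessRecord(612, "msdtc.exe", r"C:\Windows\System32\msdtc.exe",
                  "Distributed Transaction Coordinator"),
    ProcessRecord(4120, "wmdtc.exe", r"C:\ProgramData\wmdtc.exe",
                  "Microsoft Distributed Transaction Coordinator"),
    ProcessRecord(988, "svchost.exe", r"C:\Windows\System32\svchost.exe", ""),
]

# A fake 64-byte "MZ" header is enough to exercise the check; real images are far larger.
SAMPLE_PE_BODY = base64.b64encode(b"MZ" + b"\x00" * 62).decode()
SAMPLE_REQUESTS = [
    {"id": "req-1", "body": "page=1&sort=asc"},
    {"id": "req-2", "body": base64.b64encode(b"plain text, not a PE").decode()},
    {"id": "req-3", "body": SAMPLE_PE_BODY},
]

if __name__ == "__main__":
    print("MSDTC look-alikes:", scan_processes(SAMPLE_PROCESSES))   # [4120]
    print("executable bodies:", scan_requests(SAMPLE_REQUESTS))     # ['req-3']
```

The process check deliberately keys on what the process claims to be (name or service display name) rather than on a fixed bad file name, so a renamed variant still trips it as long as it keeps impersonating MSDTC; the body check is a cheap first-pass filter that a proxy or WAF log pipeline can run before heavier inspection.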
The discovery of NAPLISTENER highlights the threat posed by advanced and persistent cyber-attacks on organizations in the region.