Vietnamese public companies have been targeted as part of an ongoing campaign spreading a new backdoor called SPECTRALVIPER.
“SPECTRALVIPER is a highly obfuscated, previously undisclosed, x64 backdoor that features PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities,” Elastic Security Labs said in Friday’s report.
The attack was attributed to an actor it tracked as REF2754, which overlaps with Vietnamese threat groups known as APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus.
Meta, in December 2020, linked the hacking crew’s activity to a cybersecurity company called CyberOne Group.
In the latest infection chain unearthed by Elastic, the SysInternals ProcDump utility is abused to load unsigned DLL files containing DONUTLOADER, which, in turn, is configured to load SPECTRALVIPER and other malware such as P8LOADER or POWERSEAL.
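As an added, defender-side example (not code from the Elastic report), the following Python flags Sysmon ImageLoad (Event ID 7) records in which ProcDump loads an unsigned DLL, the sideloading pattern described above; the log records, the watched-process list and the directory list are constructed assumptions.

```python
"""Flag Sysmon Event ID 7 (ImageLoad) records where a signed Sysinternals
binary such as procdump.exe loads an unsigned DLL, optionally from a
user-writable path. Added example; the records below are constructed."""
import re
from dataclasses import dataclass

# Constructed Sysmon Event 7 records, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\procdump64.exe",
     "ImageLoaded": r"C:\Users\Public\dbghelp.dll",  # constructed unsigned module
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

# Assumed watch list: processes that should not be loading unsigned code.
WATCHED_IMAGES = {"procdump.exe", "procdump64.exe"}
# Assumed list of user-writable directories a dependency should not come from.
SUSPICIOUS_DIRS = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)


@dataclass(frozen=True)
class Alert:
    process: str
    module: str
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_untrusted(ev: dict) -> bool:
    # Sysmon reports Signed as the strings "true"/"false".
    return ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"


def scan(events: list) -> list:
    alerts = []
    for ev in events:
        if basename(ev["Image"]) not in WATCHED_IMAGES or not is_untrusted(ev):
            continue
        reason = "unsigned or invalid-signature DLL loaded by watched process"
        if SUSPICIOUS_DIRS.match(ev["ImageLoaded"]):
            reason += " from user-writable directory"
        alerts.append(Alert(ev["Image"], ev["ImageLoaded"], reason))
    return alerts
```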
SPECTRALVIPER is designed to contact an actor-controlled server and await further commands, while employing obfuscation methods such as control flow flattening to resist analysis.
P8LOADER, written in C++, is capable of launching arbitrary payloads from a file or from memory. Also used is a purpose-built PowerShell runner called POWERSEAL, which is equipped to run supplied PowerShell scripts or commands.
REF2754 is also said to share tactical similarities with another group dubbed REF4322, which is known to primarily target Vietnamese entities to deploy a post-exploitation implant referred to as PHOREAL (aka Rizzo).
Such connections have raised the possibility that “the activity groups REF4322 and REF2754 represent campaigns planned and executed by Vietnam-affiliated threats.”
The findings come as the intrusion set dubbed REF2924 has been linked to another malware called SOMNIRECORD, which uses DNS queries to communicate with remote servers and bypass network security controls.
SOMNIRECORD, like NAPLISTENER, took advantage of existing open source projects to hone its capabilities, allowing it to retrieve information about the infected machine, list all running processes, deploy a web shell, and launch any executable already on the system.
“The attacker’s use of an open source project indicates that they are taking steps to adapt existing tools to their particular needs and may be seeking to counter attribution attempts,” the company said.