Latest Cyber Attack Campaign: Vietnamese Public Companies Under Threat from SPECTRALVIPER Backdoor


Vietnamese public companies have recently become targets of a sophisticated cyber attack campaign involving a newly identified backdoor called SPECTRALVIPER. Elastic Security Labs, in its report, described SPECTRALVIPER as an advanced backdoor that allows attackers to perform various malicious activities, including file manipulation, token impersonation, and file upload and download. The campaign has been attributed to a threat group tracked as REF2754, which overlaps with APT32, Canvas Cyclone, Cobalt Kitty, and OceanLotus.

Notably, there have been connections linking REF2754 to another group called REF4322, which primarily targets Vietnamese organizations with a post-exploitation implant called PHOREAL. These connections have led to speculation that both REF4322 and REF2754 may be part of a larger Vietnamese state-affiliated cyber threat.

In their operations, the attackers use several techniques to evade detection and analysis. They leverage the Sysinternals ProcDump utility to load an unsigned DLL file containing DONUTLOADER, which in turn loads SPECTRALVIPER and other malware such as P8LOADER and POWERSEAL. SPECTRALVIPER employs obfuscation methods and establishes communication with an attacker-controlled server, then waits for further instructions. P8LOADER, written in C++, can execute arbitrary payloads, and POWERSEAL, a specialized PowerShell runner, is used to run supplied PowerShell scripts or commands.
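The ProcDump stage described above (a legitimate signed utility loading an unsigned DLL) is a pattern a defender can hunt for in endpoint image-load telemetry. The following is an added example, not code from the article or from Elastic's report: it runs simple detection logic over constructed Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed, Signature); the process names, paths and sample events are assumptions made for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Sysinternals ProcDump binary names (assumed set for this example)
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}
# Directories where a Microsoft-signed module is expected to live
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass(frozen=True)
class ImageLoad:
    """One Sysmon Event ID 7 (ImageLoad) record, reduced to the fields used here."""
    image: str         # process that loaded the module
    image_loaded: str  # full path of the loaded module
    signed: bool       # Sysmon 'Signed' field
    signature: str     # Sysmon 'Signature' (signer name), empty if unsigned


def is_suspicious_procdump_load(ev: ImageLoad) -> bool:
    """Flag ProcDump loading a DLL that is not a Microsoft-signed module
    from a system directory; everything else is considered expected."""
    proc = PureWindowsPath(ev.image).name.lower()
    if proc not in PROCDUMP_NAMES:
        return False
    mod = PureWindowsPath(ev.image_loaded)
    if mod.suffix.lower() != ".dll":
        return False
    in_trusted_dir = str(mod.parent).lower().startswith(TRUSTED_DIRS)
    microsoft_signed = ev.signed and ev.signature.lower().startswith("microsoft")
    return not (microsoft_signed and in_trusted_dir)


def find_suspicious(events):
    """Return every record that matches the ProcDump unsigned-DLL pattern."""
    return [ev for ev in events if is_suspicious_procdump_load(ev)]


# Constructed sample telemetry: one benign ProcDump load, one matching the
# loader pattern, and one unsigned load by an unrelated process.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Tools\procdump64.exe", r"C:\Windows\System32\dbghelp.dll",
              True, "Microsoft Windows"),
    ImageLoad(r"C:\Tools\procdump64.exe", r"C:\Users\Public\stage.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Users\Public\stage.dll",
              False, ""),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} loaded unsigned/untrusted module {hit.image_loaded}")
```

In production this rule should be one signal among several, since legitimate ProcDump use (for example by a debugging engineer) can load third-party DLLs; correlate with the parent process and the module's prevalence.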

Adding to the complexity, a separate intrusion set referred to as REF2924 has been associated with another malware family called SOMNIRECORD. SOMNIRECORD uses DNS queries to communicate with a remote server, bypassing network security controls that do not inspect DNS traffic. Like NAPLISTENER, SOMNIRECORD builds on open source projects to extend its capabilities, enabling it to gather information about infected machines, list running processes, deploy a web shell, and execute any existing executable files on the compromised system.

The attackers' use of open source projects suggests an intention to customize existing tools to suit their specific needs and possibly to hinder attribution. These findings highlight the need for heightened cybersecurity measures and vigilance to protect against such advanced and persistent threats.
