A new wave of cyber threats is making its way towards public companies in Vietnam, brought on by a previously unseen backdoor known as SPECTRALVIPER.
Unveiling the SPECTRALVIPER backdoor
According to a recent report from Elastic Security Labs, SPECTRALVIPER presents an advanced, concealed x64 backdoor capable of file and directory manipulation, token impersonation, and PE loading and injection. The group behind the attack is codenamed REF2754 and believed to be connected with the Vietnamese APT32 group, also known as Canvas Cyclone, Cobalt Kitty, and OceanLotus.
Previously, Meta had associated these cyber activities with CyberOne Group, a cybersecurity firm, back in December 2020.
The latest attack strategy uncovered by Elastic involves the use of the SysInternals ProcDump tool to load an unsigned DLL file, housing DONUTLOADER. This loader then proceeds to activate SPECTRALVIPER and other malware like P8LOADER or POWERSEAL.
The capabilities of SPECTRALVIPER
The SPECTRALVIPER backdoor is designed to establish a link with a server under the hacker’s control. It awaits further instructions while using obfuscation techniques to evade analysis.
Written in C++, P8LOADER is capable of initiating arbitrary payloads from a file or memory. POWERSEAL, a custom PowerShell runner, is also used to run provided PowerShell scripts or commands.
The tactics employed by REF2754 align with those of REF4322, another group known for targeting Vietnamese entities with a post-exploitation implant named PHOREAL. This link raises suspicions of state-affiliated cyber-attacks being orchestrated in Vietnam.
The SOMNIRECORD malware
Alongside these revelations, another malware, SOMNIRECORD, is connected to the intrusion set known as REF2924. This malware uses DNS queries to communicate with a remote server and circumvent network security controls. It repurposes existing open-source projects to expand its capabilities and counter any attribution attempts.
Are you, our esteemed readers, concerned about the escalating threat of state-affiliated cyber espionage? We would love to hear your thoughts on SPECTRALVIPER and its potential implications. Please share your views in the comments below!
{{user}} {{datetime}}
{{text}}