
NAPLISTENER

Recently, the threat group known as REF2924 has been targeting entities in South and Southeast Asia with a new piece of malware. Tracked as NAPLISTENER, it is an HTTP listener written in C#. NAPLISTENER had not been observed before, making it a previously unknown threat; details about it were released in a report by security researchers.

NAPLISTENER appears to have been designed specifically to evade 'network-based forms of detection,' meaning that traditional methods relying on network traffic analysis may not detect it. REF2924 has a history of using advanced and sophisticated tactics in its attacks, so this development should serve as a warning to organizations in the targeted regions to remain vigilant and prioritize their security measures against potential attacks by REF2924.

The REF2924 Hacker Group Expands Its Threatening Arsenal

The name 'REF2924' refers to a group of cyber attackers who have been involved in carrying out attacks against a target in Afghanistan as well as the Foreign Affairs Office of an ASEAN member back in 2022. These attackers are believed to share similar tactics, techniques, and procedures with another hacking group known as 'ChamelGang,' which was identified by Positive Technologies, a cybersecurity company from Russia, in October 2021.

The group's primary method of attack involves exploiting Microsoft Exchange servers that are exposed to the internet. They use that access to install backdoors such as DOORME, SIESTAGRAPH, and ShadowPad on the targeted systems. The use of ShadowPad is particularly notable, as it suggests a possible connection to Chinese hacking groups that have previously used this malware in various cyber campaigns.

NAPLISTENER Poses as a Legitimate Service

The REF2924 hacking group has added a new weapon to their ever-expanding arsenal of malware. This new malware, known as NAPLISTENER and deployed as a file named 'wmdtc.exe,' is designed to disguise itself as a legitimate Microsoft Distributed Transaction Coordinator service ('msdtc.exe'). The aim of this disguise is to evade detection and gain long-term access to the targeted system.

NAPLISTENER creates an HTTP request listener that can receive incoming requests from the internet. It then reads any submitted data, decodes it from Base64 format, and executes it in memory. Analysis of the malware's code suggests that REF2924 borrowed or repurposed code from open-source projects hosted on GitHub. This indicates that the group may be actively refining and improving its cyber weapons, potentially making it even more difficult for security researchers to detect and defend against their attacks.
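One host-side way to pick up the masquerade described above, as an added example that is not part of this page or of any vendor's tooling: it compares process image names against an allow-list of known service binaries, flagging an exact name running from an unexpected directory as well as near-miss names such as wmdtc.exe next to msdtc.exe. The allow-list, the edit-distance threshold, and the 'pid|path' process listing format are all constructed for this example.

```python
import ntpath

# Legitimate service binaries and the directory each is expected to run from
# (hypothetical allow-list for this example; build yours from a host baseline).
KNOWN_SERVICE_BINARIES = {
    "msdtc.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
# Stems within this many single-character edits of a known stem are flagged
# as look-alikes (threshold chosen for this example).
MAX_EDIT_DISTANCE = 2

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_image(pid: int, image_path: str) -> list[str]:
    """Findings for one process image: wrong directory or look-alike name."""
    directory, name = ntpath.split(image_path.lower())
    findings = []
    if name in KNOWN_SERVICE_BINARIES:
        expected = KNOWN_SERVICE_BINARIES[name]
        if directory != expected:
            findings.append(f"pid {pid}: {name} runs from {directory}, expected {expected}")
        return findings  # exact known name: no look-alike comparison needed
    stem = ntpath.splitext(name)[0]
    for known in KNOWN_SERVICE_BINARIES:
        distance = levenshtein(stem, ntpath.splitext(known)[0])
        if 0 < distance <= MAX_EDIT_DISTANCE:
            findings.append(f"pid {pid}: {name} looks like {known} (edit distance {distance})")
    return findings

def scan(process_lines: list[str]) -> list[str]:
    """Each line is 'pid|image_path' (constructed listing format for this example)."""
    findings = []
    for line in process_lines:
        pid, path = line.split("|", 1)
        findings.extend(check_image(int(pid), path.strip()))
    return findings

# Constructed sample process listing, not real telemetry.
SAMPLE_PROCESSES = [
    "4012|C:\\Windows\\System32\\msdtc.exe",   # legitimate MSDTC
    "5120|C:\\ProgramData\\wmdtc.exe",         # name mimics msdtc.exe
    "876|C:\\Windows\\System32\\svchost.exe",  # legitimate
    "6600|C:\\Users\\Public\\msdtc.exe",       # right name, wrong directory
]
```

Running `scan(SAMPLE_PROCESSES)` yields two findings: the look-alike wmdtc.exe and the msdtc.exe copy outside System32; the genuine entries produce none.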
