
SPECTRALVIPER Malware

Vietnamese public companies have become targets of a sophisticated attack that uses a newly identified backdoor called SPECTRALVIPER. SPECTRALVIPER is a heavily obfuscated, previously undisclosed x64 backdoor. Its capabilities include PE loading and injection, file upload and download, file and directory manipulation, and token impersonation.

The intrusion set behind these attacks is tracked as REF2754 and is associated with the Vietnamese threat group known variously as APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty and OceanLotus, which links the ongoing campaign to that group's earlier activity.

SPECTRALVIPER is Deployed Alongside Other Malware Threats

The infection chain abuses the legitimate, Microsoft-signed SysInternals ProcDump utility to side-load an unsigned DLL containing the DONUTLOADER. This loader is configured to load SPECTRALVIPER alongside other malware, including P8LOADER and POWERSEAL.
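The side-loading step above is the most observable point in the chain: a signed Sysinternals binary mapping an unsigned DLL from a user-writable directory. The following is an added example, not code from the original article or from the research it summarizes, that flags that pattern over constructed Sysmon Event ID 7 (Image Load) records written in the "Key: Value" layout shown in Event Viewer. The host list, directory list, paths and DLL names are assumptions chosen for illustration.

```python
"""Added example, not from the original article: detect a known side-loading
host (ProcDump) mapping an unsigned DLL, using constructed Sysmon Event ID 7
records. Every path, host name and DLL name below is invented."""
from dataclasses import dataclass
from typing import List

# Assumption: binaries known to be abused as side-loading hosts. Tune per environment.
SIDELOAD_HOSTS = {"procdump.exe", "procdump64.exe"}

# Directories a signed Microsoft tool legitimately resolves its DLLs from.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass
class ImageLoad:
    image: str          # process that performed the load
    image_loaded: str   # DLL that was mapped
    signed: bool
    signature_status: str


def parse_sysmon_event7(record: str) -> ImageLoad:
    """Parse one Event ID 7 record given as 'Key: Value' lines."""
    fields = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition(":")   # split on the first colon only; paths keep theirs
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when a known side-loading host maps a DLL that is unsigned or has an
    invalid signature and does not come from a trusted system directory."""
    host = ev.image.rsplit("\\", 1)[-1].lower()
    if host not in SIDELOAD_HOSTS:
        return False
    if ev.signed and ev.signature_status == "Valid":
        return False                       # properly signed library: expected behaviour
    dll = ev.image_loaded.lower()
    if dll.startswith(TRUSTED_DLL_DIRS):
        return False                       # keep the rule narrow: OS directories excluded
    return True


def scan(records: List[str]) -> List[str]:
    """Return the ImageLoaded paths of records matching the side-loading pattern."""
    return [ev.image_loaded
            for ev in map(parse_sysmon_event7, records)
            if is_suspicious_sideload(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: ProcDump mapping an unsigned DLL from the same user-writable directory.
    "Image: C:\\Users\\Public\\procdump64.exe\n"
    "ImageLoaded: C:\\Users\\Public\\helper.dll\n"
    "Signed: false\n"
    "SignatureStatus: Unavailable",
    # 2: ProcDump mapping a signed system DLL: benign.
    "Image: C:\\Users\\Public\\procdump64.exe\n"
    "ImageLoaded: C:\\Windows\\System32\\dbghelp.dll\n"
    "Signed: true\n"
    "SignatureStatus: Valid",
    # 3: an unrelated process mapping an unsigned DLL: outside this rule's scope.
    "Image: C:\\Program Files\\Vendor\\app.exe\n"
    "ImageLoaded: C:\\Program Files\\Vendor\\plugin.dll\n"
    "Signed: false\n"
    "SignatureStatus: Unavailable",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious side-load:", hit)
```

The rule is deliberately narrow: it keys on the host binary rather than on any unsigned DLL, so it stays quiet on ordinary third-party software while still catching the ProcDump case. In a real deployment the host list would be extended to other signed tools seen side-loading in the environment, and the hit would be enriched with the process's parent and its own on-disk location, since a Sysinternals binary dropped into a user-writable path is itself a signal.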

Once loaded, SPECTRALVIPER establishes communication with a server controlled by the threat actor and then remains dormant, awaiting instructions. To hinder analysis, it uses obfuscation techniques such as control flow flattening, which replaces a function's natural branch and loop structure with a single dispatcher driven by a state variable, so that the real logic is much harder to recover from a disassembly.
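To make the obfuscation concrete, here is an added illustration that is not code from the article or from the malware: the same toy checksum written plainly and then in flattened form. The checksum itself is invented; what matters is the shape of the second version, where every basic block becomes one case of a dispatcher loop and the loop and branch disappear from the visible structure.

```python
"""Added example, not from the original article: a toy view of control flow
flattening. The checksum function is invented for illustration."""


def mix_plain(data: bytes, seed: int = 0x9E37) -> int:
    """Reference version: one loop with a single conditional inside it."""
    h = seed
    for b in data:
        h = ((h << 5) + h + b) & 0xFFFF
        if h & 1:
            h ^= 0x5A5A
    return h


# Opaque-looking state labels stand in for the random constants a flattening
# pass assigns; only their distinctness matters, not their values.
ENTRY, COND, BODY, XOR, NEXT, EXIT = 0x2F1A, 0x7C03, 0x58E9, 0x11B4, 0x6D27, 0x03FF


def mix_flat(data: bytes, seed: int = 0x9E37) -> int:
    """Flattened version: identical computation, but a disassembler now sees a
    single loop around a switch on `state`; the real control-flow edges are
    hidden in the assignments to `state` inside each case."""
    state = ENTRY
    h = i = 0
    while True:
        if state == ENTRY:                         # function prologue
            h, i, state = seed, 0, COND
        elif state == COND:                        # loop condition
            state = BODY if i < len(data) else EXIT
        elif state == BODY:                        # loop body
            h = ((h << 5) + h + data[i]) & 0xFFFF
            state = XOR if h & 1 else NEXT
        elif state == XOR:                         # taken branch of the `if`
            h ^= 0x5A5A
            state = NEXT
        elif state == NEXT:                        # loop increment
            i += 1
            state = COND
        elif state == EXIT:                        # function epilogue
            return h


def equivalent(samples) -> bool:
    """Differential check an analyst would run after de-flattening by hand:
    the recovered version must agree with the flattened one on every input."""
    return all(mix_plain(s) == mix_flat(s) for s in samples)


if __name__ == "__main__":
    print(hex(mix_plain(b"abc")), hex(mix_flat(b"abc")))
```

Real flattening passes go further than this sketch: state constants are often derived at runtime rather than stored as literals, dead cases are inserted, and the dispatcher may be split across several nested loops. The recovery strategy is the same, though: identify the state variable, map each case back to a basic block, and rebuild the edges from the state assignments.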

P8LOADER, written in C++, can execute arbitrary payloads either from a file or directly from memory. The threat actors also use POWERSEAL, a customized PowerShell runner that executes supplied PowerShell scripts or commands.

Multiple Threatening Capabilities Found in SPECTRALVIPER

SPECTRALVIPER exhibits a range of capabilities that contribute to its harmful activity. Its PE loading and injection functionality lets it load and inject executable files for both x86 and x64 targets, so malicious code can run inside legitimate processes, camouflaging its activity and evading detection.

Another noteworthy capability of SPECTRALVIPER is access token impersonation. By impersonating the Windows access token of another user or process, the malware can act with the privileges of the impersonated principal, which may be higher than those of the compromised account, circumventing access controls and manipulating sensitive resources beyond its original scope.

Furthermore, SPECTRALVIPER can download files to and upload files from the compromised system. This lets the attacker exfiltrate sensitive data from the victim's machine or deliver additional malicious payloads, expanding control and persistence within the compromised environment.

In addition, the backdoor can manipulate files and directories on the compromised system, including creating, deleting, modifying and moving them. This gives the attacker broad control over the victim's file system to suit their objectives.

Together, these capabilities let the attacker carry out a range of malicious activities while maintaining persistence and control over the compromised system.

Potential Connection to Other Cybercriminal Groups

Notably, the activity associated with REF2754 shows tactical similarities with another activity group tracked as REF4322, which primarily targets Vietnamese entities and deploys a post-exploitation implant known as PHOREAL (also known as Rizzo).

These overlaps have led to the hypothesis that REF4322 and REF2754 may represent coordinated campaigns orchestrated by a Vietnamese state-affiliated threat entity, pointing to possible nation-state involvement in these sophisticated and targeted cyber operations.
