New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies

2023-06-10 12:04

Vietnamese public companies have been targeted as part of an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER. "SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities," Elastic Security Labs said in a Friday report.

The attacks have been attributed to an actor it tracks as REF2754, which overlaps with a Vietnamese threat group known as APT32, Canvas Cyclone, Cobalt Kitty, and OceanLotus.

Meta, in December 2020, linked the activities of the hacking crew to a cybersecurity company named CyberOne Group.

In the latest infection flow unearthed by Elastic, the SysInternals ProcDump utility is leveraged to load an unsigned DLL file that contains DONUTLOADER, which, in turn, is configured to load SPECTRALVIPER and other malware such as P8LOADER or POWERSEAL. SPECTRALVIPER is designed to contact an actor-controlled server and awaits further commands while also adopting obfuscation methods like control flow flattening to resist analysis.

Also used is a purpose-built PowerShell runner named POWERSEAL that's equipped to run supplied PowerShell scripts or commands.

REF2754 is said to share tactical commonalities with another group dubbed REF4322, which is known to primarily target Vietnamese entities to deploy a post-exploitation implant referred to as PHOREAL. The connections have raised the possibility that "Both REF4322 and REF2754 activity groups represent campaigns planned and executed by a Vietnamese state-affiliated threat."

News URL

https://thehackernews.com/2023/06/new-spectralviper-backdoor-targeting.html

#backdoor #vietnamese