
New SpectralViper backdoor used in an attack against Vietnamese public companies

Using open source projects as a malware customization strategy


A new backdoor named SpectralViper has been used in an attack on Vietnamese public companies. Elastic Security Labs has found that it is a previously unknown, heavily obfuscated 64-bit backdoor that provides PE loading and injection, file upload and download, file and directory manipulation, and token impersonation. The attack has been attributed to an actor tracked as REF2754, which appears to be associated with the Vietnamese threat group APT32. The campaign appears to target primarily Vietnamese public companies. Elastic Security Labs also detected other malware, such as P8Loader and PowerSeal, used to load SpectralViper. The attack technique involves using SysInternals ProcDump to load an unsigned DLL containing DonutLoader, which in turn is configured to load SpectralViper and other malware such as P8Loader or PowerSeal.

The SpectralViper backdoor

SpectralViper is designed to contact a server controlled by the threat actor and wait for further commands, and it uses obfuscation techniques such as control-flow obfuscation to resist analysis. P8Loader, written in C++, can launch arbitrary payloads from a file or from memory. In addition, a purpose-built PowerShell runner called PowerSeal is used, which can execute supplied PowerShell scripts or commands. In December 2020, Meta linked the hacker group's activities to a cybersecurity firm called CyberOne Group. However, the connection between REF2754 and CyberOne Group has not yet been confirmed. These connections raised the possibility that "both the REF4322 and REF2754 task groups represent campaigns planned and executed by a threat associated with the Vietnamese state."

REF2754 and REF4322: a possible threat associated with the Vietnamese state

REF2754 and REF4322 appear to share many commonalities, such as a focus on Vietnamese targets and the use of a backdoor as the primary tool of their attacks. REF4322 is distinguished by its use of a post-exploitation implant known as PHOREAL (or RIZZO). These commonalities suggest that both groups may actually be campaigns planned and executed by a threat associated with the Vietnamese state. However, at the time of writing, there is no definitive evidence to confirm this theory.

The use of open source projects in the Somnirecord malware

The attack group tracked as REF2924 has been associated with another piece of malware, Somnirecord, which uses DNS queries to communicate with a remote server and thereby bypasses network security controls. Somnirecord and Naplistener incorporate open source projects to extend their capabilities. This allows them to retrieve information about the infected machine, list all running processes, deploy a web shell, and launch any executable already present on the system. The use of open source projects indicates that the attackers are tailoring existing tools to their specific needs and may be trying to hinder attribution of their attacks.
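Somnirecord's use of DNS queries as a command channel, seen from the defender's side, as an added example that is not from the Elastic report or the malware itself: a small Python profiler that scores a DNS query log per zone for tunnelling traits (many never-repeating, long, high-entropy leftmost labels, often TXT lookups). The log format, the thresholds and the zone c2-placeholder.test are constructed assumptions, not indicators from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, not real traffic: "<time> <client> <query_name> <qtype>"; c2-placeholder.test is fictitious.
SAMPLE_DNS_LOG = """\
2023-06-10T15:53:01Z 10.0.0.5 www.example.com A
2023-06-10T15:53:02Z 10.0.0.5 mail.example.com MX
2023-06-10T15:53:02Z 10.0.0.5 cdn.example.com A
2023-06-10T15:53:03Z 10.0.0.7 4a6f686e20446f6520313233.c2-placeholder.test TXT
2023-06-10T15:53:03Z 10.0.0.7 7a8b9c0d1e2f3a4b5c6d7e8f.c2-placeholder.test TXT
2023-06-10T15:53:04Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4.c2-placeholder.test TXT
2023-06-10T15:53:04Z 10.0.0.7 c3d2e1f0a9b8c7d6e5f4a3b2.c2-placeholder.test TXT
2023-06-10T15:53:05Z 10.0.0.7 9988776655443322110ffeed.c2-placeholder.test TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads in labels score well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_dns_log(text: str):
    """Parse the constructed log format into (client, lowercase name, qtype) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [(p[1], p[2].lower().rstrip("."), p[3]) for p in rows if len(p) == 4]

def profile_zones(records):
    """Per-zone statistics; the zone is approximated as the last two labels (simplification)."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "len": 0, "txt": 0})
    for _client, name, qtype in records:
        labels = name.split(".")
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["subs"].add(labels[0])          # distinct leftmost labels seen for this zone
        s["ent"] += shannon_entropy(labels[0])
        s["len"] += len(labels[0])
        s["txt"] += qtype == "TXT"        # TXT answers can carry data back to the client
    return stats

def suspicious_zones(records, min_queries=5, min_entropy=3.0, min_label_len=20):
    """Flag zones whose leftmost labels look like encoded data rather than hostnames."""
    flagged = {}
    for zone, s in profile_zones(records).items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        avg_ent, avg_len = s["ent"] / s["queries"], s["len"] / s["queries"]
        # Never-repeating, long, high-entropy labels: data is riding in the query names.
        if len(s["subs"]) == s["queries"] and avg_ent >= min_entropy and avg_len >= min_label_len:
            flagged[zone] = {"queries": s["queries"], "avg_entropy": round(avg_ent, 2),
                             "txt_ratio": s["txt"] / s["queries"]}
    return flagged
```

Thresholds need tuning per environment, since CDNs and some security products also emit long, high-entropy labels under a single zone.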


06/10/2023 15:53

Editorial AI
