
SPECTRALVIPER Unleashed: Vietnamese Hackers Strike, Dealing a Devastating Blow to Local Companies

By Esme Greene

Jul 3, 2023
SPECTRALVIPER Devastates Vietnamese Firms

Elastic Security Labs, a team of cybersecurity researchers, has uncovered a new malicious campaign that specifically targets public organizations in Vietnam. The campaign uses a previously unknown backdoor named SPECTRALVIPER, which gives the attackers extensive control over compromised systems.

Unveiling the Complex SPECTRALVIPER Backdoor and its Connections to APT32 in Vietnam

In-depth analysis shows that SPECTRALVIPER is a heavily obfuscated 64-bit backdoor with a wide array of capabilities. These include downloading and injecting PE files, manipulating and sharing files and directories, and impersonating tokens to gain unauthorized access.

The attacks have been attributed to a threat actor known as REF2754, believed to have connections with the notorious Vietnamese hacker group APT32, which operates under various aliases like Canvas Cyclone, Bismuth, Cobalt Kitty, and OceanLotus. Notably, in December 2020, Facebook linked the group’s activities to a legitimate Vietnamese IT company called CyberOne Group.

Elastic Security Labs researchers recently documented an infection scenario in which the attackers used the Sysinternals ProcDump utility to download an unsigned DLL file containing DONUTLOADER. This loader is configured to execute SPECTRALVIPER along with other malware such as P8LOADER or POWERSEAL.

SPECTRALVIPER is designed to establish communication with the attackers' command and control (C2) server and await further instructions. To hinder analysis, the backdoor uses obfuscation techniques such as control flow flattening, which makes it harder to detect and reverse engineer.

The C++-based P8LOADER can execute arbitrary payloads either from files or directly from memory. The campaign also employs a specialized PowerShell launcher known as POWERSEAL, which runs supplied PowerShell scripts or commands.

Security experts have observed tactical similarities between REF2754 and another threat group known as REF4322, which primarily focuses on Vietnamese targets for deploying a post-exploitation implant called PHOREAL (also known as Rizzo).

These similarities raise the possibility that both REF4322 and REF2754 are state-supported operations carried out with the backing of the Vietnamese government.

Another group, tracked as REF2924, has been associated with a different malware family called SOMNIRECORD. This malware uses DNS queries to communicate with a remote server, which lets it bypass network security controls that only inspect conventional C2 channels.

Like NAPLISTENER, SOMNIRECORD builds on existing open-source projects to extend its capabilities. This lets the malware gather extensive information about the infected machine, list all running processes, deploy a web shell, and execute any executable file already present on the compromised system.
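DNS-based C2 of the kind described for SOMNIRECORD tends to leave a recognisable trace in resolver logs: one client issuing many unique, high-entropy subdomains under a single parent domain. The following heuristic detector, an added example that is not Elastic's or the article's code, runs over constructed log lines in an assumed `timestamp client qname` format and approximates the parent domain as the last two labels (no public-suffix handling).

```python
"""Heuristic detector for DNS-channel C2 over constructed query logs (added
example, not from the article or Elastic). Assumed log format per line:
'<timestamp> <client_ip> <queried_name>'."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def detect_dns_channel(log_lines, min_unique=10, min_entropy=3.0):
    """Return {(client, parent_domain): (unique_subdomains, mean_entropy)}
    for pairs that exceed both thresholds. Parent domain is approximated
    as the last two labels (assumption: no public-suffix list)."""
    subs = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # bare second-level lookups carry no subdomain to inspect
        parent = ".".join(labels[-2:])
        subs[(client, parent)].add(".".join(labels[:-2]))
    hits = {}
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if mean_ent >= min_entropy:
            hits[key] = (len(names), round(mean_ent, 2))
    return hits


# Constructed sample: a few ordinary lookups from 10.0.0.5, and 12 unique
# hash-like subdomains from 10.0.0.9 under a placeholder domain, the shape
# produced when an implant encodes data into query names.
BENIGN = [f"2023-06-01T10:00:0{i} 10.0.0.5 {h}.example.com"
          for i, h in enumerate(["www", "mail", "www", "cdn", "www"])]
SUSPECT = [f"2023-06-01T10:01:{i:02d} 10.0.0.9 "
           f"{hashlib.sha256(str(i).encode()).hexdigest()[:32]}.c2-placeholder.net"
           for i in range(12)]
SAMPLE_LOG = BENIGN + SUSPECT

if __name__ == "__main__":
    for (client, parent), (n, ent) in detect_dns_channel(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {n} unique subdomains, mean entropy {ent}")
```

Thresholds are starting points; tune `min_unique` and `min_entropy` against a baseline of your own resolver traffic, since CDN and telemetry domains can also generate many distinct labels.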
