Highlights:

  • NAPLISTENER and SOMNIRECORD are noteworthy, according to the researchers, because they both depend on open-source code projects to provide some or all of their capabilities.
  • The attack strategies currently employed against targets will still be used, according to the researchers’ prediction, which they made with a moderate degree of confidence.

A previously little-known attack group from Southeast Asia has been actively pursuing businesses all over the globe to steal data using new malware forms.

According to researchers at Elastic Security Labs, the security research division of Elastic Inc., the group is tracked as “REF2924” and is known for the malware it has produced. The first executable found to carry the new malware was Wmdtc.exe, also known as “NAPLISTENER,” discovered in January. In February, KavUpdate.exe, also known as “SOMNIRECORD,” was found to contain a second new form of malware.

Wmdtc.exe is installed as a Windows Service under a name chosen to resemble the legitimate binary used by the Microsoft Distributed Transaction Coordinator service. The malware’s HTTP listener is written in C#, hence the name NAPLISTENER. KavUpdate.exe, also known as SOMNIRECORD, is a straightforward loader program written in .NET.
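The service-name masquerade described above (a binary installed under a name one or two characters away from a legitimate Windows service binary) is something a defender can hunt for directly. The following is an added example, not code from the original article or from Elastic Security Labs: it scores each service's image path against a small, hypothetical known-good list with an edit-distance check and flags near-miss names as well as exact names running from an unexpected directory. The service inventory is constructed for illustration; the real lookalike name is the Wmdtc.exe from the article, compared against msdtc.exe, which is the genuine MSDTC binary.

```python
"""Hunt for Windows service binaries that masquerade as legitimate ones.

Added example (not the article's or Elastic's code). Two checks:
  * "lookalike": the file name is within a few edits of a known-good binary
    but is not that binary (e.g. wmdtc.exe vs. msdtc.exe).
  * "wrong_path": the file name matches exactly but runs from a directory
    other than the one the legitimate binary lives in.
KNOWN_GOOD and SAMPLE_SERVICES are small constructed seeds; a real hunt would
load the baseline from a golden image and the inventory from the registry
(HKLM\\SYSTEM\\CurrentControlSet\\Services) or `sc query`.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed baseline: legitimate binary name -> directory it normally runs from.
KNOWN_GOOD = {
    "msdtc.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}


@dataclass(frozen=True)
class ServiceEntry:
    name: str        # service short name
    image_path: str  # raw ImagePath value, possibly quoted and with arguments


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_image_path(image_path: str) -> tuple[str, str]:
    """Return (directory, file name), lower-cased, from an ImagePath value.

    Handles both quoted paths with arguments and bare paths. Uses ntpath so the
    backslash parsing works on any host, not just Windows.
    """
    raw = image_path.strip()
    if raw.startswith('"'):
        exe = raw[1:raw.find('"', 1)]
    else:
        exe = raw.split(" ", 1)[0]
    directory, filename = ntpath.split(exe)
    return directory.lower(), filename.lower()


def check_service(entry: ServiceEntry, known_good: dict[str, str] = KNOWN_GOOD,
                  max_distance: int = 2) -> tuple[str, str]:
    """Classify one service as ok / wrong_path / lookalike / unmatched."""
    directory, filename = split_image_path(entry.image_path)
    if filename in known_good:
        if directory == known_good[filename]:
            return ("ok", filename)
        return ("wrong_path", f"{filename} runs from {directory!r}, "
                              f"expected {known_good[filename]!r}")
    # Nearest legitimate name by edit distance; flag only small, non-zero gaps.
    nearest = min(known_good, key=lambda legit: levenshtein(filename, legit))
    dist = levenshtein(filename, nearest)
    if 0 < dist <= max_distance:
        return ("lookalike", f"{filename} is {dist} edit(s) from {nearest}")
    return ("unmatched", filename)


def audit(services: list[ServiceEntry]) -> list[tuple[str, str, str]]:
    """Return (service name, verdict, detail) for every flagged service."""
    findings = []
    for svc in services:
        verdict, detail = check_service(svc)
        if verdict in ("lookalike", "wrong_path"):
            findings.append((svc.name, verdict, detail))
    return findings


# Constructed inventory: one clean MSDTC, the Wmdtc lookalike from the article,
# a svchost copy in a user-writable directory, and an unrelated legitimate service.
SAMPLE_SERVICES = [
    ServiceEntry("MSDTC", r"C:\Windows\System32\msdtc.exe"),
    ServiceEntry("Wmdtc", r"C:\ProgramData\Wmdtc.exe"),
    ServiceEntry("svchost", r'"C:\Users\Public\svchost.exe" -k netsvcs'),
    ServiceEntry("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, verdict, detail in audit(SAMPLE_SERVICES):
        print(f"[{verdict}] {name}: {detail}")
```

The edit-distance threshold is deliberately small: at 2 it catches a one- or two-character swap such as Wmdtc against msdtc while leaving genuinely different names alone. Raising it quickly produces noise from short legitimate names, so tune it per baseline and pair the output with the directory check, since an exact name in an odd location is the more common masquerade.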

NAPLISTENER and SOMNIRECORD are noteworthy, according to the researchers, because they both depend on open-source code projects to provide some or all of their capabilities. This conceals the adversary and their capabilities while reducing the effort required to create capabilities. Both were also discovered to use legal and expected network protocols to avoid network-based forms of detection: NAPLISTENER uses HTTP and SOMNIRECORD uses DNS.

Elastic Security Labs has seen NAPLISTENER and SOMNIRECORD only alongside SIESTAGRAPH, which likewise tried to evade detection by mimicking legitimate activity. SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD have been deployed in environments where network-based visibility is strongly favored over endpoint-based detection. The researchers assess that the adversary is moderately to highly knowledgeable about regional security practices.

The researchers also discovered that REF2924 used webshells, which are backdoors created in web-based languages and displayed using the web server, in addition to these two novel techniques for malware persistence. Code resemblance suggests that these webshells also took code from open-source projects and used it in new ways, even though this is a common tactic used by threat actors.

Eviction attempts by targeted organizations led to the development and subsequent deployment of SOMNIRECORD, shifting the adversary’s priorities from data theft to contingency planning.

According to the researchers, the attack strategies currently employed against targets will continue to be used. These include webshells, in-line malicious proxy relays, and malicious IIS components.