NAPLISTENER Malware Linked to APT Known as REF2924, Targeting Systems to Compromise

The group known as REF2924 has recently been detected using a new type of malware, which has been named NAPLISTENER by Elastic Security Labs.

The malware is an HTTP listener created using C# and is designed to evade detection measures that rely on network analysis. REF2924 has been linked to several attacks in South and Southeast Asia, including against an entity in Afghanistan and the Foreign Affairs Office of an ASEAN member in 2022. This group appears to have similarities with another hacking group called ChamelGang, which was documented by Positive Technologies in October 2021. REF2924's attacks have taken advantage of internet-exposed Microsoft Exchange servers, using backdoors such as DOORME, SIESTAGRAPH, and ShadowPad.

DOORME is an IIS backdoor module that provides remote access to a contested network and allows for the execution of additional malware and tools. SIESTAGRAPH employs Microsoft's Graph API for command-and-control, with the ability to run arbitrary commands and upload and download files. ShadowPad is a privately sold modular backdoor that enables persistent access to compromised computers and allows for the execution of shell commands and payloads.

Notably, the use of ShadowPad suggests a potential link to Chinese hacking groups, which have used this malware in various campaigns over the years. NAPLISTENER has now been added to REF2924's expanding arsenal of malware; it disguises itself as a legitimate service in an effort to avoid detection and establish persistent access.

What Are APTs or Advanced Persistent Threat Actors?

APTs, or Advanced Persistent Threat actors, are highly skilled and well-funded groups of attackers who use sophisticated methods to gain unauthorized access to computer networks and systems for extended periods of time. Unlike traditional hackers who may carry out attacks for financial gain or notoriety, APT actors often have specific political or strategic objectives, such as stealing sensitive data, intellectual property, or confidential information.

APTs typically use a range of techniques to compromise systems, including social engineering, spear phishing, and malware attacks. Once they gain access, they use a variety of tactics to maintain a foothold on the network, such as installing backdoors, creating hidden user accounts, or exploiting vulnerabilities. They may also use a variety of advanced techniques to evade detection, such as fileless malware, encryption, or command and control (C2) infrastructure that is difficult to trace.

APTs are often associated with nation-state actors, although they can also be used by criminal organizations or other groups with significant resources and motivations. They can pose a significant threat to organizations, as they may be able to stay undetected for long periods of time, allowing them to steal valuable information or cause significant damage to systems. As such, it is important for organizations to be aware of the threat posed by APTs and to take steps to protect themselves against these types of attacks.

March 23, 2023