REF2924, a threat group responsible for attacks on entities in South and Southeast Asia, has been observed deploying a previously unseen malware called NAPLISTENER. The malware is written in C# and is designed to evade network-based detection. REF2924's tradecraft overlaps with that of ChamelGang, another hacking group. REF2924's earlier attacks exploited internet-exposed Microsoft Exchange servers to deploy the backdoors DOORME, SIESTAGRAPH, and ShadowPad, which provide remote access and command-and-control and maintain persistent access to compromised hosts. The use of ShadowPad is notable because it suggests a potential link to China-based hacking groups.

NAPLISTENER extends this arsenal: it masquerades as a legitimate Windows service to establish persistent access. The group has also been found to borrow or repurpose code from open source projects hosted on GitHub when building its own tools, indicating that it is actively honing a variety of capabilities.

Separately, a Vietnamese organization was targeted in late December 2022 by a previously unknown Windows backdoor called PIPEDANCE, which facilitated post-compromise and lateral movement activity, including deployment of Cobalt Strike.
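One practical response to a backdoor that persists by posing as a legitimate service is to triage the host's service inventory for names that claim a Microsoft identity the binary cannot back up. The script below is an added example, not code from the Elastic report, The Hacker News, or INFRA; the heuristic (trusted directories, Microsoft-signed binaries) is an assumption about a default Windows install, and the inventory rows are constructed, with the two suspicious entries (MsNetListener, WinUpdateSvc) invented for illustration rather than taken from the REF2924 reporting.

```python
"""Triage a Windows service inventory for binaries masquerading as Microsoft
services. Added example with constructed data; not from the original report."""
import csv
import io
import ntpath
from dataclasses import dataclass

# Constructed sample of the kind of inventory you get from
# Get-CimInstance Win32_Service plus an Authenticode signer lookup, as CSV.
# MsNetListener and WinUpdateSvc are hypothetical entries for this example.
SAMPLE_INVENTORY_CSV = """\
name,display_name,binary_path,signed_by
Schedule,Task Scheduler,C:\\Windows\\System32\\svchost.exe,Microsoft Windows
WinDefend,Microsoft Defender Antivirus Service,C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2302.7-0\\MsMpEng.exe,Microsoft Windows
MsNetListener,Microsoft Network Listener,C:\\ProgramData\\Updates\\listener.exe,
WinUpdateSvc,Windows Update Helper,C:\\Windows\\System32\\wuhelper.exe,Contoso Ltd
"""

# Directories a Microsoft-owned service binary is normally expected to run from.
# Assumption: default Windows layout; adjust for your estate.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Words in a service or display name that assert a Microsoft identity.
CLAIM_WORDS = ("microsoft", "windows")


@dataclass(frozen=True)
class ServiceRecord:
    name: str          # short service name
    display_name: str  # name shown in services.msc
    binary_path: str   # executable path with arguments stripped
    signed_by: str     # Authenticode signer subject, "" if unsigned


def parse_inventory(csv_text: str) -> list[ServiceRecord]:
    """Parse the CSV export into ServiceRecord objects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        ServiceRecord(row["name"], row["display_name"],
                      row["binary_path"], row["signed_by"])
        for row in reader
    ]


def _in_trusted_dir(path: str) -> bool:
    folder = ntpath.dirname(path).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)


def _signed_by_microsoft(signer: str) -> bool:
    # Microsoft-signed binaries carry subjects such as "Microsoft Windows"
    # or "Microsoft Corporation".
    return signer.lower().startswith("microsoft")


def flag_masquerading_services(records: list[ServiceRecord]) -> dict[str, list[str]]:
    """Return {service_name: [reasons]} for services whose name claims a
    Microsoft identity but whose binary is not Microsoft-signed. The binary's
    location is reported as a second reason when it also sits outside the
    trusted directories; a Microsoft-signed binary is never flagged, which
    keeps legitimate services that run from ProgramData (e.g. Defender) quiet."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        label = (rec.name + " " + rec.display_name).lower()
        if not any(word in label for word in CLAIM_WORDS):
            continue
        if _signed_by_microsoft(rec.signed_by):
            continue
        reasons = []
        if rec.signed_by:
            reasons.append(f"signed by {rec.signed_by!r}, not Microsoft")
        else:
            reasons.append("unsigned")
        if not _in_trusted_dir(rec.binary_path):
            reasons.append(f"runs from {ntpath.dirname(rec.binary_path)}")
        findings[rec.name] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in flag_masquerading_services(
            parse_inventory(SAMPLE_INVENTORY_CSV)).items():
        print(f"{svc}: {'; '.join(reasons)}")
```

The signature check is the decisive test; the path check only adds context, because genuine Microsoft services do run from outside System32 (Defender's engine lives under ProgramData), so flagging on location alone would drown the result in false positives. On a live host, feed the function the real service list and a signer lookup (for example Get-AuthenticodeSignature) instead of the constructed CSV.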
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net
Source: The Hacker News