REF2924 group uses Microsoft Exchange to deploy backdoors

NAPLISTENER masquerades as msdtc.exe and bypasses detection tools.

Security researchers from Elastic Security Labs found that the REF2924 group has shifted from espionage to establishing persistent access inside targeted networks. The attackers have recently added a new backdoor called NAPLISTENER to their arsenal.

According to the Elastic Security Labs report, REF2924 is using NAPLISTENER against targets in South and Southeast Asia.

NAPLISTENER (Wmdtc.exe) is a C#-based backdoor that impersonates the Microsoft Distributed Transaction Coordinator (msdtc.exe) to avoid detection and maintain persistence on the network.

The backdoor creates an HTTP request listener to accept and process incoming requests, filtering out the attacker's commands so that they blend in with legitimate web traffic. NAPLISTENER then reads the submitted data, decodes it and executes it in memory.

Analysis of the NAPLISTENER source code, in particular identical debug strings and logic, indicates that the REF2924 operators borrowed code from a GitHub project called SharpMemshell.

Along with NAPLISTENER, the group has used several additional tools in its recent campaigns. The attackers compromise Internet-facing Microsoft Exchange servers to deploy several backdoors: SIESTAGRAPH, DOORME and ShadowPad.

  • DOORME is an IIS-based backdoor module that gives the attackers remote access to the target network and lets them deploy further malware;
  • SIESTAGRAPH abuses the Microsoft Graph API to communicate with the C2 server via Outlook and OneDrive. The backdoor can upload files to and download files from OneDrive, as well as execute arbitrary commands through the command line;
  • ShadowPad is the successor to PlugX; it allows the attackers to establish persistence, run shell scripts on infected machines and deploy additional payloads as needed.

The use of open source GitHub projects and legitimate online artifacts indicates that REF2924 is moving towards long-term persistence and defence evasion. Such attacks can be detected by deploying EDR (endpoint detection and response), a system for detecting and investigating malicious activity on endpoints.
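One concrete endpoint check that follows from the report is to flag process images whose name is a near-miss of msdtc.exe (the binary NAPLISTENER's Wmdtc.exe imitates) or whose name is correct but whose path is not. The script below is an added example, not Elastic's code; the expected System32 path, the Sysmon-style `Image` field and the sample events are constructed assumptions.

```python
"""Flag processes that masquerade as msdtc.exe, the binary NAPLISTENER imitates.
Constructed example for illustration; event shapes and paths are assumptions."""
from typing import List, Optional

# Assumption: directory where the legitimate image is expected to live (lower-case).
EXPECTED_IMAGES = {"msdtc.exe": r"c:\windows\system32"}
# Legitimate neighbours within edit distance 2 of msdtc.exe; keep an allowlist
# or the rule fires on every Remote Desktop client launch.
KNOWN_GOOD = {"mstsc.exe"}
MAX_DISTANCE = 2  # character edits still treated as a lookalike name


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(image_path: str) -> Optional[str]:
    """Return a finding for a lookalike name or a real name in the wrong place."""
    lowered = image_path.lower().replace("/", "\\")
    directory, _, name = lowered.rpartition("\\")
    for legit, legit_dir in EXPECTED_IMAGES.items():
        if name == legit:
            if directory != legit_dir:
                return f"{legit} running from unexpected path: {image_path}"
            return None
        if name not in KNOWN_GOOD and levenshtein(name, legit) <= MAX_DISTANCE:
            return f"lookalike of {legit}: {image_path}"
    return None


def scan(events: List[dict]) -> List[str]:
    """Run classify_process over process-creation events (Sysmon-style 'Image' field)."""
    return [f for f in (classify_process(e["Image"]) for e in events) if f]


# Constructed sample telemetry: two legitimate processes, one lookalike
# (the NAPLISTENER file name from the report) and one real name in a user path.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdtc.exe"},
    {"Image": r"C:\Windows\System32\mstsc.exe"},
    {"Image": r"C:\Windows\System32\Wmdtc.exe"},
    {"Image": r"C:\Users\Public\msdtc.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running it on the constructed events reports the Wmdtc.exe lookalike and the msdtc.exe copy outside System32, while the two legitimate processes stay silent.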
