
Vietnamese hackers deal a devastating blow to local companies using the SPECTRALVIPER backdoor


Friendly fire: Vietnamese hackers deal a devastating blow to local companies with the SPECTRALVIPER backdoor

Why is the Vietnamese government sponsoring cybercriminal activities against its own organizations?

Cybersecurity experts from Elastic Security Labs discovered a new malware campaign targeting public organizations in Vietnam. The attackers use the previously unknown SPECTRALVIPER backdoor, which has a wide range of capabilities to control infected systems.

According to the researchers, SPECTRALVIPER is a new, heavily obfuscated 64-bit backdoor that supports downloading and injecting PE files, uploading, downloading and manipulating files and directories, and token impersonation.

The attacks are attributed to an actor codenamed REF2754, which overlaps with the Vietnamese hacker group APT32, also known as Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. In December 2020, Facebook* even linked the activities of this group to the legitimate Vietnamese IT company CyberOne Group.

In the latest infection scenario discovered by Elastic Security Labs researchers, the attackers used the Sysinternals ProcDump utility to load an unsigned DLL containing DONUTLOADER. This loader is configured to launch SPECTRALVIPER and other malware such as P8LOADER or POWERSEAL.

SPECTRALVIPER is designed to communicate with the attackers’ C2 server and wait for further commands. It applies obfuscation techniques such as control flow flattening to resist analysis.

P8LOADER, written in C++, is capable of launching arbitrary payloads from a file or directly from memory. The attackers also use a dedicated PowerShell launcher called POWERSEAL, which runs the PowerShell scripts or commands supplied to it.

Experts point out that REF2754 shares tactical similarities with another group codenamed REF4322, which mainly targets Vietnamese organizations to deploy a post-exploitation implant called PHOREAL (aka Rizzo).

This raises the possibility that both groups REF4322 and REF2754 are operations planned and carried out with the support of the Vietnamese state.

In addition, a group codenamed REF2924 has been associated with another piece of malware called SOMNIRECORD, which uses DNS queries to contact a remote server and bypass network security mechanisms.

SOMNIRECORD, like NAPLISTENER, uses existing open source projects to improve its capabilities, allowing the malware to obtain extensive information about the infected machine, list all running processes, deploy a web shell, and run any executable file already present on the system.
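Malware that carries its command channel over DNS, as the article says SOMNIRECORD does, produces query patterns that differ from normal name resolution: a stream of lookups to one registered domain where nearly every query names a new, long, high-entropy subdomain, often for record types such as TXT that can carry arbitrary data back. The block below is an added example, not code from the Elastic report or from any tool it names: it aggregates constructed DNS log lines per registered domain and flags the ones matching that profile. The log format, thresholds and domain names are assumptions made for the example; the domains are placeholders, not indicators from the report.

```python
"""Added example (not from the Elastic report): score DNS query logs for tunnelling-style
C2 traffic of the kind the article attributes to SOMNIRECORD. Log lines are constructed
in a simple 'client qtype qname' format; thresholds and domains are example choices."""
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.5, min_label_len=20):
    """Aggregate per registered domain (crudely: the last two labels) and return those that
    look like a DNS C2 channel: enough queries, almost every one to a distinct name, and a
    leftmost label that is long and high-entropy. The TXT share is reported for context."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "txt": 0, "ent": [], "len": []})
    for line in lines:
        _client, qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        dom = ".".join(labels[-2:])
        st = stats[dom]
        st["total"] += 1
        st["names"].add(qname.lower())
        st["txt"] += qtype.upper() == "TXT"
        if len(labels) > 2:  # there is a subdomain; examine its leftmost label
            st["ent"].append(shannon_entropy(labels[0]))
            st["len"].append(len(labels[0]))
    flagged = {}
    for dom, st in stats.items():
        if st["total"] < min_queries or not st["ent"]:
            continue
        unique_ratio = len(st["names"]) / st["total"]
        avg_ent = sum(st["ent"]) / len(st["ent"])
        avg_len = sum(st["len"]) / len(st["len"])
        if unique_ratio >= min_unique_ratio and avg_ent >= min_entropy and avg_len >= min_label_len:
            flagged[dom] = {
                "queries": st["total"],
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_ent, 2),
                "txt_ratio": round(st["txt"] / st["total"], 2),
            }
    return flagged


# Constructed tunnel-style labels: 32 hex characters, each hex digit appearing exactly twice,
# so each label has exactly 4.0 bits of entropy per character.
TUNNEL_LABELS = [
    "0123456789abcdef0123456789abcdef",
    "fedcba9876543210fedcba9876543210",
    "0123456789abcdeffedcba9876543210",
    "abcdef0123456789abcdef0123456789",
    "9876543210fedcba9876543210fedcba",
    "13579bdf02468ace13579bdf02468ace",
]

# Constructed log lines: ordinary repeated lookups of a few names, plus six TXT queries
# to unique high-entropy subdomains of a placeholder domain.
SAMPLE_LINES = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A www.example.com",
    "10.0.0.7 A mail.example.com",
    "10.0.0.5 A www.example.com",
    "10.0.0.9 A example.com",
    "10.0.0.9 A intranet.corp.example",
] + [f"10.0.0.5 TXT {label}.c2-placeholder.test" for label in TUNNEL_LABELS]

if __name__ == "__main__":
    for dom, info in score_domains(SAMPLE_LINES).items():
        print("SUSPECT DNS CHANNEL:", dom, info)
```

Taking the last two labels as the registered domain is a simplification that misfires on suffixes such as co.uk; a production version would use the Public Suffix List. The thresholds are starting points to be tuned against a baseline of the network's own resolver logs, since CDNs and some security products also generate long machine-looking labels.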

“The use of open source projects by attackers indicates that they are taking steps to customize existing tools for their specific needs, as well as to try to counter potential malware detection and analysis,” Elastic said in the report.


* Meta and its products (Instagram and Facebook) have been designated as extremist, and their activities are prohibited on the territory of the Russian Federation.


Source: www.securitylab.ru
