UPDATED 09:00 EDT / MARCH 20 2023

Asian attack group deploys new forms of malware to target companies

A previously little-documented attack group based in Southeast Asia has been actively targeting companies worldwide to steal data using new forms of malware.

Tracked as “REF2924” by researchers at Elastic Security Labs, the security research arm of Elastic Inc., the group is notable for the malware it has created, the researchers said today. The first new malware detected, in January, was an executable named Wmdtc.exe, dubbed “NAPLISTENER.” It was followed in February by a second new family with the filename KavUpdate.exe, dubbed “SOMNIRECORD.”

Wmdtc.exe is installed as a Windows service under a name that closely resembles msdtc.exe, the legitimate binary of the Microsoft Distributed Transaction Coordinator service. The name NAPLISTENER comes from the malware’s HTTP listener, which is written in C#. KavUpdate.exe, or SOMNIRECORD, is written in .NET and operates as a simple loader.
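A masquerade like Wmdtc.exe versus msdtc.exe is easy to miss by eye but simple to hunt for mechanically. The following is an added example, not code from the article or from Elastic Security Labs: it parses the text of Windows System event 7045 (“A service was installed in the system”) records, flags any service whose image filename is within a small edit distance of a known system binary, and separately flags the exact legitimate name when it runs from an unexpected path. The event records, the service name “Wmdtc” and the install paths used below are constructed for the example; the expected location of msdtc.exe is an assumption about a default Windows install.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legitimate Windows service binaries that a lookalike implant might mimic,
# mapped to their expected on-disk location (assumed default install path).
KNOWN_BINARIES = {
    "msdtc.exe": r"c:\windows\system32\msdtc.exe",
}

# Flag names that differ from a known binary by at most this many edits.
MAX_EDIT_DISTANCE = 2


@dataclass
class Finding:
    service: str
    image: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(file_name: str) -> str:
    """Strip quotes and arguments from a 7045 'Service File Name' value.
    Assumes unquoted paths carry no spaces; quoted paths may."""
    file_name = file_name.strip()
    if file_name.startswith('"'):
        return file_name[1:file_name.index('"', 1)]
    return file_name.split(" ")[0]


def check_service(service: str, file_name: str) -> Optional[Finding]:
    """Return a Finding if the service image looks like a masquerade."""
    path = image_path(file_name)
    base = os.path.basename(path.replace("\\", "/")).lower()
    for legit, expected in KNOWN_BINARIES.items():
        if base == legit and path.lower() != expected:
            return Finding(service, path, f"{legit} running from unexpected path")
        distance = levenshtein(base, legit)
        if base != legit and distance <= MAX_EDIT_DISTANCE:
            return Finding(service, path, f"name mimics {legit} (edit distance {distance})")
    return None


def parse_7045(message: str) -> Tuple[str, str]:
    """Pull the service name and image from a 7045 event message body."""
    name = re.search(r"^Service Name:\s*(.+?)\s*$", message, re.M).group(1)
    file_name = re.search(r"^Service File Name:\s*(.+?)\s*$", message, re.M).group(1)
    return name, file_name


def hunt(messages: List[str]) -> List[Finding]:
    """Run the masquerade check over a batch of 7045 message bodies."""
    findings = []
    for message in messages:
        finding = check_service(*parse_7045(message))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events in the 7045 message format (not real telemetry).
SAMPLE_EVENTS = [
    "A service was installed in the system.\n\nService Name:  MSDTC\n"
    "Service File Name:  C:\\Windows\\System32\\msdtc.exe\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  Wmdtc\n"
    "Service File Name:  C:\\ProgramData\\Wmdtc\\Wmdtc.exe\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  MSDTC\n"
    "Service File Name:  \"C:\\Users\\Public\\msdtc.exe\" -svc\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  Spooler\n"
    "Service File Name:  C:\\Windows\\System32\\spoolsv.exe\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.service}: {f.image} -> {f.reason}")
```

The edit-distance threshold is deliberately small: at distance 2 it catches Wmdtc.exe against msdtc.exe without flagging unrelated short names, and the exact-name-wrong-path branch covers the other common masquerade. On a real host the same check can be fed from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` output, or extended with a signature check on the image file.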

The researchers explain that both NAPLISTENER and SOMNIRECORD are noteworthy because each relies on open-source code projects for some or all of its capabilities, which obscures the adversary’s own tradecraft while reducing the effort needed to build new capabilities. Both also ride on legitimate, expected network protocols in order to evade network-based detection: NAPLISTENER uses HTTP and SOMNIRECORD uses DNS.

Elastic Security Labs has observed NAPLISTENER and SOMNIRECORD only in conjunction with SIESTAGRAPH, which likewise attempted to evade detection by masquerading as legitimate activity. SIESTAGRAPH, NAPLISTENER and SOMNIRECORD have been deployed in environments where endpoint-based detection is uncommon and defenders rely heavily on network-based visibility. The researchers suggest that the adversary has a moderate to high degree of familiarity with regional security postures.

The researchers also found that, in addition to these two new persistence mechanisms, REF2924 deployed webshells: backdoors written in web languages and executed by the web server itself. Code similarity indicates that the webshells also borrowed or repurposed code from open-source projects, though this is a conventional approach for many threat actors.

The researchers attribute the evolution and subsequent deployment of SOMNIRECORD to eviction attempts by targeted organizations, which shifted the adversary’s priorities from data theft to contingency planning.

The researchers forecast with moderate confidence that these methods will continue to be deployed against targets through the mechanisms observed to date: malicious IIS modules, in-line malicious proxy relays and webshells.
