Vietnamese Public Companies Targeted by SPECTRALVIPER Backdoor

 

Vietnamese public companies are facing an ongoing targeted campaign involving the SPECTRALVIPER backdoor. This backdoor, previously undisclosed and in the x64 variant, offers a range of capabilities such as manipulating files, impersonating tokens, and loading PE files. Elastic Security Labs has identified these attacks as the work of REF2754, a threat actor associated with the Vietnamese APT32 group, also known as Canvas Cyclone, Cobalt Kitty, and OceanLotus.
In the latest attack chain, SysInternals ProcDump utility is utilised to load an unsigned DLL file containing DONUTLOADER, which then loads SPECTRALVIPER and other malware. 
SPECTRALVIPER establishes communication with a server controlled by the threat actor to receive commands and employs obfuscation techniques to evade analysis. Additional malware involved in these attacks includes P8LOADER, capable of launching arbitrary payloads from files or memory, and a PowerShell runner named POWERSEAL, which executes provided PowerShell scripts or commands.
REF2754 exhibits tactical similarities to another group known as REF4322, which has targeted Vietnamese entities using the PHOREAL implant. These connections suggest a high likelihood of state-affiliated threats originating from Vietnam.
Meanwhile, Check Point Research has discovered a cyb

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: