SPECTRALVIPER Backdoor Focuses on Vietnamese Public Companies

Vietnamese public companies have been targeted by the SPECTRALVIPER backdoor in an ongoing campaign. The backdoor, a previously undisclosed x64 variant, offers various capabilities including file manipulation, token impersonation, and PE loading. Elastic Security Labs attributes these attacks to REF2754, an actor associated with the Vietnamese threat group APT32 (also known as Canvas Cyclone, Cobalt Kitty, and OceanLotus).

Diving into details

  • The latest infection chain involves the use of SysInternals ProcDump utility to load an unsigned DLL file containing DONUTLOADER, which then loads SPECTRALVIPER and other malware.
  • SPECTRALVIPER contacts an actor-controlled server for commands and uses obfuscation techniques to resist analysis.
  • Other malware used includes P8LOADER and a PowerShell runner called POWERSEAL. The former can launch arbitrary payloads from a file or from memory, while the latter runs provided PowerShell scripts or commands.
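The infection chain above starts with the legitimate ProcDump utility loading an unsigned DLL. The following detection logic, added here as an example and not taken from the Cyware post or from Elastic's report, flags that behaviour over constructed Sysmon-style image-load records; the field names, the signed flag, and the sample paths are assumptions about the log format rather than values from the page.

```python
# Added example: flag ProcDump loading an unsigned DLL from outside the system directory.
# The image-load records are constructed in a Sysmon-style layout; field names, the
# signed flag and the sample paths are assumptions, not values from the Cyware post.
from dataclasses import dataclass
from typing import Iterable, List

PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str             # process that performed the load
    image_loaded: str      # path of the DLL that was loaded
    signed: bool           # whether the DLL carries an Authenticode signature
    signature_status: str  # e.g. "Valid", "Unavailable", "Expired"


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_suspicious_procdump_load(ev: ImageLoadEvent) -> bool:
    """True when ProcDump loads a DLL that is unsigned or whose signature is not
    valid, ignoring DLLs from the Windows system directories."""
    if _norm(ev.image).rsplit("/", 1)[-1] not in PROCDUMP_NAMES:
        return False
    dll = _norm(ev.image_loaded)
    if dll.startswith(SYSTEM_DIRS):
        return False  # normal OS dependencies of ProcDump
    return (not ev.signed) or ev.signature_status.lower() != "valid"


def flag_events(events: Iterable[ImageLoadEvent]) -> List[str]:
    """Return the loaded-DLL paths of every event that matches the rule."""
    return [ev.image_loaded for ev in events if is_suspicious_procdump_load(ev)]


# Constructed sample events; the DLL names under C:\Tools are placeholders.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Tools\procdump64.exe", r"C:\Windows\System32\ntdll.dll", True, "Valid"),
    ImageLoadEvent(r"C:\Tools\procdump64.exe", r"C:\Tools\example_sideload.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Windows\notepad.exe", r"C:\Tools\example_sideload.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Tools\procdump.exe", r"C:\Tools\helper_example.dll", True, "Expired"),
]

if __name__ == "__main__":
    for path in flag_events(SAMPLE_EVENTS):
        print("suspicious ProcDump DLL load:", path)
```

The rule is deliberately narrow: it only looks at loads performed by ProcDump itself, so legitimate unsigned DLLs loaded by other processes produce no hits.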
Attribution

REF2754 shares tactical similarities with another group, REF4322, which is known for targeting Vietnamese entities with the PHOREAL implant.
These connections suggest that REF2754 is likely a state-affiliated threat actor operating from Vietnam.

Latest backdoor threats

  • Check Point Research discovered a cyberespionage campaign targeting Libyan organizations using a customized backdoor called Stealth Soldier. The malware possesses advanced surveillance capabilities and is believed to be linked to a threat actor, "The Eye on the Nile."
  • The Linux malware BPFDoor has been updated with enhanced stealth capabilities, including more robust encryption and improved reverse shell communications. The latest version of BPFDoor has not been flagged as malicious by any available antivirus engines on the platform.

The bottom line

SPECTRALVIPER can be compiled as an executable or a DLL that imitates the exports of known binaries. The malware communicates over encrypted channels (HTTP and named pipe), using AES encryption with Diffie-Hellman or RSA1024 key exchange. All SPECTRALVIPER samples are heavily obfuscated with the same obfuscator at varying levels of hardening, which makes analysis difficult.
Publisher: Cyware