Vietnamese public companies are facing an ongoing targeted campaign involving the SPECTRALVIPER backdoor. This previously undisclosed x64 backdoor offers a range of capabilities, including file manipulation, token impersonation, and PE file loading. Elastic Security Labs attributes these attacks to REF2754, a threat actor associated with the Vietnamese APT32 group, also known as Canvas Cyclone, Cobalt Kitty, and OceanLotus.
In the latest attack chain, the SysInternals ProcDump utility is utilised to load an unsigned DLL containing DONUTLOADER, which in turn loads SPECTRALVIPER and other malware.
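As an added detection example (not code from the original report or from Elastic), the following Python flags image-load events in which ProcDump loads a DLL that is not validly signed, the sideloading step described above. The event layout mirrors Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus); all sample paths and values are constructed for this example.

```python
"""Flag unsigned DLLs loaded by ProcDump from Sysmon-style image-load events."""

# Constructed sample events (Sysmon Event ID 7 field names). The file names
# and paths are invented for this example and are not campaign indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\procdump64.exe",
     "ImageLoaded": r"C:\Users\Public\example_unsigned.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\other_unsigned.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Executable names under which ProcDump ships (x86 and x64 builds).
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unsigned_procdump_load(event: dict) -> bool:
    """True when ProcDump loads a DLL whose signature is absent or not valid."""
    if basename(event.get("Image", "")) not in PROCDUMP_NAMES:
        return False
    if not basename(event.get("ImageLoaded", "")).endswith(".dll"):
        return False
    signed = event.get("Signed", "").lower() == "true"
    valid = event.get("SignatureStatus", "") == "Valid"
    # Treat anything short of a present and valid signature as suspicious.
    return not (signed and valid)


def find_unsigned_procdump_loads(events: list) -> list:
    """Return the loaded-image paths of every suspicious ProcDump DLL load."""
    return [e["ImageLoaded"] for e in events if is_unsigned_procdump_load(e)]


if __name__ == "__main__":
    for hit in find_unsigned_procdump_loads(SAMPLE_EVENTS):
        print("unsigned DLL loaded by ProcDump:", hit)
```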
SPECTRALVIPER establishes communication with a server controlled by the threat actor to receive commands and employs obfuscation techniques to evade analysis. Additional malware involved in these attacks includes P8LOADER, capable of launching arbitrary payloads from files or memory, and a PowerShell runner named POWERSEAL, which executes provided PowerShell scripts or commands.
REF2754 exhibits tactical similarities to another group known as REF4322, which has targeted Vietnamese entities using the PHOREAL implant. These connections suggest a high likelihood of state-affiliated threats originating from Vietnam.
Meanwhile, Check Point Research has discovered a cyberespionage campaign targeting Libyan organizations, employing a customized backdoor named Stealth Soldier. This malware possesses advanced surveillance capabilities and is believed to be linked to a threat actor known as "The Eye on the Nile."
In the realm of Linux malware, the BPFDoor has received updates to enhance its stealth capabilities, including stronger encryption and improved reverse shell communications. Notably, the latest version of BPFDoor has not been detected as malicious by any currently available antivirus engines for the platform.
SPECTRALVIPER can be compiled as either an executable or DLL to mimic known binary exports. The malware leverages encrypted communication channels (HTTP and named pipe) with AES encryption and either Diffie-Hellman or RSA1024 key exchange. All samples of SPECTRALVIPER undergo heavy obfuscation using the same obfuscator, with varying levels of hardening, making analysis challenging.