REF2924 hackers change tactics and move to persistent access to the network

    Security researchers at Elastic Security Labs report that the REF2924 group has shifted from espionage-style collection to maintaining persistent access inside targeted networks. The group recently added a new backdoor, NAPLISTENER, to its toolset.

    According to the Elastic Security Labs report, REF2924 has deployed NAPLISTENER against organizations in South and Southeast Asia.

    NAPLISTENER is a C# backdoor that ships as Wmdtc[.]exe, a file name chosen to look like the legitimate Microsoft Distributed Transaction Coordinator (msdtc[.]exe), so that it blends in with normal Windows processes while maintaining persistent access.

    The backdoor registers an HTTP request listener and filters the requests it receives: only requests carrying the operator's expected parameters are treated as commands, so to a network sensor the traffic looks like ordinary web traffic to the server. From a matching request NAPLISTENER reads the submitted data, decodes it and executes the result in memory.

    Analysis of NAPLISTENER's code, in particular debug strings and logic identical to those in the public GitHub project SharpMemshell, indicates that REF2924 borrowed code from that project.

    Alongside NAPLISTENER, the group has used several other tools in its recent campaigns. The attackers compromise Internet-facing Microsoft Exchange servers and deploy further backdoors on them: SIESTAGRAPH, DOORME and ShadowPad.

    • DOORME is a backdoor implemented as an IIS module; it gives the attackers remote access to the target network and a foothold from which to deploy more malware;
    • SIESTAGRAPH abuses the Microsoft Graph API to reach its C2 through Outlook and OneDrive. It can upload files to and download files from OneDrive and execute arbitrary commands through the command line;
    • ShadowPad is a successor to PlugX that lets the attackers establish persistence, run shell commands on infected machines and deploy additional payloads as needed.

    The reuse of open-source GitHub projects and of legitimate online services (Microsoft Graph, OneDrive, Outlook) shows REF2924 investing in persistence and in evading security controls. Endpoint visibility is the practical counter: an EDR that records process creation, image paths and signatures, and network listener activity can surface a masquerading binary such as Wmdtc[.]exe or an unexpected HTTP listener and let analysts investigate it.
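    As an added example for this article (not code from Elastic Security Labs, from NAPLISTENER, or from the SharpMemshell project), the Python below sketches the host-side checks an EDR would make against the two traits described above: a binary whose name imitates msdtc.exe, and a non-web-server process that has registered an HTTP listener. The process events, the http.sys registrations, the URL prefix, the allowlists and the 0.8 similarity threshold are all constructed for illustration and are not taken from the real sample or report.

```python
"""Toy EDR-style triage for an msdtc.exe lookalike that opens an HTTP listener.

Added example for this article; not code from Elastic Security Labs or from
NAPLISTENER itself. Every event below is constructed for illustration.
"""
import difflib

# Expected on-disk location of a few Windows service binaries (assumption:
# default install paths; extend for SysWOW64 or custom installs).
KNOWN_BINARIES = {
    "msdtc.exe": r"c:\windows\system32\msdtc.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}

# Images that legitimately register HTTP prefixes with http.sys on a typical
# Exchange/IIS host (assumption for this example; "system" is PID 4).
WEB_SERVER_IMAGES = {"w3wp.exe", "system"}

# Parents that should rarely spawn new service-like executables. A child of
# the IIS worker is interesting because IIS-module backdoors live there.
SUSPICIOUS_PARENTS = {"w3wp.exe"}

# Constructed process-creation events (not real telemetry).
SAMPLE_PROCESSES = [
    {"pid": 1234, "name": "msdtc.exe", "path": r"C:\Windows\System32\msdtc.exe",
     "signer": "Microsoft Windows", "parent": "services.exe"},
    {"pid": 4321, "name": "Wmdtc.exe", "path": r"C:\Windows\Temp\Wmdtc.exe",
     "signer": None, "parent": "w3wp.exe"},
    {"pid": 777, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "signer": "Microsoft Windows", "parent": "explorer.exe"},
]

# Constructed http.sys registrations (pid, URL prefix). The prefix used by the
# lookalike is invented for this example, not taken from the real sample.
SAMPLE_HTTP_LISTENERS = [
    {"pid": 4, "prefix": "http://+:80/"},
    {"pid": 4321, "prefix": "https://+:443/ews/healthcheck/"},
]


def lookalike_of(name, threshold=0.8):
    """Return the known binary name that `name` most closely imitates.

    An exact match is not a lookalike (it is judged by path and signature
    instead). Returns None when nothing scores at or above `threshold`.
    """
    name = name.lower()
    if name in KNOWN_BINARIES:
        return None
    best, score = None, 0.0
    for known in KNOWN_BINARIES:
        ratio = difflib.SequenceMatcher(None, name, known).ratio()
        if ratio > score:
            best, score = known, ratio
    return best if score >= threshold else None


def assess(processes, listeners):
    """Return [(pid, [reason, ...])] for processes an analyst should look at."""
    listener_pids = {entry["pid"] for entry in listeners}
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        reasons = []
        # Genuine name but wrong location: classic masquerading by path.
        expected = KNOWN_BINARIES.get(name)
        if expected and proc["path"].lower() != expected:
            reasons.append(f"runs from unexpected path {proc['path']}")
        # Near-miss name such as Wmdtc.exe for msdtc.exe.
        twin = lookalike_of(name)
        if twin:
            reasons.append(f"image name imitates {twin}")
        if proc["signer"] is None:
            reasons.append("image is unsigned")
        # An HTTP listener belongs to the web server, not to a service clone.
        if proc["pid"] in listener_pids and name not in WEB_SERVER_IMAGES:
            reasons.append("registered an HTTP listener but is not a web server")
        if proc["parent"].lower() in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {proc['parent']}")
        if reasons:
            findings.append((proc["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in assess(SAMPLE_PROCESSES, SAMPLE_HTTP_LISTENERS):
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

    Run stand-alone, only the constructed Wmdtc.exe process is reported, with all four reasons; the genuine msdtc.exe and notepad.exe produce nothing. Each check alone is weak (unsigned binaries and IIS-spawned children are common on a busy server), which is why the function returns every reason for a process rather than a single verdict: an analyst escalates on the combination.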

    Author DeepWeb
