REF2924 hackers change tactics and move to permanent access to the network

    Security researchers from Elastic Security Labs found that the REF2924 group has moved from espionage to maintaining permanent access inside targeted networks. Recently, the attackers added a new backdoor called NAPLISTENER to their arsenal.

    According to a report from Elastic Security Labs, REF2924 targets sites in South and Southeast Asia with NAPLISTENER.

    NAPLISTENER (Wmdtc[.]exe) is a C#-based backdoor that impersonates the Microsoft Distributed Transaction Coordinator (msdtc[.]exe) to evade detection and establish network persistence.

    The backdoor creates an HTTP request listener to accept and process incoming requests, filtering them so that malicious commands blend in with legitimate web traffic. In addition, NAPLISTENER reads the submitted data, decodes it and runs it in memory.
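As an added example (not code from the article or from Elastic's report), the following detector flags process-creation events whose image name imitates msdtc.exe, the way NAPLISTENER's Wmdtc.exe does, or that run a binary named msdtc.exe from outside System32; the event format, paths and sample events are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legitimate name and location of the Microsoft Distributed Transaction Coordinator.
LEGIT_NAME = "msdtc.exe"
LEGIT_DIR = r"c:\windows\system32"
MAX_EDITS = 2  # names within this edit distance of msdtc.exe are treated as look-alikes


@dataclass
class ProcessEvent:
    image: str  # full path of the started executable (constructed event format)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to catch near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event looks like msdtc.exe impersonation."""
    path = ev.image.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    if name == LEGIT_NAME:
        # Exact name: only suspicious when it runs from the wrong directory.
        return None if directory == LEGIT_DIR else "msdtc.exe outside System32"
    if levenshtein(name, LEGIT_NAME) <= MAX_EDITS:
        return f"look-alike of {LEGIT_NAME}: {name}"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (image, reason) pairs for every suspicious event."""
    return [(ev.image, reason) for ev in events if (reason := classify(ev))]


# Constructed sample events; only the second and third should be flagged.
SAMPLE = [
    ProcessEvent(r"C:\Windows\System32\msdtc.exe"),
    ProcessEvent(r"C:\Users\Public\Wmdtc.exe"),
    ProcessEvent(r"C:\Temp\msdtc.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE):
        print(f"{image}: {reason}")
```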

    Analysis of the NAPLISTENER source code, in particular identical debug strings and logic, indicates that the REF2924 operators borrowed code from a GitHub project called SharpMemshell.

    Along with NAPLISTENER, the group has used several additional tools in its recent campaigns. The attackers compromise Internet-accessible Microsoft Exchange servers to deploy several backdoors: SIESTAGRAPH, DOORME and ShadowPad.

    • DOORME is an IIS-based backdoor module that gives attackers remote access to the target network and lets them deploy more malware;
    • SIESTAGRAPH abuses the Microsoft Graph API to communicate with its C2 server via Outlook and OneDrive. The backdoor can upload files to and download files from OneDrive, as well as execute arbitrary commands through the command line;
    • ShadowPad is a successor to PlugX that allows attackers to establish persistence, run shell scripts on infected machines, and deploy additional payloads as needed.

    The use of open-source GitHub projects and legitimate online artifacts indicates that REF2924 is moving towards system persistence and defense evasion. Such attacks can be detected by deploying an EDR system to detect and investigate malicious activity on endpoints.

    Author DeepWeb