
Vietnamese public companies have been facing a targeted attack from a sophisticated group of hackers known as REF2754. This group of malicious actors, which is also known as APT32, Canvas Cyclone, Cobalt Kitty, and OceanLotus, has been identified as having links to a cybersecurity firm called CyberOne Group. The attack includes the use of a novel backdoor called SPECTRALVIPER, which is heavily obfuscated and has until now been unknown to the cybersecurity community.

According to a Friday report by Elastic Security Labs, SPECTRALVIPER is an x64 backdoor that allows for a variety of malicious activities, including PE loading and injection, file upload and download, file and directory manipulation, and token impersonation. It is designed to contact an attacker-controlled server and await further commands, while also using obfuscation techniques to resist analysis.

In order to deploy SPECTRALVIPER, the hackers use the SysInternals ProcDump utility to load an unsigned DLL file that contains DONUTLOADER. This, in turn, is configured to load SPECTRALVIPER as well as other malware such as P8LOADER and POWERSEAL. The former is written in C++ and is capable of launching arbitrary payloads from a file or from memory, while the latter is a purpose-built PowerShell runner that's designed to run PowerShell scripts or commands.

The tactics used by REF2754 are similar to those of another threat group known as REF4322. This group has been targeting Vietnamese entities to deploy a post-exploitation implant called PHOREAL, also known as Rizzo.

The Vietnam Cybersecurity Association has issued a warning to all Vietnamese public companies to be on the lookout for this threat, and to take precautions to protect their systems from malicious actors. Companies should ensure their systems are up to date with the latest security patches, and that they have a robust anti-virus and anti-malware solution in place.
Additionally, they should monitor their network activity closely to detect suspicious behavior, and take steps to secure access to sensitive data. Companies should also consider engaging a cybersecurity expert to audit their security posture and provide recommendations for further security measures.

It is clear that the threat posed by REF2754 is sophisticated and evolving. Companies must remain vigilant and take all necessary steps to protect their systems. The Vietnam Cybersecurity Association is committed to helping companies stay ahead of the threat, and will continue to provide helpful advice and information on how to protect against malicious cyber attacks.
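
For defenders monitoring endpoints, the deployment step described above (ProcDump loading an unsigned DLL) can be hunted for in image-load telemetry. The following is an added example, not code from Elastic Security Labs or the original report: it assumes Sysmon-style process-creation (ID 1) and image-load (ID 7) events exported as JSON lines, and all sample events, paths and the `EventID` key name are constructed.

```python
import json
import ntpath

# Constructed Sysmon-style events, one JSON object per line (all values illustrative).
# EventID 1 = process creation, EventID 7 = image (DLL) load.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "g1", "Image": "C:\\Tools\\procdump64.exe", "OriginalFileName": "procdump"}
{"EventID": 7, "ProcessGuid": "g1", "Image": "C:\\Tools\\procdump64.exe", "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "ProcessGuid": "g1", "Image": "C:\\Tools\\procdump64.exe", "ImageLoaded": "C:\\Tools\\sample.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 1, "ProcessGuid": "g2", "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "procdump"}
{"EventID": 7, "ProcessGuid": "g2", "Image": "C:\\Users\\Public\\svc.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 1, "ProcessGuid": "g3", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}
{"EventID": 7, "ProcessGuid": "g3", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Temp\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
"""

PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}


def is_procdump_process(event):
    """True if a process-creation event is ProcDump, even when the file was renamed."""
    name = ntpath.basename(event.get("Image", "")).lower()
    # Assumption: ProcDump's PE version resource reports OriginalFileName "procdump".
    original = event.get("OriginalFileName", "").lower()
    return name in PROCDUMP_NAMES or original.startswith("procdump")


def find_unsigned_loads(log_text):
    """Return (process image, loaded DLL) pairs where ProcDump loaded an unsigned module."""
    procdump_guids = set()  # ProcessGuids seen in ProcDump process-creation events
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] == 1 and is_procdump_process(ev):
            procdump_guids.add(ev["ProcessGuid"])
        elif ev["EventID"] == 7:
            by_name = ntpath.basename(ev.get("Image", "")).lower() in PROCDUMP_NAMES
            from_procdump = by_name or ev.get("ProcessGuid") in procdump_guids
            signed = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
            if from_procdump and not signed:
                hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for image, dll in find_unsigned_loads(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded unsigned module {dll}")
```

Correlating on `ProcessGuid` is what catches the renamed copy (`svc.exe` in the sample), since the image-load event alone only carries the on-disk process name.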