Elastic Security Labs details the REF2754 intrusion set, introducing SPECTRALVIPER, P8LOADER, and POWERSEAL and describing how they’re used together to load PE files, impersonate tokens, exfiltrate data, and perform file system manipulation. The research attributes the campaign to a Vietnamese state-affiliated threat and links it to Canvas Cyclone/APT32/OceanLotus. #SPECTRALVIPER #REF2754 #P8LOADER #POWERSEAL #APT32 #CanvasCyclone #OceanLotus #Vietnam
Key points
- The REF2754 intrusion set leverages multiple PE loaders, backdoors, and PowerShell runners.
- SPECTRALVIPER is a heavily obfuscated, x64 backdoor that enables PE loading/injection, file upload/download, file/directory manipulation, and token impersonation.
- Attribution ties the activity to a Vietnamese-based intrusion set aligned with Canvas Cyclone/APT32/OceanLotus.
- The execution flow includes using a renamed ProcDump loader to inject dbg.config into sessionmsg.exe and deploy SPECTRALVIPER followed by P8LOADER or POWERSEAL.
- SPECTRALVIPER operates in HTTP or pipe (named pipe) C2 modes, with AES encryption and DH/RSA key exchanges to secure communications.
- P8LOADER is a PE loader that can load from file or memory, injects into its own process, and can hook API calls for logging via a pipe.
- POWERSEAL is a lightweight PowerShell runner that bypasses AMSI/ETW and launches supplied PowerShell scripts or commands.
MITRE Techniques
- [T1055] Process Injection – SPECTRALVIPER can load and inject executable files, supporting both x86 and x64 architectures.
- [T1134] Access Token Manipulation – The malware possesses the ability to impersonate security tokens, granting elevated privileges. “The malware possesses the ability to impersonate security tokens, granting it elevated privileges…”
- [T1105] Ingress Tool Transfer – The malware downloads and uploads files to and from the compromised system. “File downloading/uploading: SPECTRALVIPER can download and upload files to and from the compromised system.”
- [T1036] Masquerading – The unsigned dbg.config DLL and its exports imitate legitimate assets, including a Windows component, to hide the malware’s presence. “The unsigned DLL (dbg.config) contained DONUTLOADER… The DLL was renamed/masqueraded…”
- [T1059.001] PowerShell – POWERSEAL uses PowerShell to execute scripts/commands supplied by the threat actor. “POWERSEAL’s primary function is to execute PowerShell…”
- [T1071.001] Web Protocols – In HTTP mode, SPECTRALVIPER beacons to and communicates with its C2 over HTTP. “In HTTP mode, the malware will beacon to its C2 every n seconds…”
- [T1027] Obfuscated/Compressed Files and Information – The malware uses multi-level obfuscation and AES decryption for strings and data. “The binary code is heavily obfuscated…”
Indicators of Compromise
- [Hash] 56d2d05988b6c23232b013b38c49b7a9143c6649d81321e542d19ae46f4a4204 – SPECTRALVIPER-related sample listed in the research
- [Hash] d1c32176b46ce171dbce46493eb3c5312db134b0a3cfa266071555c704e6cff8 – 1.dll related observable
- [Hash] 7e35ba39c2c77775b0394712f89679308d1a4577b6e5d0387835ac6c06e556cb – asdgb.exe sample
- [Hash] 4e3a88cf00e0b4718e7317a37297a185ff35003192e5832f5cf3020c4fc45966 – Settings.db / SPECTRALVIPER relation
- [Hash] 7b5e56443812eed76a94077763c46949d1e49cd7de79cde029f1984e0d970644 – MicrosoftEdge package related to SPECTRALVIPER
- [Hash] 5191fe222010ba7eb589e2ff8771c3a75ea7c7ffc00f0ba3f7d716f12010dd96 – UpdateConfig.json
- [Hash] 4775fc861bc2685ff5ca43535ec346495549a69891f2bf45b1fcd85a0c1f57f7 – Microsoft.OneDriveUpdatePackage.mca
- [Hash] 2482c7ececb23225e090af08feabc8dec8d23fe993306cb1a1f84142b051b621 – ms-certificates.sst
- [Domain] stablewindowsapp[.]com – C2 domain
- [Domain] webmanufacturers[.]com – C2 domain
- [Domain] toppaperservices[.]com – C2 domain
- [Domain] hosting-wordpress-services[.]com – C2 domain
- [Domain] appointmentmedia[.]com – C2 domain
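As an added defender-side example (not code from the Elastic Security Labs post), the following Python hunt refangs the C2 domains listed above and matches them, together with the listed sample hashes, against constructed DNS-log lines and a file-hash inventory; the log format, hostnames and file paths are assumptions.

```python
# Added example, not code from the Elastic Security Labs post: hunt for the REF2754
# indicators listed above in constructed DNS-log lines and a file-hash inventory.
import re
# Indicators copied from the list above (domains kept defanged as published).
SPECTRALVIPER_SHA256 = {
    "56d2d05988b6c23232b013b38c49b7a9143c6649d81321e542d19ae46f4a4204",
    "d1c32176b46ce171dbce46493eb3c5312db134b0a3cfa266071555c704e6cff8",
    "7e35ba39c2c77775b0394712f89679308d1a4577b6e5d0387835ac6c06e556cb",
    "4e3a88cf00e0b4718e7317a37297a185ff35003192e5832f5cf3020c4fc45966",
    "7b5e56443812eed76a94077763c46949d1e49cd7de79cde029f1984e0d970644",
    "5191fe222010ba7eb589e2ff8771c3a75ea7c7ffc00f0ba3f7d716f12010dd96",
    "4775fc861bc2685ff5ca43535ec346495549a69891f2bf45b1fcd85a0c1f57f7",
    "2482c7ececb23225e090af08feabc8dec8d23fe993306cb1a1f84142b051b621",
}
C2_DOMAINS_DEFANGED = {"stablewindowsapp[.]com", "webmanufacturers[.]com",
    "toppaperservices[.]com", "hosting-wordpress-services[.]com", "appointmentmedia[.]com"}

def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into its real, lowercase form."""
    return domain.replace("[.]", ".").lower().strip(".")

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
QNAME_RE = re.compile(r"qname=([A-Za-z0-9.-]+)")

def domain_matches(qname: str):
    """Return the C2 domain if qname equals it or is a subdomain of it, else None."""
    q = qname.lower().rstrip(".")
    return next((d for d in C2_DOMAINS if q == d or q.endswith("." + d)), None)

def dns_hits(log_lines):
    """(queried name, matched C2 domain) for each log line whose qname hits a C2 host."""
    hits = []
    for line in log_lines:
        m = QNAME_RE.search(line)
        if m and (d := domain_matches(m.group(1))):
            hits.append((m.group(1), d))
    return hits

def hash_hits(inventory):
    """path -> sha256 for inventory entries matching a known sample (case-insensitive)."""
    return {p: h.lower() for p, h in inventory.items() if h.lower() in SPECTRALVIPER_SHA256}

# Constructed sample telemetry, not from the report; paths and hosts are assumptions.
SAMPLE_DNS = [
    "2023-06-01T10:00:00Z host=WS01 qname=update.stablewindowsapp.com type=A",
    "2023-06-01T10:00:05Z host=WS01 qname=login.microsoftonline.com type=A",
    "2023-06-01T10:00:09Z host=WS02 qname=appointmentmedia.com. type=A"]
SAMPLE_INVENTORY = {r"C:\Users\Public\1.dll":
    "D1C32176B46CE171DBCE46493EB3C5312DB134B0A3CFA266071555C704E6CFF8",
    r"C:\Windows\notepad.exe": "0" * 64}
```

Subdomains of a listed C2 domain, trailing-dot FQDNs and upper-case hashes all match, so the same logic can be dropped over real DNS and EDR exports.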
Read more: https://www.elastic.co/security-labs/elastic-charms-spectralviper