A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.

According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments. But Naplistener — along with other new types of malware used by the group —appear "designed to evade network-based forms of detection," says Jake King, Elastic Security's director of engineering.

So, don't sleep on that defense-in-depth strategy.

Researchers observed Naplistener in the form of a new executable that was created and installed on a victim network as a Windows Service on Jan. 20. Threat actors created the executable, Wmdtc.exe, using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service.

A Focus on Detection Evasion

Naplistener is the latest in a series of new types of custom malware that Elastic researchers have observed REF2924 using in its attacks that support a particular focus on evading network-based detection, King says. What these new malware families all have in common is not only that they are based on open source technologies but also that they use familiar and legitimate network assets to mask their activities.

"A consistent theme to all these capabilities is the intention to hide in legitimate and expected forms of network communication, and [they] are installed to resemble the underlying services they abuse," King notes.

While other threat groups also adopt these approaches with custom malware, they do so "less often, and less consistently" than REF2924, he notes, demonstrating that REF2924 is betting heavily on avoiding detection for success.

"A unique observation of this threat actor is in the deep focus of evasion tactics," King says. "While many threats masquerade in similar ways, this threat pursues the methodology to an extreme and consistently uses these methodologies."

Custom Malware at a Glance

In addition to Naplistener, which mimics the behavior of Web servers on a network to hide itself, REF2924 also is wielding custom malware that Elastic Security tracks as SiestaGraph and Somnirecord, among others. The former is notable for using Microsoft cloud resources for command and control to evade detection, and the latter masquerades as DNS protocol traffic, King says.

"Organizations in the observed regions of impact who rely strictly on network-based methods of detection will struggle to identify these malware families," he adds.

Specifically, Naplistener creates an HTTP request listener that can process incoming requests from the Internet, read any data that was submitted, decode it from Base64 format, and execute it in memory, the researchers said.

As mentioned, it evades victims' attempts at network-based detection by behaving similarly to Web servers, operating between legitimate Web users and resembling normal Web traffic. It does this all without generating Web server log events, the researchers said.

Naplistener also relies on code present in public repositories for a variety of purposes, and it appears that REF2924 may be developing additional prototypes and production-quality code from open sources, they added.

Going Beyond Network-Level Detection

Because REF2024 is so focused on avoiding network-based detection methods, enterprises in its crosshairs can avoid compromise by the group primarily by prioritizing endpoint-based detection technologies, more commonly known as endpoint detection and response (EDR), King says.

Indeed, while EDR is not a new security strategy for many organizations in the US, in the region of the world where the group is operating, it is still in early stages of adoption, he says. This exposes these organizations to risk from the custom malware that the group is deploying.

"Organizations which rely on network technologies to detect threats will face significant challenges, and those are compounded relative to the complexity of their networks," King says. "In short: The more connections and types of connections, the harder it is for organizations to monitor them effectively; this is relatively quickly addressed with another host-based form of visibility."

Another technology that organizations can deploy to combat malware that can evade network-based detection is egress filtering, or limiting the kinds of outbound network communications they permit, King says.

However, he adds, "this is not a particularly scalable approach once an organization reaches a significant size, due to the large number of egress points they manage and the diversity of legitimate communication methods."