{
	"id": "71228441-1c0d-443d-bde7-9b6e1b654d47",
	"created_at": "2026-04-06T00:07:26.25171Z",
	"updated_at": "2026-04-10T03:37:26.372946Z",
	"deleted_at": null,
	"sha1_hash": "44c870d0591fc649a5698d933b0bbabf116397ec",
	"title": "REF2924: how to maintain persistence as an (advanced?) threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 264826,
	"plain_text": "REF2924: how to maintain persistence as an (advanced?) threat\r\nBy Remco Sprooten\r\nPublished: 2023-03-27 · Archived: 2026-04-05 19:05:11 UTC\r\nPreamble\r\nIn recent months, there has been a noticeable shift in the nature of the incidents being tracked under REF2924.\r\nInitially, the attacker employed custom, purpose-built malware. As the attack evolved, we observed the same\r\ngroup resorting to the use of open source tools or publicly available source code as a basis for developing new\r\ncapabilities.\r\nKey takeaways\r\nThe attacker has shifted from using custom malware to open source tools or publicly available source code\r\nto develop new capabilities.\r\nThe attacker has also deployed open source tools like TFirewall and AdFind in the victim's\r\nenvironment.\r\nIn order to maintain persistence, the attacker has deployed multiple different tools and techniques.\r\n.NET Webshell\r\nOn February 16th, 2023 Elastic Security Labs observed the Microsoft .NET compiler (csc.exe) being used to\r\ncompile a DLL file. The output was identified by Elastic Defend as a malicious file. Analysts who may have\r\nobserved dynamic runtime compilation of .NET web shells should note that this was performed by the operator,\r\nnot automatically by the system.\r\nThe attacker uses the C# compiler to prepare a .NET webshell for use\r\nThe resulting output file was named App_Web_lgntop.aspx.ec688436.pkx46see.dll\r\n(a50ca8df4181918fe0636272f31e19815f1b97cce6d871e15e03b0ee0e3da17b) and was the subject of malware\r\nanalysis.\r\nAnalysis\r\nThe web shell requires a small amount of pre-configuration to ensure it listens for the correct URI. 
In this case the\r\npath will be \"~/auth/Current/themes/resources/lgntop.aspx\".\r\nhttps://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat\r\nPage 1 of 5\n\nRegistering the URI\r\nThis path is expected on Microsoft Exchange Outlook Web Access (OWA) sites, so it was likely selected to blend\r\nin with the OWA service that is running on the target server. Once a web request is received it is processed by the\r\nfollowing method.\r\nRequest processing method.\r\nThis method checks if a specific HTTP header named XFF is present in the request headers. If it is present and its\r\nvalue, after passing through an MD5 hash function and a substring function, matches the string\r\n\"19267E61029B4546\", then the method proceeds to execute the rest of the code. The string is likely used as an\r\nauthentication key to prevent others from using the webshell.\r\nWithin the if statement, the method reads the binary data from the request body using the BinaryRead method\r\nand stores it in a byte array. It then creates a string containing the fully qualified name of a .NET type that the code\r\nwants to load and gets a reference to that type using the Type.GetType method. The byte array in the image is the\r\nASCII code representation of the text \"System.Reflection.Assembly\". This way of presenting the code is done\r\nin order to avoid string-based detection. The System.Reflection.Assembly class provides methods and\r\nproperties to load, examine, and manipulate assemblies at runtime.\r\nThe code obtains a reference to a method named Load in the loaded type and invokes it using the Invoke\r\nmethod. The Load method takes a byte array as a parameter, which the code decrypts using a Decrypt method\r\n(not shown in this publication). The result of the Load method invocation is stored in an object variable.\r\nThe code then gets a reference to another method named CreateInstance in the loaded type and invokes it using\r\nthe Invoke method. 
The CreateInstance method takes a string as a parameter, which the code constructs from\r\na byte array containing the ASCII codes for the string U. The result of the CreateInstance method invocation is\r\nstored in an object variable.\r\nFinally, the code calls the Equals method on the object, passing in the current object. Because Equals will call\r\nGetType on the object, this approach is a way to indirectly call functions covertly.\r\nThe Encrypt and Decrypt functions include a hard-coded key.\r\nThe Encrypt function\r\nSources\r\nThe key \"e45e329feb5d925b\" is the result of taking the first half of the MD5 hash of the string \"rebeyond\". The\r\nstring \"rebeyond\" refers to the developer of the Behinder web shell framework. This key is also the default value\r\nwhen you generate a shell template using the Behinder or derivative Godzilla webshell frameworks.\r\nPersistence module\r\nOn February 13, 2023, we observed a new persistent malware called kavUpdate.exe written in .NET with an\r\nexceptionally small footprint (about 6Kb compiled). We believe this software was developed specifically for this\r\nenvironment by the threat. Elastic Security Labs observed this binary persisting via a Scheduled Task, though\r\nother mechanisms would likely be compatible.\r\nAnalysis\r\nThis code is designed with the sole purpose of executing a set of predefined commands. The malware checks the\r\ncurrent day and hour, and if it is Monday or Thursday at 5am, it will execute a series of commands:\r\n1. Delete the user 'norshasa'\r\n2. Add the user 'norshasa' with the password 'P@ssw0rd123...'\r\n3. Activate the user 'norshasa'\r\n4. Add the user 'norshasa' to the Domain Admins group\r\n5. Add the user 'norshasa' to the Remote Desktop Users group\r\n6. 
Create a full backup of NTDS in the C:\\ProgramData\\temp folder\r\n7. On the same days of the week, one hour later at 6am, delete the user 'norshasa'.\r\nOpen source tools\r\nOn January 2nd, 2023 the threat deployed TFirewall in the victim's environment. TFirewall is a testing tool\r\ndesigned to evaluate whether hosts can establish a SOCKS5 proxy within an intranet environment while allowing\r\nfor outbound network communication through specific ports. Developed using Golang, TFirewall consists of\r\na client and server component and is compatible with multiple operating systems.\r\nAlong with TFirewall, we observed that the attacker used the free tool AdFind. AdFind is a command line utility\r\nfor querying Active Directory and other directory services. AdFind can be run on Windows 7 or newer and\r\nrequires no special security permissions beyond the ability to launch executables. It's written in C++ and compiled\r\nwith Visual Studio 2022. The source code is not available.\r\nThe binary is quickly identifiable based on its hash\r\n(114b37df703d46a44de0bc96afab8b8590e59a3c389558dd531298e5dd275acb). During execution, we recognized\r\nthe use of AdFind-specific command line flags and parameters:\r\nAdFind Parameters\r\nOn March 6th, 2023 we observed a process named nat.exe. Initially, the file was only identified as generically\r\nmalicious. However, if we take a closer look at the command line parameters that are used during execution, we\r\nget a hint as to which tool the attacker is using.\r\nCommandline parameters for nat.exe\r\nBased on these arguments, we can safely conclude it's a packed version of the Impacket tool secretsdump.\r\nImpacket contains a collection of Python classes for working with network protocols. 
Impacket is commonly used\r\nto carry out a variety of tasks related to network security and penetration testing, though it may also be abused by\r\nthreat actors.\r\nUsing the same approach (examining the command line parameters), we identified the use of the tool\r\nNTDSDumpEx, which was run with the command line arguments that tool uses:\r\nCommandline arguments for NTDSDumpEx\r\nNTDSDumpEx is capable of extracting data from the Active Directory NTDS.dit database in its offline state,\r\nmeaning the database does not have to be running. It can extract information such as user accounts, group\r\nmemberships, access control lists, and other directory objects.\r\nBackground\r\nThroughout the attack we witnessed a combination of TTPs that provide a recognizable fingerprint. For example,\r\nthe way the attacker exported mailboxes is described in detail in this blog post. We also see a strong resemblance\r\nin the way credentials from LSASS are being exported, as described here. The majority of the commands and\r\ntools deployed by the attacker are well described on the same GitHub user's tips repository.\r\nWe also note that the technique used to deploy NAPLISTENER is described here and the deployment method for\r\nmalicious IIS modules like DOORME can be found in this blog post. 
And lastly, a post on Godzilla and Behinder\r\nweb shells in Exchange servers closely reflects how these capabilities were implemented within targeted\r\nenvironments.\r\nDuring malware analysis of the SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD families, we also\r\nidentified open source repositories that at minimum served as the inspiration for these payloads and which have\r\nbeen described in other publications from Elastic Security Labs.\r\nWe conclude that the attackers are at the very least regular consumers of blogs and open source repositories, both\r\nof which have contributed to the rapid pace of this threat's activities.\r\nDetection logic\r\nThe following prebuilt protections are available from Elastic:\r\n- AdFind Command Activity\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below is the YARA rule that identifies the Behinder\r\nweb shell.\r\nrule Windows_Trojan_Behinder {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2023-03-02\"\r\n        last_modified = \"2023-03-02\"\r\n        description = \"Web shell found in REF2924, related to Behinder or Godzilla\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"Behinder\"\r\n        threat_name = \"Windows.Trojan.Behinder\"\r\n        License = \"Elastic License v2\"\r\n        reference_sample = \"a50ca8df4181918fe0636272f31e19815f1b97cce6d871e15e03b0ee0e3da17b\"\r\n    strings:\r\n        // ASCII bytes of \"System.Reflection.Assembly\", which the shell hides as a byte array instead of a string literal\r\n        $load = { 53 79 73 74 65 6D 2E 52 65 66 6C 65 63 74 69 6F 6E 2E 41 73 73 65 6D 62 6C 79 }\r\n        // Default Behinder/Godzilla key: first half of MD5(\"rebeyond\")\r\n        $key = \"e45e329feb5d925b\" ascii wide\r\n    condition:\r\n        all of them\r\n}\r\nSource: https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat"
	],
	"report_names": [
		"ref2924-howto-maintain-persistence-as-an-advanced-threat"
	],
	"threat_actors": [
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44c870d0591fc649a5698d933b0bbabf116397ec.pdf",
		"text": "https://archive.orkl.eu/44c870d0591fc649a5698d933b0bbabf116397ec.txt",
		"img": "https://archive.orkl.eu/44c870d0591fc649a5698d933b0bbabf116397ec.jpg"
	}
}