"Custom 'Naplistener' Malware a Nightmare for Network-Based Detection"

A group tracked by Elastic Security Labs as REF2924 is using new data-stealing malware, a C#-written HTTP listener named Naplistener, in attacks against victims in southern and southeast Asia. According to Elastic's senior security research engineer Remco Sprooten, network-based detection and prevention technologies are the main method for securing environments in that part of the world. However, Naplistener and other new malware used by the group appear "designed to evade network-based forms of detection," according to Jake King, head of engineering at Elastic Security. On January 20, researchers detected Naplistener in the form of a new executable that was built and installed as a Windows Service on a victim network. Threat actors created the executable Wmdtc.exe with a naming convention similar to that of the official binary used by the Microsoft Distributed Transaction Coordinator service. This article continues to discuss researchers' findings and observations regarding Naplistener. 
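The masquerade described above (a service binary whose name mimics a legitimate Windows system binary) is something a defender can hunt for in a service inventory. The following is an added example, not Elastic's or Dark Reading's code; it assumes a CSV export of service names and paths (constructed inline here) and a hypothetical short baseline of known system binaries, and flags near-matches by edit distance or genuine names loaded from outside System32.

```python
import csv
import io
import ntpath

# Constructed sample export (assumption: something like
# Get-CimInstance Win32_Service | Select Name,PathName | Export-Csv).
SAMPLE_CSV = """Name,PathName
MSDTC,C:\\Windows\\System32\\msdtc.exe
Wmdtc,C:\\ProgramData\\Wmdtc\\Wmdtc.exe
Spooler,C:\\Windows\\System32\\spoolsv.exe
EventLog,C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
"""

# Hypothetical baseline; a real deployment would use a fuller list.
KNOWN_SYSTEM_BINARIES = {"msdtc.exe", "spoolsv.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def binary_from_pathname(pathname: str) -> str:
    """Strip service arguments and surrounding quotes, keep the executable path."""
    p = pathname.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ", 1)[0]

def find_lookalike_services(csv_text: str, max_distance: int = 2) -> list:
    """Return (service, path, mimicked binary) for service binaries whose file
    name is a near-match of a known system binary, or an exact match that is
    not loaded from System32."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe_path = binary_from_pathname(row["PathName"])
        exe = ntpath.basename(exe_path).lower()
        in_system32 = exe_path.lower().startswith(SYSTEM_DIR)
        for known in KNOWN_SYSTEM_BINARIES:
            d = edit_distance(exe, known)
            if d == 0 and in_system32:
                break  # the genuine binary in its expected location
            if d <= max_distance:
                hits.append((row["Name"], exe_path, known))
                break
    return hits
```

Running `find_lookalike_services(SAMPLE_CSV)` flags only the constructed `Wmdtc` service, since its binary name is two edits away from `msdtc.exe` and it lives outside System32.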

Dark Reading reports "Custom 'Naplistener' Malware a Nightmare for Network-Based Detection"
