PHOREAL malware targets the Southeast Asian financial sector


Elastic Security discovered PHOREAL malware, which is targeting Southeast Asian financial organizations, particularly those in the Vietnamese financial sector. Given the continuous pace of malware development, it's no surprise that adversarial groups leverage successful campaigns as the basis for developing future attacks, and the recently discovered backdoor campaign targeting Vietnamese financial services is no exception.

The Elastic Security research team recently observed adversaries using a new method of loading the PHOREAL/RIZZO payload into memory as an evasion tactic. Because of this new technique, we are tracking this activity group as REF4322.

See the detailed outline of the malware payload in our long-form security research post.


Since 2014, APT32 has been active in targeting multiple private sector industries alongside governments and institutions, with a focus on Southeast Asia. MITRE documents the threat group in substantial detail, including its common tactics and techniques.

PHOREAL/RIZZO is a backdoor allowing initial victim characterization and follow-on, post-exploitation operations to compromise the confidentiality of organizations’ data. It has been reported in other research as being used exclusively by APT32 (a.k.a. SeaLotus, OceanLotus, APT-C-00, G0050).

Elastic Security response

The Elastic Security research team identified this payload when investigating a specific cluster of Windows memory protection shellcode alerts. The alerts had unique properties attributed to a specific Microsoft-signed target process.

Generally, when we observe false positives for the shellcode protections, they are identified across a broad user base and, in many cases, attributed to various gaming anti-cheat or Digital Rights Management (DRM) mechanisms. In this case, a single cluster and a Microsoft-signed target process were atypical of a false positive.
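The triage reasoning above can be expressed as a prevalence check. The following is an added sketch, not Elastic's detection logic or code from the original post: the alert field names, the sample alerts, the signer strings and the `broad_org_threshold` value are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: signer subject strings treated as Microsoft-signed.
MICROSOFT_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Constructed sample alerts. Field names are hypothetical, not a product schema.
SAMPLE_ALERTS = (
    [{"org": f"org-{i}", "host": f"pc-{i}", "target_process": "game_client.exe",
      "target_signer": "Example Anti-Cheat Ltd"} for i in range(8)]
    + [{"org": "org-3", "host": h, "target_process": "signed_system_binary.exe",
        "target_signer": "Microsoft Windows"} for h in ("fin-01", "fin-02", "fin-07")]
    + [{"org": "org-5", "host": "pc-5", "target_process": "media_player.exe",
        "target_signer": "Example DRM Inc"}]
)

def triage_shellcode_alerts(alerts, broad_org_threshold=5):
    """Group alerts by target process and rate each group by prevalence and signer."""
    groups = defaultdict(lambda: {"orgs": set(), "hosts": set(), "signers": set()})
    for alert in alerts:
        g = groups[alert["target_process"]]
        g["orgs"].add(alert["org"])
        g["hosts"].add(alert["host"])
        g["signers"].add(alert["target_signer"])

    verdicts = {}
    for process, g in groups.items():
        # Every alert in the group must name a Microsoft signer.
        ms_signed = bool(g["signers"]) and g["signers"] <= MICROSOFT_SIGNERS
        if len(g["orgs"]) >= broad_org_threshold:
            # Seen across a broad user base: the usual false-positive shape.
            verdict = "likely_false_positive"
        elif len(g["orgs"]) == 1 and ms_signed:
            # Single cluster plus a Microsoft-signed target: atypical of a false positive.
            verdict = "investigate"
        else:
            verdict = "manual_review"
        verdicts[process] = {"verdict": verdict, "orgs": len(g["orgs"]),
                             "hosts": len(g["hosts"])}
    return verdicts

if __name__ == "__main__":
    for process, info in sorted(triage_shellcode_alerts(SAMPLE_ALERTS).items()):
        print(process, info)
```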

The research culminated in the successful development of signatures for Elastic Security customers, alongside detailed defensive recommendations for those impacted.

Further reading & resources

To learn more, review the Elastic Security team's detailed summary of the REF4322 payload, along with steps for recovery, detection and mitigation.

Existing Elastic Security customers can access these capabilities within the product. If you’re new to Elastic Security, take a look at our Quick Start guides (bite-sized training videos to get you started quickly) or our free fundamentals training courses. You can always get started with a free 14-day trial of Elastic Cloud, or download the self-managed version of the Elastic Stack for free.