Symantec researchers reported that the Lancefly APT group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, as part of a long-running campaign.
The highly-targeted attacks aim at organizations in government, aviation, education, and telecom sectors. The intelligence-gathering campaign started in mid-2022 and is likely still ongoing.
“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reads the analysis published by Symantec. “Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted.”
The threat actors have also employed an updated version of the ZXShell rootkit.
Merdoor is a fully-featured backdoor that supports multiple capabilities, including installing itself as a service, keylogging, a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), and the ability to listen on a local port for commands.
The instances of the Merdoor backdoor analyzed by the researchers differ only in their embedded, encrypted configuration, which specifies the C2 communication method, the service details, and the installation directory.
The experts reported that the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.
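The runtime behaviour described above (injection into perfhost.exe or svchost.exe, multi-protocol C2, and listening on a local port) can be turned into host-level detection heuristics. The following is an added example, not code from the Symantec report or from Security Affairs; the event schema, the sample telemetry and the "common port" allowlist are all assumptions constructed for illustration.

```python
import ntpath

# Constructed sample telemetry (not real IOCs), loosely modelled on Sysmon process-create
# and network-connect events plus a listener record; field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"type": "process", "image": r"C:\Users\Public\svchost.exe", "parent": "explorer.exe"},
    {"type": "net", "image": r"C:\Windows\System32\perfhost.exe", "dst": "198.51.100.7", "port": 53, "proto": "udp"},
    {"type": "net", "image": r"C:\Windows\System32\svchost.exe", "dst": "198.51.100.7", "port": 443, "proto": "tcp"},
    {"type": "net", "image": r"C:\Windows\System32\svchost.exe", "dst": "198.51.100.9", "port": 8443, "proto": "tcp"},
    {"type": "listen", "image": r"C:\Windows\System32\perfhost.exe", "port": 4444, "proto": "tcp"},
]

HOST_PROCESSES = {"perfhost.exe", "svchost.exe"}  # injection targets named in the report
SYSTEM32 = r"c:\windows\system32"
COMMON_PORTS = {53, 80, 443}  # assumption: legitimate svchost egress normally uses these


def reasons_for(ev: dict) -> list[str]:
    """Return heuristic reasons an event resembles Merdoor-style abuse (empty if none)."""
    image = ev["image"]
    name = ntpath.basename(image).lower()
    if name not in HOST_PROCESSES:
        return []
    out = []
    # A copy of a system binary outside System32 is masquerading, not the real host process.
    if ntpath.dirname(image).lower() != SYSTEM32:
        out.append(f"{name} running from non-standard path {ntpath.dirname(image)}")
    # Genuine svchost.exe is started by services.exe; note that code injected into a real
    # svchost will not trip this check, which is why the network rules below matter.
    if ev["type"] == "process" and name == "svchost.exe" and ev["parent"].lower() != "services.exe":
        out.append(f"svchost.exe spawned by {ev['parent']} instead of services.exe")
    if ev["type"] == "net":
        if name == "perfhost.exe":  # perfhost.exe has no business initiating C2-like traffic
            out.append("perfhost.exe initiated an outbound connection")
        elif ev["port"] not in COMMON_PORTS:
            out.append(f"svchost.exe egress to uncommon port {ev['port']}/{ev['proto']}")
    if ev["type"] == "listen":  # the report says Merdoor can wait for commands on a local port
        out.append(f"{name} listening on local port {ev['port']}/{ev['proto']}")
    return out


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Flatten (image, reason) pairs for every event that trips at least one heuristic."""
    return [(ev["image"], r) for ev in events for r in reasons_for(ev)]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Each rule is a heuristic that needs baselining against the environment; the port allowlist in particular will need tuning, since the report notes Merdoor can use HTTP, HTTPS and DNS, which may ride on standard ports.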
The Merdoor dropper is distributed as a self-extracting RAR (SFX) archive containing three files: a legitimate, signed binary vulnerable to DLL search-order hijacking, a malicious loader (the Merdoor loader), and an encrypted .pak file containing the final payload (the Merdoor backdoor).
The attack chain employed in 2020 started with a phishing email with a lure based on the 37th ASEAN Summit. In more recent attacks, the APT group likely used phishing lures, SSH brute-forcing, or the exploitation of exposed public-facing servers.
Lancefly APT used multiple non-malware techniques for credential theft on victim machines, including:
The group was spotted using a “masqueraded version” of WinRAR to stage and encrypt files before exfiltration.
Investigating possible links to other groups, the experts noticed that the ZXShell rootkit used by the Lancefly APT group is signed with a certificate in the name of “Wemade Entertainment Co. Ltd”, which was also used by the China-linked APT41 (aka Blackfly/Grayfly) group. The ZXShell backdoor has previously been used by the HiddenLynx/APT17 group as well, but the experts pointed out that the source code of ZXShell is now publicly available, which weakens it as an attribution signal.
Lancefly was also observed using both the PlugX and ShadowPad backdoors, both commonly associated with operations conducted by China-linked APT groups.
“The tools used and sectors targeted all point to the motivations of this attack campaign being intelligence gathering. The similarities between this recent activity and earlier activity by Lancefly indicate that the group perhaps did not realize the earlier activity had been discovered, so it was not concerned about links being made between the two,” concludes the report, which also includes Indicators of Compromise (IOCs). “Whether or not the exposure of this activity will lead to any alteration in how the group carries out its activity remains to be seen.”