The advanced persistent threat (APT) group known as Lancefly has been observed deploying a custom-written backdoor in attacks targeting organizations in South and Southeast Asia.
According to new research from Symantec’s Threat Hunter Team, these campaigns have been ongoing for several years.
“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reads an advisory published by the company earlier today.
“Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.”
Symantec said that over the years the backdoor has appeared on only a handful of networks and machines, indicating highly targeted use. The attackers in this campaign were also equipped with an updated version of the ZXShell rootkit.
“The targets in this most recent activity, which began in mid-2022 and continued into 2023, are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms,” Symantec added.
The company clarified that the Merdoor backdoor was used in attacks targeting victims in the government, communications and technology sectors in the same geographical regions in 2020 and 2021.
“Like this new activity, that activity also appeared to be highly targeted, with only a small number of machines infected.”
Technically, Merdoor disguises itself as a legitimate service and has keylogging capabilities. It can communicate with its command-and-control (C2) server via several methods and listen for commands on a local port.
The backdoor is typically injected into legitimate processes and is distributed via a self-extracting RAR dropper that contains a legitimate but vulnerable binary, a malicious loader (Merdoor loader) and an encrypted file (Merdoor backdoor). Symantec also wrote that some dropper variants abuse older versions of legitimate applications for DLL sideloading.
“While the Merdoor backdoor appears to have been in existence for several years, it seems to only have been used in a small number of attacks in that time period,” reads the advisory. “This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.”
Symantec’s discovery comes a few months after threat researchers at EclecticIQ shed light on a new Dark Pink campaign targeting government entities in ASEAN (Association of Southeast Asian Nations) countries.
Some parts of this article are sourced from:
www.infosecurity-journal.com