Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs
Lancefly APT Group Targets Southeast Asia Organizations With Custom-Written Malware
A threat actor is using a custom-made backdoor to target organizations operating in South and Southeast Asia. Sectors at immediate risk include government, aviation, education and telecommunications.
The Lancefly APT group uses custom-written malware dubbed Merdoor by researchers at Symantec's Threat Hunter Team.
"The motivation behind previous campaigns is believed to be intelligence gathering," the researchers said.
Attackers in the latest campaign have access to an updated version of the ZXShell rootkit, capable of disabling additional antivirus software.
Merdoor's functionality includes keylogging and using various methods to communicate with its command-and-control server, and it is capable of listening on a local port for commands.
Researchers found that instances of the Merdoor backdoor are identical except for their method of communicating with the C2 server, their service details and their installation directory. They said the backdoor typically injects its code into the legitimate Windows processes
The Merdoor dropper is a self-extracting archive that contains three files: a signed binary vulnerable to DLL search-order hijacking, a malicious loader known as the Merdoor loader, and an encrypted file containing the final payload, which is the Merdoor backdoor.
When executed, the dropper extracts embedded files and runs a legitimate binary to load the Merdoor loader. The researchers saw the dropper using older versions of five different legitimate applications for DLL sideloading, including McAfee SiteAdvisor, Sophos SafeStore Restore, Google Chrome Frame, Avast wsc_proxy and Norton Identity Safe.
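The sideloading chain described above lends itself to a simple detection heuristic. The following is an added example written for this page, not code from Symantec or from Lancefly tooling: it scans constructed image-load records (field names mirror Sysmon Event ID 7, but every path, file name and record is made up) and flags a signed executable that loads an unsigned DLL from its own directory instead of the Windows system directories, with an extra note when the host runs from a user-writable path.

```python
# Added example (not from the Symantec write-up): heuristic for the DLL
# search-order hijacking pattern the Merdoor dropper relies on. All records
# below are constructed; "host.exe", "helper.dll" etc. are hypothetical names.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

SYSTEM_DIRS = {PureWindowsPath(p) for p in
               (r"C:\Windows\System32", r"C:\Windows\SysWOW64")}
# A signed host running from a user-writable folder is itself unusual and
# matches a self-extracting dropper that unpacks into a throwaway directory.
USER_WRITABLE_ROOTS = (PureWindowsPath(r"C:\Users"),
                       PureWindowsPath(r"C:\ProgramData"))

@dataclass
class ImageLoad:
    image: str           # executing binary (Sysmon "Image")
    image_signed: bool   # Authenticode status of that binary
    image_loaded: str    # DLL mapped into it (Sysmon "ImageLoaded")
    dll_signed: bool     # Authenticode status of the DLL

def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string when the load looks like a sideload, else None."""
    exe_dir = PureWindowsPath(ev.image).parent
    dll_dir = PureWindowsPath(ev.image_loaded).parent
    if dll_dir in SYSTEM_DIRS:
        return None   # resolved to the system copy: the expected search-order result
    # The pattern: signed host plus an unsigned DLL sitting beside it
    if not (ev.image_signed and not ev.dll_signed and dll_dir == exe_dir):
        return None
    reason = "signed host loaded unsigned DLL from its own directory"
    if any(root in exe_dir.parents for root in USER_WRITABLE_ROOTS):
        reason += "; host runs from a user-writable path"
    return reason

def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (loaded DLL path, reason) for every suspicious record."""
    return [(ev.image_loaded, r) for ev in events if (r := classify(ev))]

SAMPLE_EVENTS = [  # constructed records with hypothetical paths
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Program Files\Vendor\plugin.dll", True),
    ImageLoad(r"C:\Users\Public\Libraries\host.exe", True,
              r"C:\Users\Public\Libraries\helper.dll", False),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_EVENTS):
        print(f"{path}: {reason}")
```

Signature status and DLL names must come from real telemetry; the heuristic only orders the triage, it does not prove a loader is malicious.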
The ZXShell rootkit used by Lancefly is signed by the certificate "Wemade Entertainment Co. Ltd," previously associated with APT41, also known as BlackFly.
"It is known that Chinese APT groups, such as APT41, often share certificates with other APT groups. The ZXShell backdoor has also previously been used by the HiddenLynx/APT17 group, but as the source code of ZXShell is now publicly available this does not provide a definitive link between these two groups," the researchers said.