The advanced persistent threat (APT) group known as Lancefly has been observed deploying a custom-written backdoor in attacks targeting organizations in South and Southeast Asia.
According to new data from Symantec's Threat Hunter Team, these campaigns have been ongoing for several years.
"Lancefly's custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018," reads an advisory published by the company earlier today.
"Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this newer campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering."
Symantec explained that over the years the backdoor has only appeared on a handful of networks and machines, indicating highly targeted usage. The attackers in this campaign were also equipped with an updated version of the ZXShell rootkit.
"The targets in this most recent activity, which began in mid-2022 and continued into 2023, are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms," Symantec added.
The company clarified that the Merdoor backdoor was used in attacks targeting victims in the government, communications and technology sectors in the same geographical locations in 2020 and 2021.
"Like this recent activity, that activity also appeared to be highly targeted, with only a small number of machines infected."
Technically, Merdoor disguises itself as a legitimate service and has keylogging capabilities. It can communicate with its command-and-control (C2) server by various methods and listen for commands on a local port.
The backdoor is typically injected into legitimate processes and distributed via a self-extracting RAR dropper containing a vulnerable binary, a malicious loader (Merdoor loader) and an encrypted file (Merdoor backdoor). Symantec also wrote that some dropper variants exploit older versions of legitimate applications for DLL sideloading.
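The dropper pattern described above (a legitimate, signed but vulnerable binary extracted together with an unsigned loader DLL) leaves a recognizable trace in image-load telemetry. The following is an added illustration, not code from Symantec or the advisory: a small Python triage over constructed Sysmon-style ImageLoad events that flags a signed executable loading an unsigned DLL from its own, user-writable directory. Field names, paths and the user-writable prefixes are assumptions.

```python
from dataclasses import dataclass
import ntpath

# Assumption: directories an SFX dropper would typically extract into.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ImageLoad:
    image: str          # process that performed the load (Sysmon "Image")
    image_signed: bool  # signature state of that process binary
    loaded: str         # DLL that was loaded (Sysmon "ImageLoaded")
    loaded_signed: bool


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed EXE + unsigned DLL from the same user-writable directory.

    That combination matches the "vulnerable legitimate binary beside a
    malicious loader" layout of an SFX dropper; a normally installed copy
    of the same application resolves the DLL from a system directory.
    """
    img, dll = ev.image.lower(), ev.loaded.lower()
    same_dir = ntpath.dirname(img) == ntpath.dirname(dll)
    return (ev.image_signed and not ev.loaded_signed
            and same_dir and img.startswith(USER_WRITABLE))


def triage(events):
    """Return the paths of every DLL load that looks like a sideload."""
    return [ev.loaded for ev in events if is_sideload_candidate(ev)]


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # signed legacy app dropped into a temp folder, loading an unsigned DLL beside it
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\RarSFX0\legacy_app.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\RarSFX0\version.dll", False),
    # benign: same app installed normally, DLL resolved from System32
    ImageLoad(r"C:\Program Files\LegacyApp\legacy_app.exe", True,
              r"C:\Windows\System32\version.dll", True),
    # benign: unsigned dev tool loading its own unsigned helper from the user's dir
    ImageLoad(r"C:\Users\alice\tools\devtool.exe", False,
              r"C:\Users\alice\tools\helper.dll", False),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit)
```

Only the first constructed event is flagged; the heuristic is a starting point for hunting, not proof of compromise, and should be confirmed against the loaded DLL's hash and behaviour.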
"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," reads the advisory. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."
Symantec's discovery comes several months after threat researchers at EclecticIQ shed light on a new Dark Pink campaign targeting government entities in ASEAN (Association of Southeast Asian Nations) countries.