11.8 C
Thursday, April 25, 2024

Unveiling the Power-Packed Merdoor: Lancefly APT Group’s Custom Backdoor Wreaks Havoc in South and Southeast Asia

APT group

The Lancefly APT group has emerged as a formidable threat, employing a custom-written backdoor known as Merdoor, which is unleashing havoc on organizations across South and Southeast Asia.

Symantec researchers have shed light on this ongoing, highly-targeted campaign that targets government bodies, aviation companies, educational institutions, and telecom sectors. Let’s delve into the details and unravel the sophisticated techniques used by Lancefly APT.

- Advertisement -

Merdoor: The Sinister Backdoor

Evolution and Utilization

Symantec’s analysis highlights that Merdoor, a powerful backdoor, has been in existence since 2018. Its deployment was observed in 2020, 2021, and most recently in the first quarter of 2023, suggesting a sustained and targeted offensive. This advanced malware is deployed selectively, infiltrating only a limited number of networks and machines over the years.

Capabilities and Functionality

Merdoor boasts an impressive array of features, including the ability to install itself as a service, keylogging capabilities, diverse communication methods with its command-and-control server (HTTP, HTTPS, DNS, UDP, TCP), and the capacity to listen for commands on a local port.

Infection Techniques

To penetrate victim systems, Merdoor is injected into legitimate processes such as perfhost.exe or svchost.exe, enabling it to remain undetected within the system.

The Intricate Attack Chain

Deployment and Payload

The Merdoor dropper is disseminated as a self-extracting RAR (SFX) file, comprising three essential components: a vulnerable and signed binary susceptible to DLL search-order hijacking, a malicious loader (Merdoor loader), and an encrypted file (.pak) housing the final payload (Merdoor backdoor).

Initial Access Techniques

The attack chain employed in 2020 involved phishing emails leveraging the 37th ASEAN Summit as bait. Recent attacks by the APT group likely employed phishing lures, SSH brute-forcing, or the exploitation of exposed public-facing servers.

Lancefly APT’s Arsenal of Non-Malware Techniques

Credential Theft Strategies

The Lancefly APT group employs multiple non-malware techniques for credential theft on compromised machines, including:

  • PowerShell usage to launch rundll32.exe for memory dumping, particularly targeting LSASS memory.
  • Utilization of Reg.exe to dump the SAM and SYSTEM registry hives.
  • Installation of a legitimate Avast tool by the attackers to facilitate LSASS memory dumping.

File Exfiltration Tactics

Lancefly APT ingeniously employs a “masqueraded version” of WinRAR to stage and encrypt files before exfiltration, further complicating detection and analysis.

Connections and Future Implications

Links to Other APT Groups

Researchers investigating possible connections discovered that the ZXShell rootkit used by the Lancefly APT group shares a signature with the “Wemade Entertainment Co. Ltd” certificate. This certificate was previously associated with the China-linked APT41 (aka Blackfly/Grayfly) group. Additionally, the HiddenLynx/APT17 group has also utilized the ZXShell backdoor. Notably, the source code for ZXShell is now publicly available, potentially allowing wider access.

Tools and Motivations

The Lancefly APT group has exhibited the use of both PlugX and ShadowPad backdoors, which are typically linked to APT operations originating from China. The choice of tools and sectors targeted strongly indicates the group’s primary objective is intelligence gathering.


As Lancefly APT’s campaign continues unabated, the revelation of their sophisticated tactics and the Merdoor backdoor sheds light on the group’s intent. While their similarities with earlier activities suggest they may not have realized they were exposed, the impact of this exposure on future operations remains uncertain. Vigilance and updated security measures are crucial to mitigating the risk posed by this relentless threat.

Website | + posts

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.


Also Read