The Lancefly APT group has emerged as a formidable threat, employing a custom-written backdoor known as Merdoor, which is unleashing havoc on organizations across South and Southeast Asia.
Symantec researchers have shed light on this ongoing, highly targeted campaign against government bodies, aviation companies, educational institutions, and the telecom sector. Let’s delve into the details and unravel the sophisticated techniques used by Lancefly APT.
Merdoor: The Sinister Backdoor
Evolution and Utilization
Symantec’s analysis highlights that Merdoor, a powerful backdoor, has been in existence since 2018. Its deployment was observed in 2020, 2021, and most recently in the first quarter of 2023, suggesting a sustained and targeted offensive. This advanced malware is deployed selectively, infiltrating only a limited number of networks and machines over the years.
Capabilities and Functionality
Merdoor boasts an impressive array of features, including the ability to install itself as a service, keylogging capabilities, diverse communication methods with its command-and-control server (HTTP, HTTPS, DNS, UDP, TCP), and the capacity to listen for commands on a local port.
Once on a victim system, Merdoor is injected into legitimate processes such as perfhost.exe or svchost.exe, enabling it to blend in and remain undetected.
The Intricate Attack Chain
Deployment and Payload
The Merdoor dropper is disseminated as a self-extracting RAR (SFX) file, comprising three essential components: a vulnerable and signed binary susceptible to DLL search-order hijacking, a malicious loader (Merdoor loader), and an encrypted file (.pak) housing the final payload (Merdoor backdoor).
Initial Access Techniques
The attack chain employed in 2020 involved phishing emails leveraging the 37th ASEAN Summit as bait. Recent attacks by the APT group likely employed phishing lures, SSH brute-forcing, or the exploitation of exposed public-facing servers.
Lancefly APT’s Arsenal of Non-Malware Techniques
Credential Theft Strategies
The Lancefly APT group employs multiple non-malware techniques for credential theft on compromised machines, including:
- Launching rundll32.exe from PowerShell to dump process memory, in particular LSASS memory.
- Using Reg.exe to dump the SAM and SYSTEM registry hives.
- Installing a legitimate Avast tool on the compromised machine to dump LSASS memory.
File Exfiltration Tactics
Lancefly APT ingeniously employs a “masqueraded version” of WinRAR to stage and encrypt files before exfiltration, further complicating detection and analysis.
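The credential-theft commands listed above and the renamed WinRAR used for staging all leave traces in process telemetry, so a defender can hunt for them with a handful of rules. The following is an added example, not Symantec's or the article's own code: it runs simple detection rules over constructed Sysmon-style process-creation and process-access records. It assumes the rundll32.exe memory dump used the comsvcs.dll MiniDump export (the article does not say which rundll32 method was used), that the endpoint sensor records the PE OriginalFileName of each started process (which survives renaming of WinRAR), and that the sample paths, process names and the Avast-tool placeholder are made up.

```python
import ntpath
import re

# Constructed sample records (Sysmon Event ID 1-style ProcessCreate and Event ID 10-style
# ProcessAccess fields). They stand in for endpoint telemetry and are NOT real events
# from the Lancefly intrusions; every path and process name here is made up.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\ls.dmp full"},
    {"type": "ProcessCreate",
     "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"type": "ProcessAccess",
     "SourceImage": r"C:\Users\Public\avdump.exe",  # placeholder for a legitimate AV utility
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"type": "ProcessCreate",
     "Image": r"C:\ProgramData\svc.exe",  # renamed rar.exe; version info still says Rar.exe
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Rar.exe",
     "CommandLine": r"svc.exe a -r -hpSecret123 -v200m C:\ProgramData\out.rar C:\Users\jdoe\Documents"},
    {"type": "ProcessCreate",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# Processes that legitimately read LSASS memory (AV/EDR engines, core system processes).
# This allowlist is an assumption and must be tuned per environment.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010          # access-mask bit needed to read another process's memory
ARCHIVER_NAMES = {"winrar.exe", "rar.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def classify_event(ev):
    """Return the names of the detection rules an event matches (empty list if none)."""
    hits = []
    if ev["type"] == "ProcessAccess":
        # Rule 4: any non-allowlisted process opening LSASS with memory-read rights
        if _base(ev["TargetImage"]) == "lsass.exe":
            access = int(ev["GrantedAccess"], 16)
            if access & PROCESS_VM_READ and _base(ev["SourceImage"]) not in LSASS_READERS_ALLOWED:
                hits.append("lsass_memory_read_by_unexpected_process")
        return hits

    image = _base(ev["Image"])
    cmd = ev["CommandLine"]
    # Rule 1: rundll32 invoking comsvcs.dll's MiniDump export (by name or by ordinal #24)
    if image == "rundll32.exe" and re.search(r"comsvcs\.dll\s*,?\s*(minidump|#24)\b", cmd, re.I):
        hits.append("rundll32_comsvcs_minidump")
        if _base(ev["ParentImage"]) == "powershell.exe":
            hits.append("spawned_by_powershell")
    # Rule 2: reg.exe saving the SAM/SYSTEM/SECURITY hives to disk
    if image == "reg.exe" and re.search(r"\bsave\b.*\\(sam|system|security)\b", cmd, re.I):
        hits.append("registry_hive_dump")
    # Rule 3: WinRAR/Rar running under another file name (PE OriginalFileName disagrees
    # with the on-disk name), optionally with a password switch (-p<pw> or -hp<pw>)
    orig = ev.get("OriginalFileName", "").lower()
    if orig in ARCHIVER_NAMES and image != orig:
        hits.append("masqueraded_winrar")
        if re.search(r"(^|\s)-h?p\S+", cmd):
            hits.append("password_protected_archive_staging")
    return hits


def scan(events):
    """Map event index -> matched rule names, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := classify_event(ev))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Rule 3 is what catches the masqueraded WinRAR: renaming the binary changes the image path but not the version resource the sensor records, and the `-hp` switch (which also encrypts file names inside the archive) is a strong sign that data is being staged for exfiltration rather than backed up. The LSASS rule deliberately does not name the Avast tool, since any non-allowlisted reader of LSASS memory is worth a look.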
Connections and Future Implications
Links to Other APT Groups
Researchers investigating possible connections found that the ZXShell rootkit used by the Lancefly APT group is signed with a “Wemade Entertainment Co. Ltd” certificate, one previously associated with the China-linked APT41 (aka Blackfly/Grayfly) group. Additionally, the HiddenLynx/APT17 group has also utilized the ZXShell backdoor. Notably, the source code for ZXShell is now publicly available, so its use on its own is a weak link to any one group.
Tools and Motivations
The Lancefly APT group has exhibited the use of both PlugX and ShadowPad backdoors, which are typically linked to APT operations originating from China. The choice of tools and sectors targeted strongly indicates the group’s primary objective is intelligence gathering.
As Lancefly APT’s campaign continues unabated, the revelation of its sophisticated tactics and the Merdoor backdoor sheds light on the group’s intent. While the similarities with earlier activity suggest the group may not have realized it had been exposed, the impact of this exposure on future operations remains uncertain. Vigilance and updated security measures are crucial to mitigating the risk posed by this relentless threat.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.