An APT group called Lancefly has been using a “powerful” backdoor to hit government, aviation, education and telecoms organizations in South and Southeast Asia in a highly targeted, multi-year campaign.
The APT group’s malware, Merdoor, appears to have existed since 2018, according to researchers with Symantec. The backdoor has the ability to install itself as a service, act as a keylogger, communicate with the command-and-control (C2) server and listen on a local port for commands. Researchers tracked multiple incidents over the years from the APT, including campaigns in 2020 and 2021 that targeted victims in the government, communications and technology sectors, and more recent attacks starting in mid-2022 and continuing into this year. They believe that the aim behind the most recent campaign is to gather intelligence.
“This recent Lancefly activity is of note due to its use of the Merdoor backdoor, but also the low prevalence of this backdoor and the seemingly highly targeted nature of these attacks,” said researchers with Symantec’s threat hunter team in a Monday analysis. “While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period. This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.”
Researchers are still trying to determine the initial infection vector for the APT’s most recent campaign. The earlier campaign from the group that started in 2020 revealed that the group may have used a phishing email to target victims with a lure based on the ASEAN Summit, a biannual meeting held by the members of the Association of Southeast Asian Nations where political, security, and socio-cultural development of Southeast Asian countries is discussed. While researchers are unsure of the initial infection vector for Lancefly's recent activity over the last year, they said that for government sector victims the group may have used SSH brute force attacks, and for another victim the APT may have targeted an exposed server.
“While evidence for any of these infection vectors is not definitive, it does appear to indicate that Lancefly is adaptable when it comes to the kind of infection vectors it uses,” according to researchers.
Researchers said that the malware’s dropper is typically injected into legitimate processes (perfhost.exe or svchost.exe) and contains three files: a legitimate signed binary vulnerable to DLL search-order hijacking, a loader, and an encrypted file that contains the backdoor, which is executed and connects to the C2 server. The malware abuses older versions of five different legitimate applications for DLL sideloading, including McAfee SiteAdvisor, Avast wsc_proxy and Google Chrome Frame.
Beyond Merdoor, the APT also uses several techniques to steal victim credentials, for instance leveraging PowerShell to launch rundll32.exe and dump the memory of processes (a tactic typically used to dump Local Security Authority Subsystem Service, or LSASS, memory), and using a legitimate Avast tool to dump LSASS memory. Attackers have also used the WinRAR archiving tool to encrypt files before exfiltration. Finally, the group uses an updated version of ZXShell, a rootkit first reported on by Cisco Talos researchers in 2014; it is a remote administration tool used to maintain persistence by attempting to tamper with various anti-virus products on the victim’s system. All these tools used by the APT point to motives around intelligence gathering, said researchers.
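The tradecraft described in the two paragraphs above (a signed binary loading a sideloaded DLL from its own directory, injection into perfhost.exe or svchost.exe, and PowerShell launching rundll32.exe against LSASS) maps onto simple host-telemetry triage rules. The script below is an added illustration written for this article, not code from Symantec or from the report it summarizes. It assumes Sysmon-style events (IDs 1, 7 and 8) flattened into dictionaries with the field names shown; the file paths, the `siteadv.exe` binary name and the `PLACEHOLDER_*` values are constructed for the example and are not indicators from the report.

```python
"""Triage rules for Sysmon-style telemetry, mirroring the behaviours in the write-up.

R1  DLL sideloading: a process outside a trusted program directory loads an
    unsigned DLL that sits in the process's own directory.
R2  A remote thread is created in perfhost.exe / svchost.exe by a source image
    that does not live under a trusted directory.
R3  PowerShell launches rundll32.exe with 'lsass' on the command line.

Event shape is Sysmon-like and simplified (constructed for this example).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional

# Directories where legitimately installed software is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INJECTION_HOSTS = {"perfhost.exe", "svchost.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def rule_sideload(ev: dict) -> Optional[Alert]:
    """R1: unsigned DLL loaded from the process's own, untrusted directory."""
    if ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    if ev.get("Signed", "false").lower() == "true":
        return None                      # signed DLLs are out of scope here
    if _dir(image) != _dir(dll) or _in_trusted_root(image):
        return None
    return Alert("R1-dll-sideload", f"{image} loaded unsigned {dll} from its own directory")


def rule_remote_thread(ev: dict) -> Optional[Alert]:
    """R2: CreateRemoteThread into a common host process from an untrusted image."""
    if ev.get("EventID") != 8:
        return None
    src, dst = ev["SourceImage"], ev["TargetImage"]
    if _base(dst) not in INJECTION_HOSTS or _in_trusted_root(src):
        return None
    return Alert("R2-remote-thread-hosts", f"{src} created a thread in {dst}")


def rule_rundll32_lsass(ev: dict) -> Optional[Alert]:
    """R3: PowerShell -> rundll32.exe with an LSASS reference in the command line."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) != "rundll32.exe":
        return None
    if _base(ev.get("ParentImage", "")) not in POWERSHELL_IMAGES:
        return None
    if "lsass" not in ev.get("CommandLine", "").lower():
        return None
    return Alert("R3-rundll32-lsass", f"{ev['ParentImage']} ran: {ev['CommandLine']}")


RULES = (rule_sideload, rule_remote_thread, rule_rundll32_lsass)


def triage(events: list[dict]) -> list[Alert]:
    """Run every rule over every event; return alerts in event order."""
    return [a for ev in events for r in RULES if (a := r(ev)) is not None]


# Constructed sample telemetry: three hits (R1, R2, R3) and three benign events.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\siteadv.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\PLACEHOLDER_LOADER.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Libraries\siteadv.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "rundll32.exe PLACEHOLDER_DLL,PLACEHOLDER_EXPORT lsass"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert.rule, "|", alert.detail)
```

R1 is deliberately broad (any unsigned DLL loaded from the process's own directory outside the trusted roots) and will fire on some legitimate portable software; in practice it is paired with a check that the loading executable carries a valid signature from a vendor whose products are not installed in that path, which is exactly the signed-binary-plus-loader pattern the report describes.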
“The similarities between this recent activity and earlier activity by Lancefly indicate that the group perhaps did not realize the earlier activity had been discovered, so it was not concerned about links being made between the two,” said researchers. “Whether or not the exposure of this activity will lead to any alteration in how the group carries out its activity remains to be seen.”