The APT group Lancefly is using a custom-written backdoor, named Merdoor, to target organizations in the government, education, telecom, and aviation sectors. Security researchers report that the backdoor has been in use since 2018.
What has been found?
The Merdoor backdoor is being used selectively in highly targeted attacks on a handful of networks and a small number of systems.
The attackers behind the campaign have access to an updated version of the ZXShell rootkit.
The new version of ZXShell is smaller, has additional functions, and targets antivirus software in order to disable it.
The rootkit is signed with a certificate issued in the name of 'Wemade Entertainment Co. Ltd,' which was linked to APT41 in August 2019.
The exact initial intrusion vector is not yet clear, although the attackers are believed to have used SSH brute-forcing, phishing lures, or the exploitation of internet-exposed servers.
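The SSH brute-forcing suspected above leaves a distinctive trail in sshd logs: a burst of failed password attempts from one source, sometimes followed by a successful login. As an added example (not part of the original report and not any Lancefly tooling), the following Python flags that pattern with a sliding-window count per source address. The log lines, hostname and addresses are constructed for the example.

```python
"""Flag SSH password-guessing in sshd log lines (added example; sample data is constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in the syslog format Debian/Ubuntu write to auth.log.
# 203.0.113.7 guesses five passwords in eight seconds and then gets in as root;
# 198.51.100.20 is an operator who mistypes once and then logs in with a key.
SAMPLE_LOG = """\
May 10 03:12:01 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 10 03:12:03 bastion sshd[2313]: Failed password for root from 203.0.113.7 port 51130 ssh2
May 10 03:12:04 bastion sshd[2315]: Failed password for invalid user oracle from 203.0.113.7 port 51131 ssh2
May 10 03:12:06 bastion sshd[2317]: Failed password for root from 203.0.113.7 port 51140 ssh2
May 10 03:12:09 bastion sshd[2319]: Failed password for invalid user test from 203.0.113.7 port 51142 ssh2
May 10 03:12:30 bastion sshd[2321]: Accepted password for root from 203.0.113.7 port 51150 ssh2
May 10 03:40:00 bastion sshd[2400]: Failed password for alice from 198.51.100.20 port 40002 ssh2
May 10 03:40:20 bastion sshd[2401]: Accepted publickey for alice from 198.51.100.20 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2023):
    """Return a dict for Failed/Accepted sshd lines, None for anything else.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Map source IP -> finding for sources with >= threshold failed logins
    inside a sliding window of window_s seconds. A later Accepted login from a
    flagged source is recorded as success_after: that is the case to page on."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    findings = {}
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in findings:
                findings[ev["ip"]] = {"failures": len(q), "success_after": None}
        elif ev["ip"] in findings:
            findings[ev["ip"]]["success_after"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The threshold and window are tuning knobs; a slow, distributed guesser spreading attempts across many sources and hours will not trip a per-IP window like this, so pair it with a per-account view as well. A flagged source that subsequently produces an Accepted line should be treated as a probable compromise, not just noise.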
Attack TTPs
The attack chains lead to the deployment of ZXShell and Merdoor.
The malware communicates with an attacker-controlled server to receive further commands, and it logs keystrokes on the infected host.
The group used a range of tools for different stages of its attacks, including Impacket atexec, WinRAR, an LSASS dumper, NBTScan, Blackloader, and Prcloader. Suspicious SMB activity was also observed during the attacks.
Lancefly also used PlugX and its successor ShadowPad in the campaign; ShadowPad is a modular backdoor that has been privately shared among several Chinese state-sponsored groups since 2015.
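Impacket's atexec and the accompanying SMB activity are the most detectable items in that tool list, because atexec executes commands by registering a scheduled task over the task-scheduler RPC interface. As an added example (not the report's and not any Lancefly tooling), the following Python applies a heuristic to Windows Security task-creation (4698) and task-deletion (4699) events. It assumes atexec's default template: a task named with eight random letters, whose action is cmd.exe /C <command> redirected to %windir%\Temp\<eight random letters>.tmp, which is run and then deleted seconds later. That template is an assumption of the example, not something the page states, and the events, usernames and task names are constructed.

```python
r"""Flag Impacket-atexec-style scheduled tasks in Windows Security events
(added example; the events below are constructed, not real telemetry).

Heuristic, assumed from atexec's default task template rather than taken
from the report: a task named \<8 random letters> whose action is
cmd.exe /C <command> > %windir%\Temp\<8 random letters>.tmp 2>&1, created
(4698) and deleted (4699) within seconds."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"e": EVT_NS}

# Task-name and argument shapes atexec produces by default (assumption, see above).
NAME_RE = re.compile(r"^\\[A-Za-z]{8}$")
ARGS_RE = re.compile(r"^/C .+ > %windir%\\Temp\\[A-Za-z]{8}\.tmp 2>&1$")


def task_xml(command, args):
    """Minimal Task Scheduler XML with one Exec action (constructed)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS}"><Actions Context="LocalSystem"><Exec>'
            f"<Command>{escape(command)}</Command><Arguments>{escape(args)}</Arguments>"
            "</Exec></Actions></Task>")


def security_event(event_id, time_utc, task_name, task_content="", user="svc_backup"):
    """A 4698/4699 record in the Security log's XML shape (constructed)."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time_utc}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_content)}</Data></EventData></Event>')


# Constructed: one atexec-shaped task that lives seven seconds, one ordinary maintenance task.
SAMPLE_EVENTS = [
    security_event(4698, "2023-05-10T03:15:02Z", r"\QwErTyUi",
                   task_xml("cmd.exe", r"/C whoami /all > %windir%\Temp\HjKlMnOp.tmp 2>&1")),
    security_event(4699, "2023-05-10T03:15:09Z", r"\QwErTyUi"),
    security_event(4698, "2023-05-10T03:20:00Z", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                   task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$"), user="SYSTEM"),
]


def parse_event(xml_text):
    """Flatten one Security event into a dict: id, ts, and every EventData field."""
    root = ET.fromstring(xml_text)
    ts_raw = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ev = {"id": int(root.find("e:System/e:EventID", NS).text),
          "ts": datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))}
    ev.update((d.get("Name"), d.text or "") for d in root.findall("e:EventData/e:Data", NS))
    return ev


def exec_action(task_content):
    """(command, arguments) of the task's Exec action, or (None, None)."""
    if not task_content:
        return None, None
    t = ET.fromstring(task_content)
    cmd = t.find("{*}Actions/{*}Exec/{*}Command")
    args = t.find("{*}Actions/{*}Exec/{*}Arguments")
    return (cmd.text if cmd is not None else None,
            args.text if args is not None else None)


def detect_atexec(events):
    """Return findings for tasks matching the atexec shape; when a 4699 for the
    same task follows, record how many seconds the task lived."""
    pending, findings = {}, []
    for ev in sorted(map(parse_event, events), key=lambda e: e["ts"]):
        name = ev.get("TaskName", "")
        if ev["id"] == 4698:
            cmd, args = exec_action(ev.get("TaskContent", ""))
            if (NAME_RE.match(name) and cmd and cmd.lower().endswith("cmd.exe")
                    and args and ARGS_RE.match(args)):
                finding = {"task": name, "user": ev.get("SubjectUserName"),
                           "args": args, "deleted_after_s": None}
                pending[name] = (ev["ts"], finding)
                findings.append(finding)
        elif ev["id"] == 4699 and name in pending:
            created, finding = pending.pop(name)
            finding["deleted_after_s"] = (ev["ts"] - created).total_seconds()
    return findings


if __name__ == "__main__":
    for finding in detect_atexec(SAMPLE_EVENTS):
        print(finding)
```

Events 4698 and 4699 are only written when the "Other Object Access Events" subcategory is audited, so confirm that policy before relying on this. The name and argument patterns are one signal, not proof: an operator can edit atexec's template, so also watch for the task-scheduler RPC traffic over SMB from hosts that do not normally manage tasks remotely, and for the short-lived .tmp file in the Windows Temp directory.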
Conclusion
The Merdoor backdoor has been in use for several years and has been deployed in a small number of highly targeted attacks. To counter a group as focused as Lancefly, organizations should deploy a proactive, multi-layered defense and regularly reassess the threats they face as those threats evolve.