The cybersecurity researchers at Symantec Threat Labs recently discovered APT hacking group has been utilizing the specialized ‘Merdoor’ backdoor malware to conduct precise and prolonged attacks on the following sectors in South and Southeast Asia since 2018:-
- Government
- Aviation
- Telecommunication
While apart from this, since 2018, Lancefly has been using the Merdoor backdoor malware in specific attacks.
Symantec researchers have observed the usage of this backdoor malware in multiple campaigns, spanning from 2020 to the first quarter of 2023, with the primary aim of spying and gathering intelligence reports.
Lancefly APT Hackers Attack Chain
Although Symantec has not identified the precise initial infection method employed by Lancefly, evidence suggests that the group has utilized techniques such as phishing emails, SSH credential brute forcing, and exploiting vulnerabilities in public-facing servers to gain unauthorized access.
The attackers inject the Merdoor backdoor through DLL side-loading into legitimate Windows processes, such as “perfhost.exe” or “svchost.exe,” to help the malware evade detection once it gains a foothold on the target system.
The Merdoor dropper contains three files, and it is a self-extracting RAR (SFX):-
- A legitimate and signed binary vulnerable to DLL search-order hijacking
- A malicious loader (Merdoor loader)
- An encrypted file (.pak) containing the final payload (Merdoor backdoor)
The Merdoor dropper, upon execution, extracts embedded files and leverages older versions of five legitimate applications to facilitate DLL sideloading for loading the Merdoor loader.
After installing itself as a service that persists between reboots, the Merdoor backdoor establishes communication with the C2 server via several supported protocols. It awaits further instructions, enabling Lancefly to maintain access and a foothold on the victim’s system.
Here below, we have mentioned all the supported communication protocols:-
Merdoor functions as a backdoor that can receive commands through local ports and records keystrokes to gather potentially useful information.
To swiftly execute scheduled tasks on remote systems through SMB, Lancefly utilizes Impacket’s ‘Atexec’ feature. At the same time, it does so as a means to propagate through the network or eliminate output files generated by previous commands.
The attackers employ memory dumping, stealing registry hives, and encrypting files with a disguised WinRAR tool, followed by likely exfiltration using Merdoor to steal credentials and extract sensitive data.
Attack Chain Tools and TTPs
Here below, we have mentioned all the attack chain tools and TTPs:-
- Impacket Atexec
- Suspicious SMB activity
- WinRAR
- LSSAS Dumper
- NBTScan
- Blackloader
- Prcloader
ZXShell Rootkit
Lancefly attacks incorporate an upgraded ZXShell rootkit, leveraging its advanced capabilities through the “FormDII.dll” loader, which enables the deployment of tailored payloads, execution of shellcode, termination of processes, and additional functionalities based on the host’s system architecture.
Lancefly uses a shared codebase for their tools, as evidenced by the common code between the rootkit’s installation and updating utility and the Merdoor loader, with the former also capable of:-
- Creating services
- Modifying the registry
- Compressing its executable to evade detection
Possible Links
Although the ZXShell rootkit has been used by multiple Chinese APT groups, including APT17 and APT41, the connection to Lancefly is tenuous due to the rootkit’s public availability for years.
The rootkit loader name “formdll.dll” used by Lancefly has been observed in a previous APT27 campaign, but it remains uncertain if this choice intentionally confuses analysts and hinders attribution efforts.
The utilization of commonly employed PlugX and ShadowPad remote access trojans (RATs), shared by multiple Chinese APT groups, provides additional support for the proposition that Lancefly has Chinese origins.
Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus