Date: 18 May 2023

Descriptions

Symantec researchers reported that the Lancefly APT group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, as part of a long-running campaign.

The highly-targeted attacks aim at organizations in government, aviation, education, and telecom sectors.

“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018.”

Merdoor is a fully-featured backdoor that supports multiple capabilities, including installing itself as a service, keylogging, a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), and the ability to listen on a local port for commands.

The instances of the Merdoor backdoor analyzed by the researchers only differ for the embedded and encrypted configuration, which includes the C2 communication method, service details, and the installation directory.

The experts reported that the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.

The Merdoor dropper spread as a self-extracting RAR (SFX) that contains three files, a legitimate and signed binary vulnerable to DLL search-order hijacking, a malicious loader (Merdoor loader), and an encrypted file (.pak) containing final payload (Merdoor backdoor).

Lancefly APT used multiple non-malware techniques for credential theft on victim machines, including:

• PowerShell was used to launch rundll32.exe in order to dump the memory of a process using the MiniDump function of comsvcs.dll. This technique is often used to dump LSASS memory.

• Reg.exe was used to dump the SAM and SYSTEM registry hives.

• A legitimate tool by Avast was installed by the attackers and used to dump LSASS memory

The group was spotted using a “masqueraded version” of WinRAR to stage and encrypt files before exfiltration.

Reference

https://securityaffairs.com/146274/apt/lancefly-apt-merdoor-backdoor.html