Lancefly has been deploying the Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and perform keylogging on corporate networks.

Lancefly, an APT group, is using a custom-written backdoor in attacks targeting government, aviation, education, and telecom organizations in South and Southeast Asia in activity that has been ongoing for the past five years, according to Symantec. The group's apparent motive is intelligence gathering.

“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” Symantec said in the blog, adding that researchers observed Merdoor being used in some activity in 2020, 2021, and in this more recent campaign, which continued into the first quarter of 2023. The backdoor is deployed selectively against a small number of targets. “This recent Lancefly activity is of note due to its use of the Merdoor backdoor, but also the low prevalence of this backdoor and the seemingly highly targeted nature of these attacks,” the blog said.

Merdoor is a powerful backdoor

Symantec researchers consider Merdoor a powerful backdoor. The initial access vector used in the current campaign is still not clear, but in earlier campaigns researchers observed indications that the group used phishing emails, SSH credential brute-forcing, and exploitation of vulnerabilities in public-facing servers to gain initial access.

Once the group has a foothold on a victim's system, Merdoor is installed via DLL sideloading and injected into legitimate Windows processes. The installation consists of three files: a legitimate signed binary that is vulnerable to DLL search-order hijacking, a loader DLL, and an encrypted file that contains the backdoor itself. Because the signed binary is trusted, the loader it picks up runs under a legitimate process name and the backdoor payload never touches disk in decrypted form.
Upon execution, the backdoor establishes communications with its command-and-control server, supporting HTTP, HTTPS, DNS, UDP, and TCP as transports, and waits for instructions. The attackers attempt to steal credentials by dumping the memory of the LSASS process or by stealing the SAM and SYSTEM registry hives, the blog said. “A masqueraded WinRAR (wmiprvse.exe) file is then used to stage and encrypt files, presumably prior to exfiltration.” The file is a copy of WinRAR renamed to look like the legitimate Windows WMI provider host process.

“We do not actually see the files being exfiltrated from victim networks, but we presume the Merdoor backdoor itself is used to exfiltrate them,” the blog said.

The APT also uses a new version of the ZXShell rootkit that is smaller than earlier versions but has additional functions and targets additional antivirus software to disable, Symantec said.

Possible links to China

The ZXShell rootkit used by Lancefly is signed with the certificate “Wemade Entertainment Co. Ltd”, which was previously reported to be associated with APT41 (aka Blackfly/Grayfly), the blog said. However, Chinese APT groups such as APT41 often share certificates with other groups, so a shared certificate alone is weak evidence. The ZXShell backdoor has also previously been used by the HiddenLynx/APT17 group, “but as the source code of ZXShell is now publicly available this does not provide a definitive link between these two groups,” the blog said.

The ZXShell rootkit loader component used by the APT is named “formdll.dll”; it reads the file “Form.hlp” and executes its contents as shellcode. “Those same files were mentioned as being used in a previous report detailing activity by the Iron Tiger (aka Budworm/APT27) group,” the blog said, adding that the prevalence of such files is very low, which may indicate a link between that campaign and this more recent activity. ShadowPad is also used by these attackers. ShadowPad is a modular RAT believed to be used exclusively by Chinese APT groups, according to the blog.
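The three host-side behaviours described above (a signed binary sideloading an unsigned DLL from its own directory, a renamed tool such as WinRAR running under a system process name like wmiprvse.exe, and credential theft via LSASS memory reads or SAM/SYSTEM hive saves) are each visible in ordinary endpoint telemetry. The following is an added example, written for this page and not code from Symantec or from the Lancefly toolset, of heuristic detection rules run over a handful of constructed Sysmon-style events. The event dictionaries, file paths, DLL name and access masks are all assumptions made up for the example; the only real constants are the Windows directories and the PROCESS_VM_READ access right.

```python
"""Heuristic detections for DLL sideloading, system-binary masquerading,
LSASS memory access and SAM/SYSTEM hive dumps over Sysmon-like events.
Added illustration only; event shapes and sample data are constructed."""
import ntpath

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory (Windows API value)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows process names that malware commonly borrows; wmiprvse.exe is the one named in the report.
SYSTEM_PROCESS_NAMES = {"wmiprvse.exe", "svchost.exe", "lsass.exe", "explorer.exe"}
HIVE_TOKENS = ("hklm\\sam", "hklm\\system")


def _lower(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_system_dir(path: str) -> bool:
    return _lower(path).startswith(SYSTEM_DIRS)


def masqueraded_system_binary(ev: dict):
    """ProcessCreate whose name matches a system process but whose on-disk location
    or PE OriginalFileName says otherwise (e.g. WinRAR renamed to wmiprvse.exe)."""
    if ev.get("event") != "ProcessCreate":
        return None
    name = ntpath.basename(_lower(ev["image"]))
    if name not in SYSTEM_PROCESS_NAMES:
        return None
    orig = ev.get("original_filename", "").lower()
    if not _in_system_dir(ev["image"]) or (orig and orig != name):
        return f"masquerade: {ev['image']} (OriginalFileName={ev.get('original_filename')})"
    return None


def possible_sideload(ev: dict):
    """ImageLoad where a signed EXE outside the Windows directories loads an
    unsigned DLL from its own directory: the classic search-order hijack layout."""
    if ev.get("event") != "ImageLoad":
        return None
    same_dir = ntpath.dirname(_lower(ev["image"])) == ntpath.dirname(_lower(ev["image_loaded"]))
    if ev.get("loader_signed") and not ev.get("dll_signed") and same_dir and not _in_system_dir(ev["image"]):
        return f"sideload: {ev['image']} loaded unsigned {ev['image_loaded']} from its own directory"
    return None


def lsass_memory_access(ev: dict):
    """ProcessAccess on lsass.exe with PROCESS_VM_READ from a non-system source image."""
    if ev.get("event") != "ProcessAccess":
        return None
    if ntpath.basename(_lower(ev["target_image"])) != "lsass.exe":
        return None
    if ev["granted_access"] & PROCESS_VM_READ and not _in_system_dir(ev["source_image"]):
        return f"lsass access: {ev['source_image']} opened lsass.exe with 0x{ev['granted_access']:x}"
    return None


def hive_dump(ev: dict):
    """reg.exe saving the SAM or SYSTEM hive, the offline route to local credentials."""
    if ev.get("event") != "ProcessCreate":
        return None
    cmd = _lower(ev.get("command_line", ""))
    if ntpath.basename(_lower(ev["image"])) == "reg.exe" and " save " in cmd and any(t in cmd for t in HIVE_TOKENS):
        return f"hive dump: {ev['command_line']}"
    return None


RULES = (masqueraded_system_binary, possible_sideload, lsass_memory_access, hive_dump)


def scan(events):
    """Run every rule over every event and return the list of hit descriptions."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry (not real logs): two benign events and four suspicious ones.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "original_filename": "wmiprvse.exe", "command_line": "wmiprvse.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\Public\wmiprvse.exe",
     "original_filename": "WinRAR.exe", "command_line": "wmiprvse.exe a -hp staged.rar C:\\data"},
    {"event": "ImageLoad", "image": r"C:\ProgramData\Update\app.exe",
     "image_loaded": r"C:\ProgramData\Update\helper.dll", "loader_signed": True, "dll_signed": False},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\helper.dll", "loader_signed": True, "dll_signed": True},
    {"event": "ProcessAccess", "source_image": r"C:\Users\Public\wmiprvse.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\reg.exe", "original_filename": "reg.exe",
     "command_line": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

None of these rules is a signature for Merdoor itself; they flag the generic techniques the report describes, so expect tuning: legitimate software does sideload its own DLLs from Program Files, and backup agents and EDR sensors do open LSASS, which is why the rules exclude the Windows directories and why a production version would carry an allowlist of signed source images.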
“While these overlaps and shared tools may indicate some links between Lancefly activity and activity by other APT groups, none of the overlaps are strong enough to attribute this activity and the development of the Merdoor backdoor to an already-known attack group.”