Tuesday, June 18, 2024

Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs

The cybersecurity researchers at Symantec Threat Labs recently discovered APT hacking group has been utilizing the specialized ‘Merdoor’ backdoor malware to conduct precise and prolonged attacks on the following sectors in South and Southeast Asia since 2018:-

  • Government
  • Aviation
  • Telecommunication

While apart from this, since 2018, Lancefly has been using the Merdoor backdoor malware in specific attacks.

Symantec researchers have observed the usage of this backdoor malware in multiple campaigns, spanning from 2020 to the first quarter of 2023, with the primary aim of spying and gathering intelligence reports.

Lancefly APT Hackers Attack Chain

Although Symantec has not identified the precise initial infection method employed by Lancefly, evidence suggests that the group has utilized techniques such as phishing emails, SSH credential brute forcing, and exploiting vulnerabilities in public-facing servers to gain unauthorized access.

The attackers inject the Merdoor backdoor through DLL side-loading into legitimate Windows processes, such as “perfhost.exe” or “svchost.exe,” to help the malware evade detection once it gains a foothold on the target system.

The Merdoor dropper contains three files, and it is a self-extracting RAR (SFX):-

  • A legitimate and signed binary vulnerable to DLL search-order hijacking
  • A malicious loader (Merdoor loader)
  • An encrypted file (.pak) containing the final payload (Merdoor backdoor)

The Merdoor dropper, upon execution, extracts embedded files and leverages older versions of five legitimate applications to facilitate DLL sideloading for loading the Merdoor loader.

After installing itself as a service that persists between reboots, the Merdoor backdoor establishes communication with the C2 server via several supported protocols. It awaits further instructions, enabling Lancefly to maintain access and a foothold on the victim’s system.

Here below, we have mentioned all the supported communication protocols:-

  • HTTP
  • DNS
  • UDP
  • TCP

Merdoor functions as a backdoor that can receive commands through local ports and records keystrokes to gather potentially useful information.

To swiftly execute scheduled tasks on remote systems through SMB, Lancefly utilizes Impacket’s ‘Atexec’ feature. At the same time, it does so as a means to propagate through the network or eliminate output files generated by previous commands.

The attackers employ memory dumping, stealing registry hives, and encrypting files with a disguised WinRAR tool, followed by likely exfiltration using Merdoor to steal credentials and extract sensitive data.

Attack Chain Tools and TTPs

Here below, we have mentioned all the attack chain tools and TTPs:-

  • Impacket Atexec
  • Suspicious SMB activity
  • WinRAR
  • LSSAS Dumper
  • NBTScan
  • Blackloader
  • Prcloader

ZXShell Rootkit

Lancefly attacks incorporate an upgraded ZXShell rootkit, leveraging its advanced capabilities through the “FormDII.dll” loader, which enables the deployment of tailored payloads, execution of shellcode, termination of processes, and additional functionalities based on the host’s system architecture.

Lancefly uses a shared codebase for their tools, as evidenced by the common code between the rootkit’s installation and updating utility and the Merdoor loader, with the former also capable of:-

  • Creating services
  • Modifying the registry
  • Compressing its executable to evade detection

Possible Links

Although the ZXShell rootkit has been used by multiple Chinese APT groups, including APT17 and APT41, the connection to Lancefly is tenuous due to the rootkit’s public availability for years.

The rootkit loader name “formdll.dll” used by Lancefly has been observed in a previous APT27 campaign, but it remains uncertain if this choice intentionally confuses analysts and hinders attribution efforts.

The utilization of commonly employed PlugX and ShadowPad remote access trojans (RATs), shared by multiple Chinese APT groups, provides additional support for the proposition that Lancefly has Chinese origins.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles