Saturday, March 2, 2024

Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs

The cybersecurity researchers at Symantec Threat Labs recently discovered APT hacking group has been utilizing the specialized ‘Merdoor’ backdoor malware to conduct precise and prolonged attacks on the following sectors in South and Southeast Asia since 2018:-

  • Government
  • Aviation
  • Telecommunication

While apart from this, since 2018, Lancefly has been using the Merdoor backdoor malware in specific attacks.

Symantec researchers have observed the usage of this backdoor malware in multiple campaigns, spanning from 2020 to the first quarter of 2023, with the primary aim of spying and gathering intelligence reports.

Lancefly APT Hackers Attack Chain

Although Symantec has not identified the precise initial infection method employed by Lancefly, evidence suggests that the group has utilized techniques such as phishing emails, SSH credential brute forcing, and exploiting vulnerabilities in public-facing servers to gain unauthorized access.

The attackers inject the Merdoor backdoor through DLL side-loading into legitimate Windows processes, such as “perfhost.exe” or “svchost.exe,” to help the malware evade detection once it gains a foothold on the target system.

The Merdoor dropper contains three files, and it is a self-extracting RAR (SFX):-

  • A legitimate and signed binary vulnerable to DLL search-order hijacking
  • A malicious loader (Merdoor loader)
  • An encrypted file (.pak) containing the final payload (Merdoor backdoor)

The Merdoor dropper, upon execution, extracts embedded files and leverages older versions of five legitimate applications to facilitate DLL sideloading for loading the Merdoor loader.

After installing itself as a service that persists between reboots, the Merdoor backdoor establishes communication with the C2 server via several supported protocols. It awaits further instructions, enabling Lancefly to maintain access and a foothold on the victim’s system.

Here below, we have mentioned all the supported communication protocols:-

  • HTTP
  • DNS
  • UDP
  • TCP

Merdoor functions as a backdoor that can receive commands through local ports and records keystrokes to gather potentially useful information.

To swiftly execute scheduled tasks on remote systems through SMB, Lancefly utilizes Impacket’s ‘Atexec’ feature. At the same time, it does so as a means to propagate through the network or eliminate output files generated by previous commands.

The attackers employ memory dumping, stealing registry hives, and encrypting files with a disguised WinRAR tool, followed by likely exfiltration using Merdoor to steal credentials and extract sensitive data.

Attack Chain Tools and TTPs

Here below, we have mentioned all the attack chain tools and TTPs:-

  • Impacket Atexec
  • Suspicious SMB activity
  • WinRAR
  • LSSAS Dumper
  • NBTScan
  • Blackloader
  • Prcloader

ZXShell Rootkit

Lancefly attacks incorporate an upgraded ZXShell rootkit, leveraging its advanced capabilities through the “FormDII.dll” loader, which enables the deployment of tailored payloads, execution of shellcode, termination of processes, and additional functionalities based on the host’s system architecture.

Lancefly uses a shared codebase for their tools, as evidenced by the common code between the rootkit’s installation and updating utility and the Merdoor loader, with the former also capable of:-

  • Creating services
  • Modifying the registry
  • Compressing its executable to evade detection

Possible Links

Although the ZXShell rootkit has been used by multiple Chinese APT groups, including APT17 and APT41, the connection to Lancefly is tenuous due to the rootkit’s public availability for years.

The rootkit loader name “formdll.dll” used by Lancefly has been observed in a previous APT27 campaign, but it remains uncertain if this choice intentionally confuses analysts and hinders attribution efforts.

The utilization of commonly employed PlugX and ShadowPad remote access trojans (RATs), shared by multiple Chinese APT groups, provides additional support for the proposition that Lancefly has Chinese origins.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus


Latest articles

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles