Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Stealthy MerDoor malware uncovered after five years of attacks

A new APT hacking group dubbed Lancefly uses a custom ‘Merdoor’ backdoor malware to target government, aviation, and telecommunication organizations in South and Southeast Asia.

The Symantec Threat Labs revealed today that Lancefly has been deploying the stealthy Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and perform keylogging on corporate networks.

“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reveals the new Symantec report.

“Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.”

Lancefly is believed to focus on cyber-espionage, aiming to collect intelligence from its victims’ networks over extensive periods.

A wide attack chain

Symantec hasn’t discovered the initial infection vector used by Lancefly. However, it has found evidence that the threat group uses phishing emails, SSH credentials brute forcing, and public-facing server vulnerabilities exploitation for unauthorized access over the years.

Once the attackers establish a presence on the target’s system, they inject the Merdoor backdoor via DLL side-loading into either ‘perfhost.exe’ or ‘svchost.exe,’ both legitimate Windows processes that help the malware evade detection.

Legitimate apps used for sideloading Merdoor
Legitimate software used for side-loading Merdoor (Symantec)

Merdoor helps Lancefly maintain their access and foothold on the victim’s system, installing itself as a service that persists between reboots.

Merdoor then establishes communications with the C2 server using one of the several supported communication protocols (HTTP, HTTPS, DNS, UDP, and TCP) and waits for instructions.

Apart from supporting data exchange with the C2 server, Merdoor can also accept commands by listening to local ports; however, Symantec’s analysts have not provided any specific examples.

The backdoor also records user keystrokes to capture potentially valuable information such as usernames, passwords, or other secrets.

Lancefly has also been observed using Impacket’s ‘Atexec’ feature to immediately execute a scheduled task on a remote machine via SMB. It is believed that the threat actors are using this feature to spread laterally to other devices on the network or delete output files created from other commands.

The attackers attempt to steal credentials by dumping the LSASS process’s memory or stealing the SAM and SYSTEM registry hives.

Finally, Lancefly encrypts stolen files using a masqueraded version of the WinRAR archiving tool and then exfiltrates the data, most likely using Merdoor.

ZXShell rootkit

The use of a newer, lighter, and more feature-rich version of the ZXShell rootkit was also observed in Lancefly attacks.

The rootkit’s loader, “FormDII.dll,” exports functions that can be used to drop payloads that match the host’s system architecture, read and execute shellcode from a file, kill processes, and more.

Advertisement. Scroll to continue reading.

The rootkit also uses an installation and updating utility that shares common code with the Merdoor loader, indicating that Lancefly uses a shared codebase for their tools.

ZXShell’s installation functionality supports service creation, hijacking, and launching, registry modification, and compressing a copy of its own executable for evasion and resilience.

Links to China

The ZXShell rootkit loosely connects Lancefly to other Chinese APT groups that have used the tool in attacks, including APT17 and APT41.

However, the link is weak because the rootkit’s source code has been publicly available for several years.

Lancefly’s “formdll.dll” name for the rootkit loader has been previously reported in a campaign of APT27, aka “Budworm.”

However, it is unclear if this is a purposeful choice to misdirect analysts and make attribution harder.

An element that further backs the hypothesis of Lancefly being of Chinese origin is the observed use of the PlugX and ShadowPad RATs (remote access trojans), which are shared among several Chinese APT groups.

Copyright 2021 Associated Press. All rights reserved.

Source: https://www.bleepingcomputer.com/news/security/stealthy-merdoor-malware-uncovered-after-five-years-of-attacks/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Business News

DUBAI, United Arab Emirates (AP) — The United States and Iran reached a tentative agreement this week that will eventually see five detained Americans in Iran...

Business News

SAN DIEGO (AP) — Two U.S. Navy sailors were charged Thursday with providing sensitive military information to China — including details on wartime exercises,...

Business News

U.S. Secretary of State Antony Blinken shakes hands with Chinese President Xi Jinping in the Great Hall of the People in Beijing, China, Monday,...

Business News

British Prime Minister Rishi Sunak poses for pictures with Screech the Washington Nationals Mascot while attending the Washington Nationals v Arizona Diamondbacks baseball at...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO