Lancefly APT Custom Backdoor Targets Government and Aviation Sectors

The advanced persistent threat (APT) group known as Lancefly has been observed deploying a custom-written backdoor in attacks targeting organizations in South and Southeast Asia.

According to new data from Symantec’s Threat Hunter Team, these campaigns have been ongoing for several years.

“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reads an advisory published by the company earlier today.

“Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.”

Symantec explained that over the years, the backdoor has only appeared on a few networks and machines, indicating highly targeted usage. The attackers in this campaign would also be equipped with an updated version of the ZXShell rootkit.

“The targets in this most recent activity, which began in mid-2022 and continued into 2023, are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms,” Symantec added.

The company clarified that the Merdoor backdoor was used in attacks targeting victims in the government, communications and technology sectors in the same geographical locations in 2020 and 2021.

“Like this recent activity, that activity also appeared to be highly targeted, with only a small number of machines infected.”

Technically, Merdoor disguises itself as a legitimate service and has keylogging capabilities. It can communicate with its command-and-control (C2) server through various methods and listen for commands on a local port.

The backdoor is typically injected into legitimate processes and distributed through a self-extracting RAR dropper containing a vulnerable binary, a malicious loader (Merdoor loader) and an encrypted file (Merdoor backdoor). Symantec also wrote that some dropper variants exploit older versions of legitimate applications for DLL sideloading.

“While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period,” reads the advisory. “This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.”

Symantec’s discovery comes a few months after threat researchers at EclecticIQ shed light on a new Dark Pink campaign targeting government entities in ASEAN (Association of Southeast Asian Nations) countries.
