Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs

Lancefly APT Group Targets Southeast Asia Organizations With Custom-Written Malware
Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs
Image: Shutterstock

A threat actor is using a custom-made backdoor to target organizations operating in South and Southeast Asia. Sectors at immediate risk include government, aviation, education and telecommunications.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The Lancefly ATP group uses custom-written malware dubbed Merdoor by researchers at Symantec's Threat Hunter Team.

"The motivation behind previous campaigns is believed to be intelligence gathering," the researchers said.

Attackers in the latest campaign have access to an updated version of the ZXShell rootkit, capable of disabling additional antivirus software.

Merdoor's functionality includes keylogging and using various methods to communicate with its command-and-control server, and it is capable of listening on a local port for commands.

Researchers found that instances of the Merdoor backdoor are identical except for its communication method with the C2 server, service details and the installation directory. They said the backdoor typically runs its code into the legitimate Windows processes perfhost.exe and svchost.exe.

The Merdoor dropper is also a self-extracting archive that contains three files: a signed binary vulnerable to DLL search-order hijacking, a malicious loader known as Merdoor loader, and an encrypted file containing final payload, which is the Merdoor backdoor.

When executed, the dropper extracts embedded files and runs a legitimate binary to load the Merdoor loader. The researchers saw the dropper using older versions of five different legitimate applications for DLL sideloading, including McAfee SiteAdvisor, Sophos SafeStore Restore, Google Chrome Frame, Avast wsc_proxy and Norton Identity Safe.

The ZXShell rootkit used by Lancefly is signed by the certificate "Wemade Entertainment Co. Ltd," previously associated with APT41, also known as BlackFly.

"It is known that Chinese APT groups, such as APT41, often share certificates with other APT groups. The ZXShell backdoor has also previously been used by the HiddenLynx/APT17 group, but as the source code of ZXShell is now publicly available this does not provide a definitive link between these two groups," the researchers said.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.