The Lancefly Enigma: Unveiling the Stealthy Merdoor Backdoor Attacks

Merdoor Backdoor

Researchers from Symantec (by Broadcom Software) report that Lancefly, a previously undocumented advanced persistent threat (APT) group, has been using a custom-written backdoor named Merdoor in targeted attacks on organizations across South and Southeast Asia. The campaigns appear to be aimed at intelligence gathering.

Merdoor, believed to have been in use since 2018, is a fully featured backdoor that has been deployed only sparingly, in a small number of highly targeted espionage intrusions. Besides conventional functions such as keylogging, it can install itself as a service, listen on a local port for commands, and communicate with its command-and-control (C&C) server over a configurable method. The samples analysed are essentially identical apart from an encrypted configuration that specifies the C&C communication method, the service details, and the installation directory. The backdoor is injected into legitimate processes, which hides its activity behind trusted process names.

Lancefly is flexible in its choice of initial infection vector: observed intrusions have begun with phishing emails, SSH brute-forcing, and exploitation of exposed public-facing servers. Once inside a network, the group relies on living-off-the-land techniques and on disguised copies of legitimate tools for credential theft, which keeps its malware footprint small and makes detection harder.

A typical Merdoor attack chain begins with injection into either perfhost.exe or svchost.exe, followed by suspicious activity from the injected process, including contact with its C&C server. Suspicious living-off-the-land activity and the staging of files for exfiltration then follow.
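The chain described above is easier to catch by correlating endpoint telemetry per host than by alerting on any single event. The following Python is an added example, not code from the article or from Symantec: it correlates constructed Sysmon-style events (process creation, network connection, CreateRemoteThread, file create) into the four stages the article names, marks a perfhost.exe or svchost.exe instance as tainted once something injects into it or it is spawned by an unexpected parent, and propagates that taint to the process's children so that later LOLBin activity and archive creation are tied back to the injected host process. The expected parent (services.exe), the LOLBin list, the archive suffixes, the rule that perfhost.exe should never open network connections, and the sample events are all assumptions made for this example.

```python
"""Added example: per-host correlation of the Merdoor attack chain
(injection into perfhost.exe/svchost.exe -> C&C contact -> living-off-the-land
-> staging of archives).  Event shapes loosely follow Sysmon event IDs
(1 process create, 3 network connect, 8 CreateRemoteThread, 11 file create).
All sample data below is constructed; nothing here is Symantec's code."""

from collections import defaultdict
from dataclasses import dataclass, field

INJECTION_TARGETS = {"perfhost.exe", "svchost.exe"}
EXPECTED_PARENT = "services.exe"          # assumed normal parent of both binaries
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wmic.exe", "schtasks.exe"}
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z", ".cab")
STAGE_ORDER = ["injection", "c2", "lolbin", "staging"]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class HostState:
    tainted: set = field(default_factory=set)   # injected pids and their descendants
    stages: list = field(default_factory=list)  # stages observed, in order first seen

    def hit(self, stage: str) -> None:
        if stage not in self.stages:
            self.stages.append(stage)


def correlate(events):
    """Map host -> ordered list of attack-chain stages observed on that host."""
    hosts = defaultdict(HostState)
    for ev in sorted(events, key=lambda e: e["ts"]):
        st, eid = hosts[ev["host"]], ev["id"]
        if eid == 8:  # CreateRemoteThread into a service host = injection primitive
            if image_name(ev["target_image"]) in INJECTION_TARGETS:
                st.tainted.add(ev["target_pid"])
                st.hit("injection")
        elif eid == 1:  # process creation
            img = image_name(ev["image"])
            if img in INJECTION_TARGETS and image_name(ev["parent_image"]) != EXPECTED_PARENT:
                st.tainted.add(ev["pid"])
                st.hit("injection")
            if ev["parent_pid"] in st.tainted:  # child of an injected process inherits taint
                st.tainted.add(ev["pid"])
                if img in LOLBINS:
                    st.hit("lolbin")
        elif eid == 3:  # network connection from a tainted pid, or from perfhost.exe at all
            if ev["pid"] in st.tainted or image_name(ev["image"]) == "perfhost.exe":
                st.tainted.add(ev["pid"])
                st.hit("c2")
        elif eid == 11:  # archive written by a tainted process = staging for exfiltration
            if ev["pid"] in st.tainted and ev["target_filename"].lower().endswith(ARCHIVE_SUFFIXES):
                st.hit("staging")
    return {h: s.stages for h, s in hosts.items() if s.stages}


def full_chain_hosts(events):
    """Hosts on which all four stages were seen, in the order the article describes."""
    return sorted(h for h, stages in correlate(events).items() if stages == STAGE_ORDER)


# Constructed telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 1, "id": 1, "image": r"C:\Windows\SysWOW64\perfhost.exe", "pid": 4100,
     "parent_image": r"C:\Windows\System32\services.exe", "parent_pid": 700},
    {"host": "ws01", "ts": 2, "id": 8, "source_image": r"C:\Users\Public\update.exe", "source_pid": 5120,
     "target_image": r"C:\Windows\SysWOW64\perfhost.exe", "target_pid": 4100},
    {"host": "ws01", "ts": 3, "id": 3, "image": r"C:\Windows\SysWOW64\perfhost.exe", "pid": 4100,
     "dest": "203.0.113.10:443"},
    {"host": "ws01", "ts": 4, "id": 1, "image": r"C:\Windows\System32\cmd.exe", "pid": 5200,
     "parent_image": r"C:\Windows\SysWOW64\perfhost.exe", "parent_pid": 4100},
    {"host": "ws01", "ts": 5, "id": 1, "image": r"C:\Windows\System32\rundll32.exe", "pid": 5300,
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_pid": 5200},
    {"host": "ws01", "ts": 6, "id": 11, "image": r"C:\Windows\System32\cmd.exe", "pid": 5200,
     "target_filename": r"C:\Users\Public\Documents\data.rar"},
    {"host": "ws02", "ts": 1, "id": 1, "image": r"C:\Windows\System32\svchost.exe", "pid": 900,
     "parent_image": r"C:\Windows\System32\services.exe", "parent_pid": 700},
    {"host": "ws02", "ts": 2, "id": 3, "image": r"C:\Windows\System32\svchost.exe", "pid": 900,
     "dest": "10.0.0.5:53"},
    {"host": "ws02", "ts": 3, "id": 11, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "pid": 1200,
     "target_filename": r"C:\Users\alice\backup.rar"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))      # {'ws01': ['injection', 'c2', 'lolbin', 'staging']}
    print(full_chain_hosts(SAMPLE_EVENTS))  # ['ws01']
```

svchost.exe talks to the network all day, so its network connections only count once the specific instance is tainted; perfhost.exe is treated as never needing network access, which is the kind of per-binary baseline worth confirming in your own environment before deploying the rule.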

In addition to Merdoor, Lancefly has access to an updated version of the ZXShell rootkit. The newer build adds functions and can disable targeted antivirus software, showing that the tool is still under active development.

Overlaps with other known groups, including APT41 (aka Blackfly/Grayfly), HiddenLynx/APT17, and Iron Tiger (aka Budworm/APT27), have been observed in shared certificates, tools, and techniques. The evidence, however, is not strong enough to attribute Lancefly to any of them.

Lancefly’s activity is notable for the low prevalence of Merdoor and the narrow targeting of its attacks, which suggests a deliberate choice to keep a low profile and minimize the chance of detection. The sectors targeted and the tooling used point to a well-resourced intelligence-gathering operation. How the group adapts now that its tooling has been exposed remains to be seen.