Lancefly APT Custom Backdoor Targets Government and Aviation Sectors

An Advanced Persistent Threat (APT) group known as Lancefly has been observed deploying custom-crafted backdoors in attacks targeting organizations in South and Southeast Asia.

These campaigns have been ongoing for several years, according to new data from Symantec’s Threat Hunter team.

“Lancefly’s custom malware, dubbed Merdoor, is a powerful backdoor that appears to have been around since 2018,” reads an advisory published today by the company.

“Symantec researchers observed it used in some activity in 2020 and 2021, and in a recent campaign that lasted through the first quarter of 2023. One motive is believed to be information gathering.”


Over the years, Symantec said, the backdoor appeared on only a small number of networks and machines, indicating highly targeted use. Attackers in this campaign may also be armed with an updated version of the ZXShell rootkit.

“Starting in mid-2022 and continuing through 2023, the latest targets of the campaign are based in South and Southeast Asia and target sectors such as government, aviation, education and telecommunications,” Symantec added.

The company revealed that the Merdoor backdoor was used in attacks in 2020 and 2021 targeting victims in the same geographic locations in the government, telecommunications and technology sectors.

“Like this recent campaign, this campaign appears to be highly targeted, with only a small number of machines infected.”

Merdoor masquerades as a legitimate service and has keylogging capabilities. It can communicate with a command and control (C2) server in various ways and can also listen for commands on a local port.

The backdoor is typically injected into legitimate processes and distributed through self-extracting RAR droppers containing vulnerable binaries, a malicious loader (the Merdoor loader) and encrypted files (the Merdoor backdoor). Symantec also writes that some dropper variants use older versions of legitimate applications to sideload their DLLs.
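As an added example (not code from Symantec's advisory or from the Lancefly toolset), the following detection heuristic targets the sideloading pattern described above: a signed executable sitting outside its normal install locations loading an unsigned DLL from its own directory. The event fields, file paths and trusted-directory list are constructed assumptions, not telemetry from the campaign.

```python
"""Heuristic triage of DLL sideloading from image-load events.

Added example, not Symantec's or Lancefly's code. It flags the pattern
in which an older copy of a legitimate application is dropped into a
writable directory and loads an unsigned DLL from that same directory.
All events below are constructed sample telemetry.
"""
from dataclasses import dataclass
import ntpath

# Assumed normal install locations; loading from elsewhere is not proof
# of sideloading, only a reason to look closer.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the loading executable
    image_loaded: str    # full path of the DLL that was loaded
    dll_signed: bool     # DLL signature status as reported by the sensor
    exe_signed: bool     # executable signature status as reported by the sensor


def _dir(path: str) -> str:
    """Normalised, lower-cased directory of a Windows path, with trailing slash."""
    return ntpath.dirname(path.lower()).rstrip("\\") + "\\"


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed executable outside the trusted install locations
    loads an unsigned DLL from its own directory."""
    if not ev.exe_signed or ev.dll_signed:
        return False
    exe_dir = _dir(ev.process_image)
    if exe_dir.startswith(TRUSTED_DIRS):
        return False
    return exe_dir == _dir(ev.image_loaded)


def triage(events) -> list:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry with hypothetical paths and names.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\Libs\updater.exe", r"C:\Users\Public\Libs\version.dll", False, True),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Users\Public\Libs\updater.exe", r"C:\Windows\System32\kernel32.dll", True, True),
    ImageLoad(r"C:\Temp\tool.exe", r"C:\Temp\helper.dll", False, False),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("possible sideload:", ev.process_image, "->", ev.image_loaded)
```

Only the first sample event is flagged: the unsigned tool in the last event is suspicious for other reasons but does not match this particular sideloading pattern.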

“The Merdoor backdoor appears to have been around for several years, but only appears to have been used in a small number of attacks during that period,” the advisory reads. “The judicious use of this tool may indicate Lancefly’s desire to keep its activities low profile.”

Symantec’s discovery comes months after EclecticIQ threat researchers revealed a new Dark Pink campaign targeting government agencies in ASEAN (Association of Southeast Asian Nations) countries.
