Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

May 15, 2023 | Ravi Lakshmanan | Cyber Threat/Malware


Government, aviation, education and telecommunications organizations in South and Southeast Asia have come under surveillance by a new hacking group as part of a targeted campaign that began in mid-2022 and lasted through the first quarter of 2023.

Symantec, a Broadcom Software company, tracks this activity under the insect-themed moniker Lancefly. The attacks rely on a “powerful” backdoor called Merdoor.

Evidence collected so far indicates that custom implants were in use as far back as 2018. Based on the tools and victim patterns, the ultimate goal of this campaign is assessed to be information gathering.

“The backdoor is used very selectively, appearing on only a few networks and a few machines over the years, and its use appears to be highly targeted,” Symantec said in an analysis shared with The Hacker News.

“The attackers in this campaign also have access to an updated version of the ZXShell rootkit.”


The initial intrusion vector is not yet clear, but it is believed to have involved phishing lures, SSH brute-force attacks, or the exploitation of internet-exposed servers.
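Of the three suspected entry routes, SSH brute forcing is the one that leaves the clearest trail on the victim host. The following script is an added detection example, not code from the article or from Symantec's report: it parses constructed OpenSSH `auth.log` lines, keeps a per-source sliding window of failed logins, flags a source once it crosses a threshold, and, most importantly for triage, flags any accepted login from a source that was already in a burst, which is the pattern that distinguishes a successful brute force from background noise. The log lines, IP addresses, usernames and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth log lines (not taken from the article or any real host).
# 203.0.113.7 fails five times in eight seconds and then logs in as root;
# 198.51.100.9 is a user who mistyped once and then used a key.
SAMPLE_LOG = """\
May 14 02:11:01 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
May 14 02:11:03 gw sshd[4123]: Failed password for invalid user oracle from 203.0.113.7 port 51530 ssh2
May 14 02:11:04 gw sshd[4125]: Failed password for root from 203.0.113.7 port 51534 ssh2
May 14 02:11:06 gw sshd[4127]: Failed password for root from 203.0.113.7 port 51540 ssh2
May 14 02:11:08 gw sshd[4129]: Failed password for root from 203.0.113.7 port 51544 ssh2
May 14 02:11:09 gw sshd[4131]: Accepted password for root from 203.0.113.7 port 51550 ssh2
May 14 02:30:00 gw sshd[4200]: Failed password for alice from 198.51.100.9 port 40000 ssh2
May 14 02:31:00 gw sshd[4201]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2023):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None if it is not one.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sliding-window brute-force detector.

    Returns a list of (ip, finding) tuples in the order they fire:
      - (ip, "burst")                     once >= threshold failures land within window_s seconds
      - (ip, "success_after_burst:<user>") for every accepted login from an already-flagged source
    The second finding is the one worth paging on: it means the guessing worked.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        window = failures[ip]
        if result == "Failed":
            window.append(ts)
            # Drop failures that have aged out of the window.
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, "burst"))
        elif ip in flagged:
            findings.append((ip, f"success_after_burst:{user}"))
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

Run against a real `/var/log/auth.log` the same function works unchanged, provided the year is passed in; the only tuning knobs are the failure threshold and the window. A single failure followed by a key-based login, as for `198.51.100.9` above, never fires, which keeps the alert volume tied to actual guessing rather than to typos.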

The attack chain ultimately leads to the deployment of ZXShell and Merdoor, the latter a fully featured backdoor that can communicate with attacker-controlled servers to execute further commands and record keystrokes.

ZXShell is a rootkit with extensive capabilities for collecting sensitive data from infected hosts, first documented by Cisco in October 2014. ZXShell’s use has in the past been associated with various Chinese actors such as APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).

“Since the source code for this rootkit is publicly available, it may be used by several different groups,” Symantec said. “The new version of the rootkit used by Lancefly appears to be smaller in size, but also has additional functionality and is targeted to disable additional antivirus software.”

Another Chinese link comes from the fact that the ZXShell rootkit is signed with a certificate for “Wemade Entertainment Co. Ltd”, which Mandiant previously associated with APT41 (aka Winnti) in August 2019.


Lancefly intrusions have also been observed using PlugX and its successor ShadowPad. ShadowPad is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.

That said, attribution to specific known crews remains difficult because certificates and tools are widely shared among Chinese state-backed groups.

“The Merdoor backdoor appears to have been around for several years, but it appears to have been used in only a handful of attacks during that time,” notes Symantec. “The judicious use of this tool may indicate Lancefly’s desire to keep its activities low profile.”
