Lancefly APT targets government, aviation sector with custom backdoor

South and Southeast Asia-based organizations in the government, aviation, education, and telecommunication sectors are being targeted in ongoing attacks orchestrated by a threat actor dubbed “Lancefly,” which is possibly connected to China.

The attacks, discovered by Symantec's threat intelligence team, are part of a broader, highly targeted cyber-espionage campaign that began in mid-2022 and continued into the first quarter of 2023.

The campaign involved the group’s custom tool named “Merdoor,” a fully-featured backdoor that appears to have been developed in 2018. Symantec researchers observed it being used in some activity in 2020 and 2021 targeting the government, communications, and technology sectors.

The Merdoor backdoor is capable of installing itself as a service, keylogging, listening on a local port for commands, and using a variety of methods to communicate with its command and control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP).

While the exact infection vector used by Lancefly is not clear at present, the group is suspected to gain initial access via phishing, SSH brute-forcing, or the exploitation of internet-exposed servers.
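Of the three suspected initial-access routes, SSH brute-forcing is the one that leaves the clearest trail in host logs. The following script is an added example written for this page; it is not Symantec's tooling and does not come from the article. It parses constructed sshd log lines (sample data, not indicators from the campaign) and flags source addresses that exceed a failure threshold inside a time window, also recording whether a successful login followed the burst, which is the case worth triaging first. The threshold, the window, the syslog line format, and the assumed year for the timestamps are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog style, year omitted as on real hosts).
# The addresses are documentation ranges; nothing here is a real indicator.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 gw01 sshd[2201]: Failed password for root from 198.51.100.7 port 50112 ssh2
Mar  3 10:00:03 gw01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50114 ssh2
Mar  3 10:00:05 gw01 sshd[2205]: Failed password for root from 198.51.100.7 port 50116 ssh2
Mar  3 10:00:06 gw01 sshd[2206]: Failed password for invalid user oracle from 198.51.100.7 port 50118 ssh2
Mar  3 10:00:08 gw01 sshd[2208]: Failed password for root from 198.51.100.7 port 50120 ssh2
Mar  3 10:00:09 gw01 sshd[2209]: Accepted password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:30 gw01 sshd[2240]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Mar  3 10:02:00 gw01 sshd[2241]: Accepted publickey for alice from 203.0.113.9 port 41002 ssh2
Mar  3 10:20:00 gw01 sshd[2300]: Failed password for root from 192.0.2.55 port 60000 ssh2
Mar  3 10:21:00 gw01 sshd[2301]: Failed password for root from 192.0.2.55 port 60001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2023):
    """Parse one sshd line into a dict, or None if it is not an auth result.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: finding} for every source with >= threshold failed logins
    inside any sliding window of length `window`. The finding records the
    failure count, the usernames tried, and the user of the first successful
    login after the burst (None if the burst never succeeded)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            # Extend j while failures i..j all fall inside the window that starts at i.
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count < threshold:
                continue
            last_fail = fails[j]["ts"]
            success = next(
                (e for e in evs if e["result"] == "Accepted" and e["ts"] >= last_fail),
                None,
            )
            findings[ip] = {
                "failures": count,
                "users": sorted({e["user"] for e in fails[i:j + 1]}),
                "followed_by_success": success["user"] if success else None,
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f)
```

The sliding window, rather than a simple per-hour count, is what separates a real password-guessing burst from an operator mistyping a password a few times over a day; lowering the threshold and widening the window trades that precision for sensitivity against slow, patient guessing. The "followed_by_success" field is the one to alert on loudly: a burst of failures that ends in an accepted login is exactly the pattern that precedes a foothold.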

Lancefly has also been observed using an updated version of the ZXShell rootkit, first reported in 2014 by Cisco Talos researchers and previously linked to the Chinese threat actor APT41 (aka Blackfly/Grayfly), as well as the PlugX and ShadowPad remote access trojans. ShadowPad is a modular RAT believed to be used exclusively by Chinese APT groups.

“However, it is known that Chinese APT groups, such as APT41, often share certificates with other APT groups. The ZXShell backdoor has also previously been used by the HiddenLynx/APT17 group, but as the source code of ZXShell is now publicly available this does not provide a definitive link between these two groups,” Symantec noted.

“This recent Lancefly activity is of note due to its use of the Merdoor backdoor, but also the low prevalence of this backdoor and the seemingly highly targeted nature of these attacks. While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period. This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar,” the researchers said.
