15 May 2023

Lancefly APT targets government, aviation sector with custom backdoor

Organizations in South and Southeast Asia in the government, aviation, education, and telecommunications sectors are being targeted in ongoing attacks orchestrated by a threat actor dubbed “Lancefly,” which is possibly connected to China.

The attacks, discovered by Symantec’s threat intelligence team, are part of a broader, highly targeted cyber-espionage campaign that began in mid-2022 and continued into the first quarter of 2023.

The campaign involved the group’s custom tool named “Merdoor,” a fully-featured backdoor that appears to have been developed in 2018. Symantec researchers observed it being used in some activity in 2020 and 2021 targeting the government, communications, and technology sectors.

The Merdoor backdoor is capable of installing itself as a service, keylogging, listening on a local port for commands, and communicating with its command and control (C&C) server over a variety of protocols (HTTP, HTTPS, DNS, UDP, TCP).

While the exact infection vector used by Lancefly is not clear at present, the group is suspected of gaining initial access via phishing, SSH brute-forcing, or the exploitation of internet-exposed servers.

Lancefly has also been observed using an updated version of the ZXShell rootkit, first reported in 2014 by Cisco Talos researchers and previously linked to the Chinese threat actor APT41 (aka Blackfly/Grayfly), as well as the PlugX and ShadowPad remote access trojans. ShadowPad is a modular RAT believed to be used exclusively by Chinese APT groups.

“However, it is known that Chinese APT groups, such as APT41, often share certificates with other APT groups. The ZXShell backdoor has also previously been used by the HiddenLynx/APT17 group, but as the source code of ZXShell is now publicly available this does not provide a definitive link between these two groups,” Symantec noted.

“This recent Lancefly activity is of note due to its use of the Merdoor backdoor, but also the low prevalence of this backdoor and the seemingly highly targeted nature of these attacks. While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period. This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar,” the researchers said.
