The advanced persistent threat (APT) group known as Lancefly has been observed deploying a custom-written backdoor in attacks targeting organizations in South and Southeast Asia.
According to new findings from Symantec’s Threat Hunter Team, these campaigns have been ongoing for several years.
“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reads an advisory published by the company earlier today.
“Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.”
Read more on groups focused on intelligence gathering: Cranefly Hackers Use Stealthy Tactics to Deliver and Manage Malware
Symantec explained that over the years, the backdoor has only appeared on a handful of networks and machines, indicating highly targeted usage. The attackers in this campaign were also equipped with an updated version of the ZXShell rootkit.
“The targets in this most recent activity, which began in mid-2022 and continued into 2023, are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms,” Symantec added.
The company clarified that the Merdoor backdoor was used in attacks targeting victims in the government, communications and technology sectors in the same geographical areas in 2020 and 2021.
“Like this recent activity, that activity also appeared to be highly targeted, with only a small number of machines infected.”
Technically, Merdoor disguises itself as a legitimate service and has keylogging capabilities. It can communicate with its command-and-control (C2) server via several methods and listen for commands on a local port.
The backdoor is typically injected into legitimate processes and distributed via a self-extracting RAR dropper containing a vulnerable binary, a malicious loader (Merdoor loader) and an encrypted file (Merdoor backdoor). Symantec also wrote that some dropper variants exploit older versions of legitimate applications for DLL sideloading.
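The delivery chain described above (a legitimate, signed executable dropped alongside a malicious loader DLL) is the classic DLL-sideloading pattern, and it is visible in endpoint telemetry. The script below is an added example for this article, not Symantec’s tooling, and it encodes no Merdoor-specific indicator: it scans Sysmon-style image-load records (Event ID 7 field names `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) and flags cases where a process loads a DLL from its own directory, that directory is not a trusted install location, and the DLL is not validly signed. The sample events and the `TRUSTED_DIRS` list are constructed for illustration.

```python
"""Flag candidate DLL-sideloading events in Sysmon-style image-load records.

Added example for this article; not Symantec's code and not a Merdoor
signature. Field names follow Sysmon Event ID 7 (Image, ImageLoaded,
Signed, SignatureStatus). All sample events below are constructed.
"""
import ntpath

# Directories where a signed Windows binary legitimately keeps its own DLLs
# (constructed, minimal allow-list; extend for your environment).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def _dir(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def is_sideload_candidate(event):
    """Return True for the sideloading pattern the article describes:
    the DLL sits in the same directory as the process image, that
    directory is not a trusted install location (e.g. a temp or download
    folder), and the DLL does not carry a valid signature."""
    proc_dir = _dir(event["Image"])
    dll_dir = _dir(event["ImageLoaded"])
    if proc_dir != dll_dir:
        return False  # DLL resolved from elsewhere (e.g. System32)
    if proc_dir.startswith(TRUSTED_DIRS):
        return False  # vendor DLL next to vendor binary in an install dir
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    return not (signed and valid)


def find_sideload_candidates(events):
    """Return the subset of events that match the sideloading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry: one suspicious load, three benign ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("sideload candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The rule is deliberately conservative: a signed, valid DLL next to a signed binary in a user-writable directory still passes, so pair it with a check on the process image’s own signer and age when triaging, since the article notes the droppers rely on older versions of otherwise legitimate applications.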
“While the Merdoor backdoor appears to have been in existence for several years, it seems to only have been used in a small number of attacks in that time period,” reads the advisory. “This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.”
Symantec’s discovery comes a few months after threat researchers at EclecticIQ shed light on a new Dark Pink campaign targeting government entities in ASEAN (Association of Southeast Asian Nations) countries.