
Researchers have found that the Lancefly APT group is using a custom-written backdoor known as Merdoor in attacks targeting organizations in South and Southeast Asia as part of a long-running campaign.
Merdoor is a fully-featured backdoor that supports multiple capabilities, like installing itself as a service, keylogging, a variety of methods to communicate with its C2 server, and the ability to listen on a local port for commands.
Merdoor differs for the embedded and encrypted configuration, which includes the C2 communication method, service details, and the installation directory. It is injected into the legitimate processes perfhost.exe or svchost.exe.
The Merdoor dropper spread as a self-extracting RAR (SFX) that contains three files, a legitimate and signed binary vulnerable to DLL search-order hijacking, a malicious loader (Merdoor loader), and an encrypted file (.pak) containing final payload (Merdoor backdoor).
In the recent attacks, the APT group likely used phishing lures, SSH brute-forcing, or the exploitation of exposed public-facing servers.
Lancefly APT used multiple non-malware techniques for credential theft on victim machines, including
- PowerShell was used to launch rundll32.exe in order to dump the memory of a process using the MiniDump function of comsvcs.dll.
- Reg.exe was used to dump the SAM and SYSTEM registry hives.
- A legitimate tool by Avast was installed by the attackers and used to dump LSASS memory
The group was spotted using a masqueraded version of WinRAR to stage and encrypt files before exfiltration.
Researchers noticed that the ZXShell rootkit used by Lancefly APT group is signed by the certificate “Wemade Entertainment Co. Ltd”, which was used by the China-linked APT41. The ZXShell backdoor has also previously been used by the APT17 group, but the source code of ZXShell is now publicly available.
Lancefly was also observed using both PlugX and ShadowPad backdoors, which is associated with China-linked APT groups.
This research was documented by researchers from Symantec
Indicators of Compromise
- 13df2d19f6d2719beeff3b882df1d3c9131a292cf097b27a0ffca5f45e139581
- 8f64c25ba85f8b77cfba3701bebde119f610afef6d9a5965a3ed51a4a4b9dead
- 8e98eed2ec14621feda75e07379650c05ce509113ea8d949b7367ce00fc7cd38
- 89e503c2db245a3db713661d491807aab3d7621c6aff00766bc6add892411ddc
- c840e3cae2d280ff0b36eec2bf86ad35051906e484904136f0e478aa423d7744
- 5f16633dbf4e6ccf0b1d844b8ddfd56258dd6a2d1e4fb4641e2aa508d12a5075
- ff4c2a91a97859de316b434c8d0cd5a31acb82be8c62b2df6e78c47f85e57740
- 14edb3de511a6dc896181d3a1bc87d1b5c443e6aea9eeae70dbca042a426fcf3
- db5deded638829654fc1595327400ed2379c4a43e171870cfc0b5f015fad3a03
- e244d1ef975fcebb529f0590acf4e7a0a91e7958722a9f2f5c5c05a23dda1d2c
- f76e001a7ccf30af0706c9639ad3522fd8344ffbdf324307d8e82c5d52d350f2
- dc182a0f39c5bb1c3a7ae259f06f338bb3d51a03e5b42903854cdc51d06fced6
- fa5f32457d0ac4ec0a7e69464b57144c257a55e6367ff9410cf7d77ac5b20949
- fe7a6954e18feddeeb6fcdaaa8ac9248c8185703c2505d7f249b03d8d8897104
- 341d8274cc1c53191458c8bbc746f428856295f86a61ab96c56cd97ee8736200
- f3478ccd0e417f0dc3ba1d7d448be8725193a1e69f884a36a8c97006bf0aa0f4
- 750b541a5f43b0332ac32ec04329156157bf920f6a992113a140baab15fa4bd3
- 9f00cee1360a2035133e5b4568e890642eb556edd7c2e2f5600cf6e0bdcd5774
- a9051dc5e6c06a8904bd8c82cdd6e6bd300994544af2eed72fe82df5f3336fc0
- d62596889938442c34f9132c9587d1f35329925e011465c48c94aa4657c056c7
- f0003e08c34f4f419c3304a2f87f10c514c2ade2c90a830b12fdf31d81b0af57
- 139c39e0dc8f8f4eb9b25b20669b4f30ffcbe2197e3a9f69d0043107d06a2cb4
- 11bb47cb7e51f5b7c42ce26cbff25c2728fa1163420f308a8b2045103978caf5
- 0abc1d12ef612490e37eedb1dd1833450b383349f13ddd3380b45f7aaabc8a75
- eb3b4e82ddfdb118d700a853587c9589c93879f62f576e104a62bdaa5a338d7b
- 1ab4f52ff4e4f3aa992a77d0d36d52e796999d6fc1a109b9ae092a5d7492b7dd
- fae713e25b667f1c42ebbea239f7b1e13ba5dc99b225251a82e65608b3710be7
- 1f09d177c99d429ae440393ac9835183d6fd1f1af596089cc01b68021e2e29a7
- 180970fce4a226de05df6d22339dd4ae03dfd5e451dcf2d464b663e86c824b8e
- a6020794bd6749e0765966cd65ca6d5511581f47cc2b38e41cb1e7fddaa0b221
- 592e237925243cf65d30a0c95c91733db593da64c96281b70917a038da9156ae
- 929b771eabef5aa9e3fba8b6249a8796146a3a4febfd4e992d99327e533f9798
- 009d8d1594e9c8bc40a95590287f373776a62dad213963662da8c859a10ef3b4
- ef08f376128b7afcd7912f67e2a90513626e2081fe9f93146983eb913c50c3a8
- ee486e93f091a7ef98ee7e19562838565f3358caeff8f7d99c29a7e8c0286b28
- 32d837a4a32618cc9fc1386f0f74ecf526b16b6d9ab6c5f90fb5158012fe2f8c
- d5df686bb202279ab56295252650b2c7c24f350d1a87a8a699f6034a8c0dd849
- a1f9b76ddfdafc47d4a63a04313c577c0c2ffc6202083422b52a00803fd8193d
- 3ce38a2fc896b75c2f605c135297c4e0cddc9d93fc5b53fe0b92360781b5b94e
- 210934a2cc59e1f5af39aa5a18aae1d8c5da95d1a8f34c9cfc3ab42ecd37ac92
- 530c7d705d426ed61c6be85a3b2b49fd7b839e27f3af60eb16c5616827a2a436
- 5018fe25b7eac7dd7bc30c7747820e3c1649b537f11dbaa9ce6b788b361133bf
- efa9e9e5da6fba14cb60cba5dbd3f180cb8f2bd153ca78bbacd03c270aefd894
- a5a4dacddfc07ec9051fb7914a19f65c58aad44bbd3740d7b2b995262bd0c09e
- 10b96290a17511ee7a772fcc254077f62a8045753129d73f0804f3da577d2793
- 0dcfcdf92e85191de192b4478aba039cb1e1041b1ae7764555307e257aa566a7
- 415f9dc11fe242b7a548be09a51a42a4b5c0f9bc5c32aeffe7a98940b9c7fc04
- 947f7355aa6068ae38df876b2847d99a6ca458d67652e3f1486b6233db336088
- 8d77fe4370c864167c1a712d0cc8fe124b10bd9d157ea59db58b42dea5007b63
- d8cc2dc0a96126d71ed1fce73017d5b7c91465ccd4cdcff71712381af788c16d
- e94a5bd23da1c6b4b8aec43314d4e5346178abe0584a43fa4a204f4a3f7464b9
- 5655a2981fa4821fe09c997c84839c16d582d65243c782f45e14c96a977c594e
- 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169
- 41d174514ed71267aaff578340ff83ef00dbb07cb644d2b1302a18aa1ca5d2d0
- 67ebc03e4fbf1854a403ea1a3c6d9b19fd9dc2ae24c7048aafbbff76f1bea675
- f92cac1121271c2e55b34d4e493cb64cdb0d4626ee30dc77016eb7021bf63414
- 859e76b6cda203e84a7b234c5cba169a7a02bf028a5b75e2ca8f1a35c4884065
- fcdec9d9b195b8ed827fb46f1530502816fe6a04b1f5e740fda2b126df2d9fd5
- 9584df964369c1141f9fc234c64253d8baeb9d7e3739b157db5f3607292787f2
- 711a347708e6d94da01e4ee3b6cdb9bcc96ebd8d95f35a14e1b67def2271b2e9
- f040a173b954cdeadede3203a2021093b0458ed23727f849fc4c2676c67e25db
- 90edb2c7c3ba86fecc90e80ac339a42bd89fbaa3f07d96d68835725b2e9de3ba
- b0d25b06e59b4cca93e40992fa0c0f36576364fcf1aca99160fd2a1faa5677a2
- 4c55f48b37f3e4b83b6757109b6ee0a661876b41428345239007882993127397
- 3e1c8d982b1257471ab1660b40112adf54f762c570091496b8623b0082840e9f
- 9830f6abec64b276c9f327cf7c6817ad474b66ea61e4adcb8f914b324da46627
- 79ae300ac4f1bc7636fe44ce2faa7e5556493f7013fc5c0a3863f28df86a2060