December 9, 2023

Researchers have found that the Lancefly APT group is using a custom-written backdoor known as Merdoor in attacks targeting organizations in South and Southeast Asia as part of a long-running campaign.

Merdoor is a fully-featured backdoor that supports multiple capabilities, like installing itself as a service, keylogging, a variety of methods to communicate with its C2 server, and the ability to listen on a local port for commands.

Merdoor differs for the embedded and encrypted configuration, which includes the C2 communication method, service details, and the installation directory. It is injected into the legitimate processes perfhost.exe or svchost.exe.

Advertisements

The Merdoor dropper spread as a self-extracting RAR (SFX) that contains three files, a legitimate and signed binary vulnerable to DLL search-order hijacking, a malicious loader (Merdoor loader), and an encrypted file (.pak) containing final payload (Merdoor backdoor).

In the recent attacks, the APT group likely used phishing lures, SSH brute-forcing, or the exploitation of exposed public-facing servers.

Lancefly APT used multiple non-malware techniques for credential theft on victim machines, including

  • PowerShell was used to launch rundll32.exe in order to dump the memory of a process using the MiniDump function of comsvcs.dll.
  • Reg.exe was used to dump the SAM and SYSTEM registry hives.
  • A legitimate tool by Avast was installed by the attackers and used to dump LSASS memory

The group was spotted using a masqueraded version of WinRAR to stage and encrypt files before exfiltration.

Researchers noticed that the ZXShell rootkit used by Lancefly APT group is signed by the certificate “Wemade Entertainment Co. Ltd”, which was used by the China-linked APT41. The ZXShell backdoor has also previously been used by the APT17 group, but the source code of ZXShell is now publicly available.

Advertisements

Lancefly was also observed using both PlugX  and  ShadowPad backdoors, which is associated with China-linked APT groups.

This research was documented by researchers from Symantec

Indicators of Compromise

  • 13df2d19f6d2719beeff3b882df1d3c9131a292cf097b27a0ffca5f45e139581
  • 8f64c25ba85f8b77cfba3701bebde119f610afef6d9a5965a3ed51a4a4b9dead
  • 8e98eed2ec14621feda75e07379650c05ce509113ea8d949b7367ce00fc7cd38
  • 89e503c2db245a3db713661d491807aab3d7621c6aff00766bc6add892411ddc
  • c840e3cae2d280ff0b36eec2bf86ad35051906e484904136f0e478aa423d7744
  • 5f16633dbf4e6ccf0b1d844b8ddfd56258dd6a2d1e4fb4641e2aa508d12a5075
  • ff4c2a91a97859de316b434c8d0cd5a31acb82be8c62b2df6e78c47f85e57740
  • 14edb3de511a6dc896181d3a1bc87d1b5c443e6aea9eeae70dbca042a426fcf3
  • db5deded638829654fc1595327400ed2379c4a43e171870cfc0b5f015fad3a03
  • e244d1ef975fcebb529f0590acf4e7a0a91e7958722a9f2f5c5c05a23dda1d2c
  • f76e001a7ccf30af0706c9639ad3522fd8344ffbdf324307d8e82c5d52d350f2
  • dc182a0f39c5bb1c3a7ae259f06f338bb3d51a03e5b42903854cdc51d06fced6
  • fa5f32457d0ac4ec0a7e69464b57144c257a55e6367ff9410cf7d77ac5b20949
  • fe7a6954e18feddeeb6fcdaaa8ac9248c8185703c2505d7f249b03d8d8897104
  • 341d8274cc1c53191458c8bbc746f428856295f86a61ab96c56cd97ee8736200
  • f3478ccd0e417f0dc3ba1d7d448be8725193a1e69f884a36a8c97006bf0aa0f4
  • 750b541a5f43b0332ac32ec04329156157bf920f6a992113a140baab15fa4bd3
  • 9f00cee1360a2035133e5b4568e890642eb556edd7c2e2f5600cf6e0bdcd5774
  • a9051dc5e6c06a8904bd8c82cdd6e6bd300994544af2eed72fe82df5f3336fc0
  • d62596889938442c34f9132c9587d1f35329925e011465c48c94aa4657c056c7
  • f0003e08c34f4f419c3304a2f87f10c514c2ade2c90a830b12fdf31d81b0af57
  • 139c39e0dc8f8f4eb9b25b20669b4f30ffcbe2197e3a9f69d0043107d06a2cb4
  • 11bb47cb7e51f5b7c42ce26cbff25c2728fa1163420f308a8b2045103978caf5
  • 0abc1d12ef612490e37eedb1dd1833450b383349f13ddd3380b45f7aaabc8a75
  • eb3b4e82ddfdb118d700a853587c9589c93879f62f576e104a62bdaa5a338d7b
  • 1ab4f52ff4e4f3aa992a77d0d36d52e796999d6fc1a109b9ae092a5d7492b7dd
  • fae713e25b667f1c42ebbea239f7b1e13ba5dc99b225251a82e65608b3710be7
  • 1f09d177c99d429ae440393ac9835183d6fd1f1af596089cc01b68021e2e29a7
  • 180970fce4a226de05df6d22339dd4ae03dfd5e451dcf2d464b663e86c824b8e
  • a6020794bd6749e0765966cd65ca6d5511581f47cc2b38e41cb1e7fddaa0b221
  • 592e237925243cf65d30a0c95c91733db593da64c96281b70917a038da9156ae
  • 929b771eabef5aa9e3fba8b6249a8796146a3a4febfd4e992d99327e533f9798
  • 009d8d1594e9c8bc40a95590287f373776a62dad213963662da8c859a10ef3b4
  • ef08f376128b7afcd7912f67e2a90513626e2081fe9f93146983eb913c50c3a8
  • ee486e93f091a7ef98ee7e19562838565f3358caeff8f7d99c29a7e8c0286b28
  • 32d837a4a32618cc9fc1386f0f74ecf526b16b6d9ab6c5f90fb5158012fe2f8c
  • d5df686bb202279ab56295252650b2c7c24f350d1a87a8a699f6034a8c0dd849
  • a1f9b76ddfdafc47d4a63a04313c577c0c2ffc6202083422b52a00803fd8193d
  • 3ce38a2fc896b75c2f605c135297c4e0cddc9d93fc5b53fe0b92360781b5b94e
  • 210934a2cc59e1f5af39aa5a18aae1d8c5da95d1a8f34c9cfc3ab42ecd37ac92
  • 530c7d705d426ed61c6be85a3b2b49fd7b839e27f3af60eb16c5616827a2a436
  • 5018fe25b7eac7dd7bc30c7747820e3c1649b537f11dbaa9ce6b788b361133bf
  • efa9e9e5da6fba14cb60cba5dbd3f180cb8f2bd153ca78bbacd03c270aefd894
  • a5a4dacddfc07ec9051fb7914a19f65c58aad44bbd3740d7b2b995262bd0c09e
  • 10b96290a17511ee7a772fcc254077f62a8045753129d73f0804f3da577d2793
  • 0dcfcdf92e85191de192b4478aba039cb1e1041b1ae7764555307e257aa566a7
  • 415f9dc11fe242b7a548be09a51a42a4b5c0f9bc5c32aeffe7a98940b9c7fc04
  • 947f7355aa6068ae38df876b2847d99a6ca458d67652e3f1486b6233db336088
  • 8d77fe4370c864167c1a712d0cc8fe124b10bd9d157ea59db58b42dea5007b63
  • d8cc2dc0a96126d71ed1fce73017d5b7c91465ccd4cdcff71712381af788c16d
  • e94a5bd23da1c6b4b8aec43314d4e5346178abe0584a43fa4a204f4a3f7464b9
  • 5655a2981fa4821fe09c997c84839c16d582d65243c782f45e14c96a977c594e
  • 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169
  • 41d174514ed71267aaff578340ff83ef00dbb07cb644d2b1302a18aa1ca5d2d0
  • 67ebc03e4fbf1854a403ea1a3c6d9b19fd9dc2ae24c7048aafbbff76f1bea675
  • f92cac1121271c2e55b34d4e493cb64cdb0d4626ee30dc77016eb7021bf63414
  • 859e76b6cda203e84a7b234c5cba169a7a02bf028a5b75e2ca8f1a35c4884065
  • fcdec9d9b195b8ed827fb46f1530502816fe6a04b1f5e740fda2b126df2d9fd5
  • 9584df964369c1141f9fc234c64253d8baeb9d7e3739b157db5f3607292787f2
  • 711a347708e6d94da01e4ee3b6cdb9bcc96ebd8d95f35a14e1b67def2271b2e9
  • f040a173b954cdeadede3203a2021093b0458ed23727f849fc4c2676c67e25db
  • 90edb2c7c3ba86fecc90e80ac339a42bd89fbaa3f07d96d68835725b2e9de3ba
  • b0d25b06e59b4cca93e40992fa0c0f36576364fcf1aca99160fd2a1faa5677a2
  • 4c55f48b37f3e4b83b6757109b6ee0a661876b41428345239007882993127397
  • 3e1c8d982b1257471ab1660b40112adf54f762c570091496b8623b0082840e9f
  • 9830f6abec64b276c9f327cf7c6817ad474b66ea61e4adcb8f914b324da46627
  • 79ae300ac4f1bc7636fe44ce2faa7e5556493f7013fc5c0a3863f28df86a2060
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Apache Struts fixes Critical Vulnerability – CVE-2023-50164

December 8, 2023

Meta enables Messenger with E2EE by Default

December 8, 2023 2

CISA KEV Update Part II – December 2023

December 7, 2023

Atlassian fixes critical RCE vulnerabilities in its products

December 6, 2023

Microsoft Echo’s on APT 28 exploiting CVE-2023-23397

December 5, 2023

Papercut Privilege Escalation Vulnerability Unearthed

December 5, 2023
%d