Lancefly APT Targeting Asian Government Organizations for Years

A threat actor tracked as Lancefly has been targeting government organizations in South and Southeast Asia for at least three years.

For at least three years, an advanced persistent threat (APT) actor has been targeting government organizations in South and Southeast Asia for intelligence gathering, Symantec reports.

Dubbed Lancefly, the APT has been actively targeting government organizations in the region since 2020, but also hit communications and technology organizations between 2020 and 2021, and entities in the aviation, education, and telecoms sectors since mid-2022.

Since 2020, the group has been relying on the Merdoor backdoor in its attacks, deploying it via phishing, SSH brute forcing, and vulnerable public-facing assets. The observed attacks are highly targeted, suggesting that the group has been focused on remaining under the radar.

Around since at least 2018, Merdoor is injected into legitimate processes using a dropper, which was seen abusing older versions of legitimate applications from McAfee, Sophos, Google, Avast, and Norton for DLL sideloading.

On the infected machine, the backdoor installs itself as a service. It includes multiple command-and-control (C&C) communication methods, listens on local ports to receive commands, and has keylogging capabilities.

As part of the analyzed Lancefly attacks, victim credentials were stolen by dumping process memory, the SAM and SYSTEM registry hives, and the memory of the LSASS process.
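A defender-side illustration, added here and not taken from Symantec's report: the credential-theft techniques described above (saving the SAM and SYSTEM hives, reading LSASS memory) leave process-creation and process-access telemetry that a small detector can flag. The events below are constructed samples modelled loosely on Sysmon Event ID 1 and Event ID 10 fields; the field names, the access-mask bit checked and the source-image allowlist are assumptions, not values from the article.

```python
import re

# Constructed sample events (not from the Symantec report).
# id 1 = process creation, id 10 = process access (Sysmon-style field names assumed).
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv"},
    {"id": 1, "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv"},
    {"id": 10, "source": "C:\\Users\\Public\\dumper.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1FFFFF},
    {"id": 10, "source": "C:\\Windows\\System32\\csrss.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1400},
    {"id": 1, "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft"},
]

# "reg save" of the SAM, SYSTEM or SECURITY hive; ordinary "reg query" does not match.
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm\\)?(sam|system|security)\b", re.I)

# PROCESS_VM_READ (0x0010) is the bit a process needs to read another process's memory.
LSASS_READ_BIT = 0x0010

# Assumed allowlist: system binaries that legitimately open LSASS are not alerted on.
TRUSTED_SOURCE_PREFIX = "c:\\windows\\system32\\"


def detect_credential_dumping(events):
    """Return a list of (rule, detail, evidence) tuples for suspicious events."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            m = HIVE_SAVE.search(ev["cmdline"])
            if m:
                alerts.append(("hive_dump", m.group(1).upper(), ev["cmdline"]))
        elif ev["id"] == 10 and ev["target"].lower().endswith("\\lsass.exe"):
            reads_memory = bool(ev["access"] & LSASS_READ_BIT)
            trusted = ev["source"].lower().startswith(TRUSTED_SOURCE_PREFIX)
            if reads_memory and not trusted:
                alerts.append(("lsass_access", ev["source"], hex(ev["access"])))
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_dumping(SAMPLE_EVENTS):
        print(alert)
```

Running the block flags the two hive saves and the LSASS read from the untrusted image, while the csrss.exe query-only access and the harmless reg query produce no alert.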

In addition to Merdoor, the APT was also seen using tools such as Impacket Atexec, WinRAR, LSASS Dumper, NBTScan, and the Blackloader and Prcloader loaders, as well as an updated version of the ZXShell rootkit.

The rootkit was first detailed in 2014 and its source code has been publicly available for years. Some of the observed rootkit samples, Symantec notes, include an embedded variant of the ZXShell backdoor.


The ZXShell rootkit variant used in Lancefly attacks shows possible links to Chinese threat actors such as APT41 (aka Blackfly/Grayfly), via the signing certificate, and Iron Tiger (aka Budworm/APT27), via files used by a loader component.

Iron Tiger, Symantec explains, used the same files to load the PlugX RAT, which Lancefly relies on as well. Furthermore, the APT also uses the ShadowPad RAT.

According to Symantec, while these links may suggest affiliation to other APTs, they are not conclusive, especially since Chinese threat actors are known to share tools.

“While these overlaps and shared tools may indicate some links between Lancefly activity and activity by other APT groups, none of the overlaps are strong enough to attribute this activity and the development of the Merdoor backdoor to an already-known attack group,” Symantec concludes.

Related: Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks

Related: Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Related: EU Organizations Warned of Chinese APT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
