
Lancefly APT Targeting Asian Government Organizations for Years

A threat actor tracked as Lancefly has been targeting government organizations in South and Southeast Asia for at least three years.

For at least three years, an advanced persistent threat (APT) actor has been targeting government organizations in South and Southeast Asia for intelligence gathering, Symantec reports.

Dubbed Lancefly, the APT has been actively targeting government organizations in the region since 2020, but also hit communications and technology organizations between 2020 and 2021, and entities in the aviation, education, and telecoms sectors since mid-2022.

Since 2020, the group has been relying on the Merdoor backdoor in its attacks, deploying it via phishing, SSH brute forcing, and vulnerable public-facing assets. The observed attacks are highly targeted, suggesting that the group has been focused on remaining under the radar.

Around since at least 2018, Merdoor is injected into legitimate processes by a dropper that has been observed abusing older versions of legitimate applications from McAfee, Sophos, Google, Avast, and Norton for DLL sideloading.

On the infected machine, the backdoor installs itself as a service. It supports multiple command-and-control (C&C) communication methods, listens on local ports to receive commands, and has keylogging capabilities.

As part of the analyzed Lancefly attacks, victim credentials were stolen by dumping process memory, the SAM and SYSTEM registry hives, and LSASS memory.

In addition to Merdoor, the APT was also seen using tools such as Impacket Atexec, WinRAR, LSASS Dumper, NBTScan, and the Blackloader and Prcloader loaders, as well as an updated version of the ZXShell rootkit.

The rootkit was first detailed in 2014 and its source code has been publicly available for years. Some of the observed rootkit samples, Symantec notes, include an embedded variant of the ZXShell backdoor.


The ZXShell rootkit variant used in Lancefly attacks shows possible links to Chinese threat actors such as APT41 (aka Blackfly/Grayfly), via the signing certificate, and Iron Tiger (aka Budworm/APT27), via files used by a loader component.

Iron Tiger, Symantec explains, used the same files to load the PlugX RAT, which Lancefly relies on as well. The APT also uses the ShadowPad RAT.

According to Symantec, while these links may suggest affiliation to other APTs, they are not conclusive, especially since Chinese threat actors are known to share tools.

“While these overlaps and shared tools may indicate some links between Lancefly activity and activity by other APT groups, none of the overlaps are strong enough to attribute this activity and the development of the Merdoor backdoor to an already-known attack group,” Symantec concludes.

Related: Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks

Related: Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Related: EU Organizations Warned of Chinese APT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
