Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign
Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023.
Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker Lancefly, with the attacks making use of a “powerful” backdoor called Merdoor.
Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering.
“The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted,” Symantec said in an analysis shared with The Hacker News.
“The attackers in this campaign also have access to an updated version of the ZXShell rootkit.”
While the exact initial intrusion vector used is currently not clear, it’s suspected to have involved the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers.
The attack chains ultimately lead to the deployment of ZXShell and Merdoor, a fully-featured malware that can communicate with an actor-controlled server for further commands and log keystrokes.
ZXShell, first documented by Cisco in October 2014, is a rootkit that comes with various features to harvest sensitive data from infected hosts. The use of ZXShell has been linked to various Chinese actors like APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda) in the past.
“The source code of this rootkit is publicly available so it may be used by multiple different groups,” Symantec said. “The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable.”
Another Chinese link comes from the fact that the ZXShell rootkit is signed by the certificate “Wemade Entertainment Co. Ltd,” which was previously reported by Mandiant in August 2019 to be associated with APT41 (aka Winnti).
Lancefly’s intrusions have also been identified as employing PlugX and its successor ShadowPad, the latter of which is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.
That said, it’s also known that certificate and tool sharing is prevalent among Chinese state-sponsored groups, making attribution to a specific known attack crew difficult.
“While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period,” Symantec noted. “This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.”