Stealthy MerDoor malware uncovered after five years of attacks

A new APT hacking group dubbed Lancefly uses a custom ‘Merdoor’ backdoor malware to target government, aviation, and telecommunication organizations in South and Southeast Asia.

The Symantec Threat Labs revealed today that Lancefly has been deploying the stealthy Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and perform keylogging on corporate networks.

“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reveals the new Symantec report.

“Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.”

Lancefly is believed to focus on cyber-espionage, aiming to collect intelligence from its victims’ networks over extensive periods.

A wide attack chain

Symantec hasn’t discovered the initial infection vector used by Lancefly. However, it has found evidence that the threat group uses phishing emails, SSH credentials brute forcing, and public-facing server vulnerabilities exploitation for unauthorized access over the years.

Once the attackers establish a presence on the target’s system, they inject the Merdoor backdoor via DLL side-loading into either ‘perfhost.exe’ or ‘svchost.exe,’ both legitimate Windows processes that help the malware evade detection.

Legitimate apps used for sideloading Merdoor
Legitimate software used for side-loading Merdoor (Symantec)

Merdoor helps Lancefly maintain their access and foothold on the victim’s system, installing itself as a service that persists between reboots.

Merdoor then establishes communications with the C2 server using one of the several supported communication protocols (HTTP, HTTPS, DNS, UDP, and TCP) and waits for instructions.

Apart from supporting data exchange with the C2 server, Merdoor can also accept commands by listening to local ports; however, Symantec’s analysts have not provided any specific examples.

The backdoor also records user keystrokes to capture potentially valuable information such as usernames, passwords, or other secrets.

Lancefly has also been observed using Impacket’s ‘Atexec’ feature to immediately execute a scheduled task on a remote machine via SMB. It is believed that the threat actors are using this feature to spread laterally to other devices on the network or delete output files created from other commands.

The attackers attempt to steal credentials by dumping the LSASS process’s memory or stealing the SAM and SYSTEM registry hives.

Finally, Lancefly encrypts stolen files using a masqueraded version of the WinRAR archiving tool and then exfiltrates the data, most likely using Merdoor.

ZXShell rootkit

The use of a newer, lighter, and more feature-rich version of the ZXShell rootkit was also observed in Lancefly attacks.

The rootkit’s loader, “FormDII.dll,” exports functions that can be used to drop payloads that match the host’s system architecture, read and execute shellcode from a file, kill processes, and more.

The rootkit also uses an installation and updating utility that shares common code with the Merdoor loader, indicating that Lancefly uses a shared codebase for their tools.

ZXShell’s installation functionality supports service creation, hijacking, and launching, registry modification, and compressing a copy of its own executable for evasion and resilience.

Links to China

The ZXShell rootkit loosely connects Lancefly to other Chinese APT groups that have used the tool in attacks, including APT17 and APT41.

However, the link is weak because the rootkit’s source code has been publicly available for several years.

Lancefly’s “formdll.dll” name for the rootkit loader has been previously reported in a campaign of APT27, aka “Budworm.”

However, it is unclear if this is a purposeful choice to misdirect analysts and make attribution harder.

An element that further backs the hypothesis of Lancefly being of Chinese origin is the observed use of the PlugX and ShadowPad RATs (remote access trojans), which are shared among several Chinese APT groups.


(c) Bill Toulas