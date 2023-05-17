



Lancefly APT Group targets Southeast Asian organizations with custom-written malware

Prajeet Nair (@prajeetspeaks)

May 16, 2023

A hacker uses a tailor-made backdoor to target organizations operating in South and Southeast Asia. Sectors at immediate risk include government, aviation, education and telecommunications.

The Lancefly APT group uses custom-written malware dubbed Merdoor by researchers from Symantec's Threat Hunter team. "The motivation behind previous campaigns is believed to be intelligence gathering," the researchers said.

Attackers in the latest campaign have access to an updated version of the ZXShell rootkit, capable of disabling additional antivirus software.

Merdoor's functionality includes logging keystrokes and using various methods to communicate with its command-and-control server, and it is able to listen for commands on a local port. The researchers found that the instances of the Merdoor backdoor are identical except for their communication method with the C2 server, service details and installation directory. They said the backdoor usually executes its code inside the legitimate Windows processes perfhost.exe and svchost.exe.

The Merdoor dropper is a self-extracting archive that contains three files: a signed binary vulnerable to DLL search order hijacking, a malicious loader known as the Merdoor loader, and an encrypted file containing the final payload, the Merdoor backdoor. When executed, the dropper extracts the embedded files and runs the legitimate binary, which in turn loads the Merdoor loader. The researchers saw the dropper using older versions of five different legitimate applications for DLL sideloading: McAfee SiteAdvisor, Sophos SafeStore Restore, Google Chrome Frame, Avast wsc_proxy and Norton Identity Safe.

The ZXShell rootkit used by Lancefly is signed with the "Wemade Entertainment Co. Ltd" certificate, previously associated with APT41, also known as BlackFly.
“It is known that Chinese APT groups, such as APT41, often share certificates with other APT groups. publicly available, it does not provide a definitive link between these two groups,” the researchers said.
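The sideloading pattern described above (a signed host binary unpacked by a dropper, then loading a malicious DLL placed next to it) can be hunted for in image-load telemetry. The following Python is an added example, not code from the article or from Symantec: it checks Sysmon-style Event ID 7 records for a signed host loading an unsigned or differently-signed DLL from its own directory, and flags signed hosts running outside the usual install roots. The events, paths and signer names are constructed samples, not real telemetry.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Where vendor-signed applications normally live. A signed host that a dropper has
# unpacked into a temp or download folder (as the Merdoor dropper does) fails this check.
TRUSTED_INSTALL_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record."""
    image: str           # executable of the loading process
    image_loaded: str    # DLL that was mapped into it
    process_signer: str  # signer of `image`, "" if unsigned
    dll_signer: str      # signer of `image_loaded`, "" if unsigned


def _under_trusted_root(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(root.lower() + "\\") for root in TRUSTED_INSTALL_ROOTS)


def sideload_findings(events):
    """Return (host exe, dll, reasons) for loads that look like DLL search-order hijacking."""
    findings = []
    for ev in events:
        if not ev.process_signer:
            continue  # the pattern abuses a *signed* host; unsigned hosts are a different hunt
        exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
        if exe.parent != dll.parent:
            continue  # a hijacked DLL sits beside the host so it wins the search order
        reasons = []
        if not ev.dll_signer:
            reasons.append("unsigned DLL loaded from the host's own directory")
        elif ev.dll_signer != ev.process_signer:
            reasons.append(f"DLL signer '{ev.dll_signer}' differs from host signer")
        if not _under_trusted_root(ev.image):
            reasons.append("signed host running outside a standard install root")
        if reasons:
            findings.append((ev.image, ev.image_loaded, reasons))
    return findings


# Constructed sample events: paths, DLL name and signer strings are illustrative only.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\SampleAV\wsc_proxy.exe", r"C:\Program Files\SampleAV\helper.dll",
              "Sample AV Vendor", "Sample AV Vendor"),  # normal: same signer, standard install root
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\wsc_proxy.exe",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Sample AV Vendor", ""),  # dropper pattern
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\wsc_proxy.exe",
              r"C:\Windows\System32\kernel32.dll", "Sample AV Vendor", "Microsoft Windows"),  # OS DLL
]

if __name__ == "__main__":
    for host, dll, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"{host} -> {dll}: {'; '.join(reasons)}")
```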

