Merdoor Backdoor Exploits Agencies By The Lancefly APT

By   Olivia William
Writer , Information Security Buzz | May 15, 2023 01:56 pm PST

South and Southeast Asian government, airline, and telecom institutions have been targeted by a new APT hacking outfit called Lancefly, which employs a variant of the ‘Merdoor’ backdoor malware.

Symantec Threat Labs announced today that Lancefly has been using the stealthy Merdoor backdoor in targeted attacks against businesses since 2018. This allows the attackers to remain persistent, issue instructions, and collect keystroke data.

According to the latest Symantec research, “Lancefly’s bespoke malware, which we have termed Merdoor, is a formidable backdoor that looks to have existed since 2018.

Researchers at Symantec saw it in action in 2020 and 2021, and this latest campaign carried on until the first quarter of 2023. Intelligence gathering is assumed to be the driving force behind both of these efforts.

According to experts, Lancefly is primarily interested in cyber-espionage and plans to spend a long time gathering data from the networks of its victims.

The primary infection vector utilized by Lancefly has not yet been found by Symantec. However, over time, it has discovered evidence that the threat organization exploits public-facing server vulnerabilities, SSH credentials, and phishing emails to gain unauthorized access.

After gaining access to the victim’s machine, attackers inject the Merdoor backdoor through DLL side-loading into either ‘perfhost.exe’ or’svchost.exe,’ both of which are legal Windows processes that the malware can use to avoid detection.

By installing itself as a service that stays in place even after a system reboot, Merdoor makes it easier for Lancefly to keep a footing on the victim’s machine.

Merdoor connects to the C2 server through one of the several available protocols (HTTP, HTTPS, DNS, UDP, and TCP) and waits for commands.

Symantec’s experts have not offered any examples. However, Merdoor can take commands via listening on local ports in addition to facilitating data interchange with the C2 server.

The keystrokes of the user are also recorded by the backdoor, which could be used to steal sensitive data.

SMB traffic analysis has revealed that Lancefly makes use of the ‘Atexec’ capability of Impacket to quickly launch a predetermined task on a remote machine. It is thought that the threat actors are utilizing this function to either remove output files generated by other commands or to afterward spread to other devices on the network.

Attackers try to get their hands on credentials by stealing them from the SAM and SYSTEM registry hives or dumping the memory of the LSASS process. Finally, Lancefly uses a fake version of the popular WinRAR archiver to encrypt stolen files before removing them, perhaps with Merdoor.

It was also discovered that the ZXShell rootkit was being used in Lancefly assaults, but a newer, lighter, and more feature-rich version was being used.

“FormDII.dll,” the rootkit’s loader, exports features that can be used to drop payloads tailored to the host’s system architecture, read and execute shellcode from a file, terminate processes, and more.

Lancefly’s use of code reuse is evident in the fact that the rootkit relies on an update and installation tool that shares code with the Merdoor loader.

ZXShell can be installed with features that allow it to create, hijack, and run services; modify the registry; and compress a copy of its executable for hiding and protection.

Lancefly shares certain similarities with other Chinese APT groups, like APT17 and APT41, due to their usage of the ZXShell rootkit. The rootkit’s source code has been freely available for years, though, making the connection weak.

The rootkit loader for Lancefly has been reported before in an APT27, called “Budworm,” campaign under the name “formdll.dll.” It is not apparent, however, if this was done on purpose to throw off analysts and make attribution more difficult.

The use of the PlugX and ShadowPad RATs (remote access trojans), which are shared by multiple Chinese APT organizations, lends support to the theory that Lancefly originated in China.


Organizations in South and Southeast Asia have been the target of attacks by the advanced persistent threat (APT) group Lancefly, which has been seen using a custom-written backdoor in their operations. New information from Symantec’s Threat Hunter Team indicates that these attacks have been going on for years. According to a warning released by the company earlier today, “Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018.” Researchers at Symantec noticed its use in a campaign that began in the first quarter of 2023 and persisted through the first half of that year. Intelligence gathering is assumed to be the driving force behind both of these efforts.

Research intelligence-gathering organizations more thoroughly by reading: Cranefly Attackers Employ Covert Methods to Spread Malware Symantec stated that the backdoor has only been seen on a small number of networks and PCs over the years, suggesting that it has been used selectively. An upgraded version of the ZXShell rootkit would also be available to the attackers in this campaign. The most current effort, which Symantec says began in the middle of 2022 and will continue into 2023, is focused on South and Southeast Asian targets in the governmental, aviation, educational, and telecommunications sectors, among others.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x