
Lancefly: Emerging Cyber Espionage Group with an Unknown Origin

Jul 27, 2023
Esme Greene

According to analysts at Symantec Threat Labs, a newly identified APT group dubbed Lancefly is using a custom backdoor called Merdoor to carry out targeted attacks against government, aviation, and telecommunications organizations in South and Southeast Asia.

How does Lancefly actually work?

Since 2018, Lancefly has used the stealthy Merdoor backdoor in highly targeted attacks, relying on it to establish persistence, execute commands, and perform keylogging on corporate networks. The primary objective of these campaigns is believed to be intelligence gathering.

Although the initial infection vector is still unknown, Symantec researchers have found evidence that Lancefly has used a range of techniques over time, including phishing emails, SSH brute forcing, and the exploitation of vulnerabilities in open-source servers.

Once the attackers have gained a foothold on the targeted system, they load the Merdoor backdoor into legitimate Windows processes via DLL sideloading, allowing the malware to run without drawing attention.

Lancefly has also been observed using the "Atexec" feature of Impacket to immediately execute scheduled tasks on remote machines over the SMB protocol. Researchers believe the attackers use this feature to move laterally to other devices within the network or to delete the output files produced by other tools.

To steal credentials, the Lancefly operators dump LSASS process memory or extract password hashes from the SAM and SYSTEM registry hives. The group then encrypts the stolen files with a disguised copy of WinRAR and exfiltrates the data through the Merdoor backdoor.
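A defender's view of the tradecraft described in the last two paragraphs, as an added example that is not part of this article or of Symantec's report: a small set of detection checks for atexec-style task execution, LSASS access, SAM/SYSTEM hive export and password-protected archiving, run over constructed Sysmon-style events (the event shapes, paths, file names and the renamed archiver are all assumptions made for the example).

```python
import re

# Constructed, simplified Sysmon-style events (assumed shapes, not real Lancefly telemetry):
# "create" = process creation (image, parent, cmdline); "access" = process access (target).
SAMPLE_EVENTS = [
    {"type": "create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"cmd.exe /C ipconfig /all > \Windows\Temp\xKqRmTzv.tmp 2>&1"},
    {"type": "access", "image": r"C:\Users\Public\dump64.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access_mask": 0x1010},
    {"type": "create", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"type": "create", "image": r"C:\Users\Public\wmiprvse.exe",  # archiver under a disguised name
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmiprvse.exe a -hp [redacted] -m5 C:\Users\Public\docs.rar C:\Finance"},
    {"type": "create", "image": r"C:\Windows\System32\notepad.exe",  # benign control event
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"notepad.exe C:\Temp\notes.txt"},
]

def is_atexec_pattern(e):
    """atexec runs 'cmd.exe /C <cmd> > \\Windows\\Temp\\<rnd>.tmp 2>&1' as a scheduled task (parent svchost)."""
    return (e["type"] == "create" and e["parent"].lower().endswith(r"\svchost.exe")
            and re.search(r"(?i)cmd\.exe\s+/c\s.*>\s*\\windows\\temp\\\w+\.tmp\s+2>&1",
                          e["cmdline"]) is not None)

def is_lsass_access(e):
    """A process opening lsass.exe with PROCESS_VM_READ (0x0010) is the start of a credential dump."""
    return (e["type"] == "access" and e["target"].lower().endswith(r"\lsass.exe")
            and bool(e["access_mask"] & 0x0010))

def is_hive_save(e):
    """'reg save HKLM\\SAM' / 'HKLM\\SYSTEM' exports the hives needed to recover local password hashes."""
    return (e["type"] == "create" and e["image"].lower().endswith(r"\reg.exe")
            and re.search(r"(?i)\bsave\s+hklm\\(sam|system)\b", e["cmdline"]) is not None)

def is_encrypted_archive(e):
    """WinRAR 'a' with -hp encrypts data and headers; match the switch syntax, not the renamed image."""
    c = e.get("cmdline", "")
    return (e["type"] == "create" and ".rar" in c.lower()
            and re.search(r"(?i)\s+a\s+(-\S+\s+)*-hp", c) is not None)

RULES = [("atexec-style scheduled task", is_atexec_pattern),
         ("LSASS memory access", is_lsass_access),
         ("SAM/SYSTEM hive save", is_hive_save),
         ("password-protected RAR archive", is_encrypted_archive)]

def detect(events):
    """Return (rule name, image) for each event that matches a rule; benign events produce nothing."""
    return [(name, e["image"]) for e in events for name, rule in RULES if rule(e)]
```

Each rule keys on the behaviour rather than on a tool name, which matters here because the archiver was run under a disguised name and the backdoor lives inside legitimate processes.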

Notably, Lancefly's attacks have incorporated an updated, more sophisticated version of the ZXShell rootkit. This upgraded version adds features such as delivering payloads that match the targeted system's architecture, executing shellcode read from files, and terminating processes. The rootkit shares code with the Merdoor loader through a common installation and update utility, indicating a shared code base maintained by Lancefly.

While researchers have been unable to definitively attribute the Lancefly group to a specific country, its use of the PlugX and ShadowPad remote access trojans (RATs), which have been associated with multiple Chinese APT groups, establishes a connection to China.