Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

16-05-2023

Government, aviation, education, and telecom organizations in South and Southeast Asia have been targeted by a previously unknown hacking group in a highly targeted campaign that began in mid-2022 and continued into the first quarter of 2023.

Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker Lancefly, with the attacks making use of a “powerful” backdoor called Merdoor.

Evidence gathered so far indicates that the Merdoor implant has been in use since at least 2018. Based on the tooling and the victimology, the campaign's ultimate goal is assessed to be intelligence gathering.

The attack chains ultimately lead to the deployment of ZXShell and Merdoor. Merdoor is a fully featured backdoor that communicates with an actor-controlled server to receive further commands and can log keystrokes.

ZXShell, first documented by Cisco in October 2014, is a rootkit that comes with various features to harvest sensitive data from infected hosts. The use of ZXShell has been linked to various Chinese actors like APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda) in the past.

Another Chinese link comes from the fact that the ZXShell rootkit is signed by the certificate “Wemade Entertainment Co. Ltd,” which was previously reported by Mandiant in August 2019 to be associated with APT41 (aka Winnti).
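A practical check that follows from the signing-certificate detail above, as an added example that is not part of the article or of Symantec's report: a PowerShell hunt that walks a set of directories and flags PE files whose Authenticode signer subject contains a name from a watchlist. The directory list in $Roots and the watchlist contents are assumptions chosen for illustration; the only signer name taken from the page is "Wemade Entertainment Co. Ltd".

```powershell
# Added example (not from the article or Symantec). Hunts for signed PE files
# whose signer subject matches a watchlisted name. $Roots is an assumed set of
# directories to sweep; adjust to the hosts and paths you actually care about.
$Roots     = @("$env:SystemRoot\System32", "$env:ProgramData", "$env:TEMP")
$Watchlist = @("Wemade Entertainment Co. Ltd")   # signer named in the report

Get-ChildItem -Path $Roots -Include *.exe,*.dll,*.sys -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    # Unsigned files have no SignerCertificate; skip them here (they are a
    # separate hunt, not a watchlist match).
    if ($null -ne $sig.SignerCertificate) {
      $subject = $sig.SignerCertificate.Subject
      foreach ($name in $Watchlist) {
        if ($subject -like "*$name*") {
          [PSCustomObject]@{
            Path       = $_.FullName
            Subject    = $subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            NotAfter   = $sig.SignerCertificate.NotAfter
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            # A Valid status does not clear the file: a misused certificate
            # still chains to a trusted root until it is revoked.
            Status     = $sig.Status
          }
        }
      }
    }
  } | Format-Table -AutoSize
```

Treat a hit as a lead, not a verdict: as the article notes, certificates and tools circulate among several Chinese state-sponsored groups, so a match on the signer name ties a file to that shared tooling rather than to one specific crew. Pivot on the thumbprint across the fleet to find other binaries signed with the same certificate.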

Lancefly’s intrusions have also been identified as employing PlugX and its successor ShadowPad, the latter of which is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.

That said, it’s also known that certificate and tool sharing is prevalent among Chinese state-sponsored groups, making attribution to a specific known attack crew difficult.


Source: https://thehackernews.com/