Stealthy and Targeted Attacks Against Southern Asian Organizations from Lancefly
"Merdoor," a highly sophisticated malware backdoor, has been used by the advanced persistent threat (APT) group Lancefly to target organizations in South and Southeast Asia since mid-2022, with campaigns extending into early 2023. Symantec researchers shed light on the APT group, noting that its campaigns are conducted with the goal of "intelligence gathering," and that the deployment of its Merdoor malware "is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted." Merdoor is capable of receiving and executing commands from the attacker's command and control, keylogging, and sideloading with at least "five different legitimate applications." Lancefly has aimed its attacks at sectors such as aviation, communications, education, government, technology, and telecommunications.
While Lancefly has demonstrated the ability to adapt its tactics for initial infection, Symantec has surmised that in one of the group's recent campaigns the operators gained access by forcing SSH against a government entity. In another campaign, they appeared to exploit a public-facing server, leading to the compromise of a load balancer. The group has demonstrated a large number of tactics, techniques, and procedures. The assortment of credential access tools used by Lancefly includes the use of Mimidump to dump comsvcs.dll, dumping credentials stored in the registry, and the abuse of a legitimate Avast tool to dump LSASS memory. Other notable techniques include process injection with mavinject.exe, lateral movement using SMB and Impacket, and data collection with WinRAR, which masqueraded as wmiprvse.exe. Lancefly's use of the publicly available ZXShell rootkit malware was also found to be enhanced with new capabilities.
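Two of the techniques named above, WinRAR masquerading as wmiprvse.exe and process injection with mavinject.exe, can be hunted in process-creation telemetry. The following is an added example, not taken from Symantec's report; it assumes Sysmon-style `Image`, `OriginalFileName` and `CommandLine` fields, and every sample event, path and finding name in it is constructed for illustration.

```python
import ntpath

# Directories where the genuine WMI provider host (wmiprvse.exe) is installed.
LEGIT_WMIPRVSE_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}

def detect(event):
    """Return finding names (hypothetical labels) for one process-creation event."""
    image = event.get("Image", "").lower()
    name = ntpath.basename(image)
    orig = event.get("OriginalFileName", "").lower()
    tokens = event.get("CommandLine", "").lower().split()
    findings = []
    if name == "wmiprvse.exe":
        # A copy outside the wbem directories is not the Windows binary.
        if ntpath.dirname(image) not in LEGIT_WMIPRVSE_DIRS:
            findings.append("wmiprvse_unexpected_path")
        # The PE version resource survives a rename on disk.
        if orig and orig != "wmiprvse.exe":
            findings.append("wmiprvse_originalfilename_mismatch")
    # mavinject.exe injects a DLL into a running process with this switch.
    if "/injectrunning" in tokens:
        findings.append("mavinject_injectrunning")
    return findings

def triage(events):
    """Map event index -> findings, for events with at least one finding."""
    hits = {}
    for i, ev in enumerate(events):
        found = detect(ev)
        if found:
            hits[i] = found
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "OriginalFileName": "Wmiprvse.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"Image": r"C:\ProgramData\wmiprvse.exe",
     "OriginalFileName": "WinRAR.exe",
     "CommandLine": r"wmiprvse.exe a -r C:\Users\Public\out.rar C:\Data"},
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "OriginalFileName": "",
     "CommandLine": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\Public\sample.dll"},
]

if __name__ == "__main__":
    for idx, found in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], found)
```

The path check and the `OriginalFileName` check are kept separate because a renamed archiver copied into a wbem directory would pass the first and still fail the second.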
Lancefly has not been attributed to any other threat group; however, its use of a sample of ZXShell signed with a certificate from "Wemade Entertainment Co. Ltd," suggests a potential link with the Chinese APT group APT41. A link to another Chinese threat group, Threat Group-3390, was made based on the same filenames deployed from a ZXShell rootkit loader component. Despite the lack of specific attribution, Symantec is confident that the threat actors operate with the goal of intelligence gathering, and their limited but targeted stretch of activity demonstrates their ability to operate under the radar.