#Merdoor
https://bit.ly/41Fkwsq - 🎯 The Lancefly APT group is employing a custom-built backdoor, dubbed Merdoor, in its latest cyber-attacks targeting organizations in South and Southeast Asia. The group has been particularly active in sectors including government, aviation, education, and telecoms. This backdoor has been used sparingly and selectively, pointing to highly targeted attacks. #CyberSecurity #APT #Lancefly

🔍 The Merdoor backdoor, which has been in existence since 2018, is a powerful tool with functionalities such as installing itself as a service, keylogging, and communicating with its command-and-control (C&C) server through various methods. The backdoor is usually injected into the legitimate processes perfhost.exe or svchost.exe. #Merdoor #Backdoor #CyberAttack

🚪 The initial infection vector for these attacks remains unclear. There are suggestions that SSH brute forcing and exploitation of exposed public-facing servers could be the possible infection vectors, demonstrating Lancefly's adaptability in choosing infection vectors. #InfectionVector #CyberThreat

💼 In their campaign, the attackers have used non-malware techniques for credential theft on victim machines, including PowerShell and a legitimate tool by Avast. They also used a masqueraded version of the legitimate archiving tool WinRAR for staging and encrypting files before exfiltration. #CredentialTheft #CyberDefense

🛠️ Notable attack chain tools and TTPs used by Lancefly include Impacket Atexec, suspicious SMB activity, LSSAS Dumper, NBTScan, and loaders like Blackloader and Prcloader. The attackers also employed the ZXShell rootkit, which continues to be actively developed. #AttackChain #CyberTools

🔗 While Lancefly uses tools associated with other APT groups like APT41 and APT17, the links between these groups are not definitive. The overlaps and shared tools may suggest some connections, but these are not strong enough to attribute this activity and the development of the Merdoor backdoor to a known attack group. #APTGroups #CyberIntelligence

🔔 This recent Lancefly activity is significant due to its use of the Merdoor backdoor and the highly targeted nature of these attacks. The tools used and sectors targeted indicate the attack campaign's motivation is intelligence gathering. The exposure of this activity may or may not lead to alterations in how the group carries out its activity.
#CyberSecurity #APT #Lancefly #Merdoor #Backdoor #CyberAttack #InfectionVector #CyberThreat #CredentialTheft #CyberDefense #AttackChain #CyberTools #APTGroups #CyberIntelligence #CyberEspionage #IntelligenceGathering
Lancefly APT uses powerful Merdoor backdoor in attacks on Asian orgs
http://i.securitythinkingcap.com/Sp5kb3