uTalk

As part of a highly-targeted campaign that started in mid-2022 and continued into the first quarter of 2023, a new hacking group has begun to target the government, aviation, education, and telecom sectors in South and Southeast Asia.

Under the insect-themed alias Lancefly, Broadcom Software's Symantec is monitoring the activity. The attacks make use of a "powerful" backdoor called Merdoor.

The evidence so far gathered suggests that the custom implant was used as early as 2018. Based on the available tools and the victimology pattern, it is determined that gathering intelligence is the campaign's main objective.

According to Symantec, who shared their analysis with The Hacker News, "the backdoor is used very selectively, appearing on just a few networks and a small number of machines over the years, with its use appearing to be highly targeted.".

The ZXShell rootkit has been updated, and it is available to the attackers in this campaign. ".

Although the precise initial intrusion vector used is currently unknown, it is believed to have involved the use of phishing lures, SSH brute-forcing, or the exploitation of servers that were left open to the internet.

Attack chains ultimately result in the deployment of ZXShell and Merdoor, fully functional malware that can communicate with an actor-controlled server for additional commands and log keystrokes.

ZXShell is a rootkit that has several features to harvest sensitive data from infected hosts. It was first identified by Cisco in October 2014. Various Chinese actors, including APT17 (Aurora Panda) and APT27 (also known as Budworm or Emissary Panda), have previously been connected to the use of ZXShell.

The rootkit's source code is openly accessible, so many different groups could use it, according to Symantec. "While it has more features and targets more antivirus software to disable, the new version of the rootkit used by Lancefly appears to be smaller in size. ".

The ZXShell rootkit is signed with the certificate "Wemade Entertainment Co.," which provides another Chinese connection. Ltd," which was previously identified as being connected to APT41 (also known as Winnti) by Mandiant in August 2019.

Additionally, it has been determined that Lancefly's intrusions make use of PlugX and ShadowPad, a modular malware platform that has been secretly used by numerous Chinese state-sponsored actors since 2015.

Despite this, it is also well known that Chinese state-sponsored groups frequently share certificates and other resources, which makes it challenging to attribute an attack crew to a specific known member.

Symantec stated that even though the Merdoor backdoor seems to have been around for a while, it only seems to have been used in a handful of attacks during that time. "This prudent use of the tool may be a sign that Lancefly wants to keep its activities hidden. ".

Since at least mid-2022, cybercriminals have been using a new phishing-as-a-service (PhaaS or PaaS) platform called Greatness to target business users of the Microsoft 365 cloud service, effectively lowering the barrier to entry for phishing attacks.

"Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates extremely convincing decoy and login pages," said Cisco Talos researcher Tiago Pereira.

It has elements like pre-filling the victim's email address and showing their appropriate company logo and background image, which were taken from the target organization's actual Microsoft 365 login page, among other things. ".

Manufacturing, healthcare, and technology companies with U.S. locations predominately participate in campaigns for Greatness. S. , the U. K. , Australia, South Africa, Canada, and Australia, with a December 2022 and March 2023 activity peak.

Phishing kits like Greatness provide threat actors—whether experienced or inexperienced—with a convenient one-stop shop that is affordable and scalable, enabling them to create convincing login pages for a variety of online services and get around two-factor authentication (2FA) security measures.

The decoy pages, in particular, act as a reverse proxy to collect login information and time-based one-time passwords (TOTPs) supplied by the victims.
Attack chains start with malicious emails that include an HTML attachment. When opened, the HTML file executes obfuscated JavaScript code that directs the user to a landing page with the recipient's email address pre-filled and requests their password and MFA code.

In order to gain unauthorized access to the accounts in question, the entered credentials and tokens are then sent to the affiliate's Telegram channel.

Additionally, the AiTM phishing kit includes an administration panel that enables the affiliate to customize the Telegram bot, monitor data breaches, and even create malicious attachments and links.

Additionally, in order to load the phishing page, each affiliate is required to have a current API key. The API key also enables behind-the-scenes communication with the genuine Microsoft 365 login page by posing as the victim and preventing unwanted IP addresses from viewing the phishing page.
Together, the phishing kit and the API carry out a "man-in-the-middle" attack by asking the victim for information, which the API will then transmit in real time to the authentic login page, according to Pereira.

"If the victim employs MFA, this enables the PaaS affiliate to steal both the victim's username and password as well as the authenticated session cookies. ".

The findings coincide with Microsoft's implementation of number matching in Microsoft Authenticator push notifications starting on May 8, 2023, in order to strengthen 2FA security and thwart prompt bombing attacks.

According to a technical report released this week by cybersecurity company Deep Instinct, a previously unreported and largely undetected variation of a Linux backdoor known as BPFDoor has been discovered in the wild.

With this most recent version, security researchers Shaul Vilkomir-Preisman and Eliran Nissan said that BPFDoor "retains its reputation as an extremely stealthy and difficult-to-detect malware.".

The Chinese threat actor Red Menshen (also known as DecisiveArchitect or Red Dev 18), who has been known to target telecom providers in the Middle East and Asia since at least 2021, is linked to the passive Linux backdoor known as BPFDoor (also known as JustForFun), which was first discovered by PwC and Elastic Security Labs in May 2022.

Evidence suggests that the hacking group operated the backdoor undetected for years. The malware is specifically designed to establish persistent remote access to compromised target environments for extended periods of time.

Berkeley Packet Filters (BPF), a technology that allows Linux systems to analyze and filter network traffic, are used by BPFDoor to process incoming commands and conduct network communications.

Threat actors are able to enter a victim's system in this way, filter out unnecessary data, and execute arbitrary code without being noticed by firewalls.

The information from Deep Instinct is based on a BPFDoor artifact that was published on VirusTotal on February 8, 2023. Only three security vendors have labeled the ELF binary as malicious as of this writing.

The removal of many hard-coded indicators and the replacement of them with a static encryption library (libtomcrypt) and a reverse shell for command-and-control (C2) communication are two important features that make the new version of BPFDoor even more evasive.

backdoor for Linux.
To avoid being terminated, BPFDoor is set up at launch to disregard a number of operating system signals. Then, after allocating a memory buffer, it creates a special socket for packet sniffing that attaches a BPF filter to the raw socket and watches for incoming traffic with a particular Magic Byte sequence.

According to the researchers, "BPFdoor will treat a packet containing its Magic Bytes in the filtered traffic as a message from its operator, parse out two fields, and fork itself once more.".

The child process will attempt to contact the parent process by treating the previously parsed fields as a command-and-control IP-Port combination while the parent process will continue to monitor the filtered traffic passing through the socket. ".