uTalk

thrive

Member

Registered: 2023-01-04

Posts: 1,985

Powerful Backdoor and Custom Implant Found by Researchers in Year-Long

As part of a highly-targeted campaign that started in mid-2022 and continued into the first quarter of 2023, a new hacking group has begun to target the government, aviation, education, and telecom sectors in South and Southeast Asia.

Under the insect-themed alias Lancefly, Broadcom Software's Symantec is monitoring the activity. The attacks make use of a "powerful" backdoor called Merdoor.

The evidence so far gathered suggests that the custom implant was used as early as 2018. Based on the available tools and the victimology pattern, it is determined that gathering intelligence is the campaign's main objective.

According to Symantec, who shared their analysis with The Hacker News, "the backdoor is used very selectively, appearing on just a few networks and a small number of machines over the years, with its use appearing to be highly targeted.".

The ZXShell rootkit has been updated, and it is available to the attackers in this campaign. ".

Although the precise initial intrusion vector used is currently unknown, it is believed to have involved the use of phishing lures, SSH brute-forcing, or the exploitation of servers that were left open to the internet.

Attack chains ultimately result in the deployment of ZXShell and Merdoor, fully functional malware that can communicate with an actor-controlled server for additional commands and log keystrokes.

ZXShell is a rootkit that has several features to harvest sensitive data from infected hosts. It was first identified by Cisco in October 2014. Various Chinese actors, including APT17 (Aurora Panda) and APT27 (also known as Budworm or Emissary Panda), have previously been connected to the use of ZXShell.

The rootkit's source code is openly accessible, so many different groups could use it, according to Symantec. "While it has more features and targets more antivirus software to disable, the new version of the rootkit used by Lancefly appears to be smaller in size. ".

The ZXShell rootkit is signed with the certificate "Wemade Entertainment Co.," which provides another Chinese connection. Ltd," which was previously identified as being connected to APT41 (also known as Winnti) by Mandiant in August 2019.

Additionally, it has been determined that Lancefly's intrusions make use of PlugX and ShadowPad, a modular malware platform that has been secretly used by numerous Chinese state-sponsored actors since 2015.

Despite this, it is also well known that Chinese state-sponsored groups frequently share certificates and other resources, which makes it challenging to attribute an attack crew to a specific known member.

Symantec stated that even though the Merdoor backdoor seems to have been around for a while, it only seems to have been used in a handful of attacks during that time. "This prudent use of the tool may be a sign that Lancefly wants to keep its activities hidden. ".