
Lancefly APT: Examining the Long-Running Cyber Espionage Campaign Against Asian Government Organizations

Lancefly APT Targeting Asian Government Organizations for Years

Since at least 2020, the Lancefly APT (Advanced Persistent Threat) group has been actively targeting government organizations in South and Southeast Asia, as reported by Symantec. The group has also hit communications, technology, aviation, education, and telecom sectors, employing the Merdoor backdoor to gain access. Their attacks are highly targeted, indicating their focus on remaining under the radar.

The Merdoor backdoor is injected into legitimate processes by a dropper that abuses outdated versions of legitimate McAfee, Sophos, Google, Avast, and Norton applications. On the infected machine, the backdoor installs itself as a service, supports multiple command-and-control (C&C) communication methods, logs keystrokes, and listens on local ports for commands.

Additionally, the APT was found using other tools such as Impacket Atexec, NBTScan, WinRAR, LSASS Dumper, the Blackloader and Prcloader loaders, an updated version of the ZXShell rootkit, and the PlugX RAT. The updated ZXShell rootkit variant used in these attacks shows possible links to Chinese threat actors such as APT41 (aka Blackfly/Grayfly) and Iron Tiger (aka Budworm/APT27).

While these overlaps and shared tools may indicate some links between Lancefly activity and activity by other APT groups, there is not enough conclusive evidence to attribute this activity and the development of the Merdoor backdoor to an already-known attack group.

The Lancefly APT group has been conducting these attacks for at least three years, suggesting the need for heightened awareness and proactive security measures by the targeted organizations. This report highlights the persistent need for increased vigilance and prioritized investment in building modern and robust IT systems and cybersecurity measures in governmental institutions and private organizations alike.
