Merdoor – A Custom Backdoor Used by Lancefly APT to Target Government Organizations

Recent observations show the use of a unique Merdoor backdoor by a hacking group known as Lancefly APT to attack companies in the government, telecom, and aviation sectors.

Background:

The most recent findings indicate that these targeted intrusions are part of an adversary effort that has been using the Merdoor sample for a long time, with the earliest traces going back to 2018. In their attempt to gather information from affected individuals, Lancefly threat actors, according to a Symantec analysis, primarily concentrate on cyber-espionage operations. The malware is a self-extracting archive that can install itself as a service, carry out keylogging, and communicate with C2 servers through various channels.

Attack Chain

The initial infection vector that Lancefly employed has not been found by Symantec. However, it has discovered proof that the threat group has been using public-facing server vulnerabilities and phishing emails for years to gain unauthorized access. Once the attackers have gained access to the target machine, they inject the Merdoor backdoor into one of two legitimate Windows processes—’perfhost.exe’ or ‘svchost.exe,’ both of which aid the malware in evading detection—by using DLL side-loading.

Legitimate binary	Version	Date signed	Loader (Merdoor loader)	Encrypted payload (Merdoor backdoor)
SiteAdv.exe (McAfee SiteAdvisor)	1.6.0.23	08/10/2006	SiteAdv.dll	SiteAdv.pak
ssr32.exe (Sophos SafeStore Restore)	1.3.0.1	11/17/2017	safestore32.dll	safestore.pak
chrome_frame_helper.exe (Google Chrome Frame)	27.0.1453.110	05/29/2013	chrome_frame_helper.dll	chrome_frame_helper.pak
wsc_proxy.exe (Avast wsc_proxy)	1.0.0.3	10/28/2019	wsc.dll	proxycfg.pak
coInst.exe (Norton Identity Safe)	2014.7.3.12	06/26/2014	msvcr100.dll	coinstcfg.dat

List of Legit binaries used for DLL Sideloading (Symantec)

The Lancefly actors used phishing as an attack vector in prior malicious operations, but in the most recent campaign, the first attack vectors might be SSH brute forcing or a public-facing server. Additionally, in the most recent attacks, threat actors exhibited behavior patterns like those of their earlier operations, employing a variety of non-malware methods, such as PowerShell and disguised versions of trustworthy software, to steal user credentials from the computers they were targeting. Merdoor installs itself as a service that stays active between reboots, assisting Lancefly in keeping their access and footing on the victim’s machine. Using one of the many available communication protocols (HTTP, HTTPS, DNS, UDP, and TCP), Merdoor then makes contact with the C2 server and waits for instructions. Merdoor may take instructions by listening to local ports in addition to facilitating data interchange with the C2 server. In order to gather potentially important information like usernames, passwords, or other secrets, the backdoor also logs user keystrokes. The ‘Atexec’ functionality of Impacket has also been seen being used by Lancefly to promptly carry out a scheduled job on a distant system via SMB. This functionality is thought to be used by threat actors to propagate laterally to other network devices or erase output files produced by other commands. Additionally, attackers use commands to inject processes or dump LSASS memory, the latter of which gives them access to targeted networks and the ability to steal user passwords. Before data exfiltration, attackers could utilize a cloaked WinRAR archive manager. Additionally, Blackloader and Prcloader, which are connected to the infamous PlugX virus, are used by Lancefly actors. The attacker group also used an improved ZXShell malware in the most recent campaign. This rootkit is more advanced than prior versions since it is smaller and uses more advanced detection evasion tactics. The Merdoor loader and the rootkit both employ an installation and update application, proving that Lancefly uses a single codebase for all of its products. A clone of ZXShell’s own executable can be compressed for evasion and resilience, as well as for the construction, hijacking, and activation of services, registry alteration, and service creation.

Possible Attribution

Lancefly is tangentially related to other Chinese APT organizations that have utilized the tool in attacks, such as APT17 and APT41, thanks to the ZXShell rootkit. The rootkit’s source code is, however, readily accessible to the public and weakens the link. The rootkit loader for Lancefly has been identified as “formdll.dll” in a prior campaign of APT27, also known as “Budworm.” It is not obvious, though, if this is a deliberate decision to confuse analysts and complicate identification. The usage of the PlugX and ShadowPad RATs (remote access trojans), which are shared by multiple Chinese APT organizations, is one factor that supports the idea that Lancefly is of Chinese origin.

Suspicious Behavior and Detection of Merdoor Backdoor

The typical infection caused by the Merdoor backdoor involves establishing a connection to the command and control (C2) server and injecting the backdoor into legitimate processes like perfhost.exe or svchost.exe. In addition, the attackers execute commands to inject processes or extract data from LSASS memory, granting them access to targeted networks and enabling the theft of user passwords. Before exfiltrating data, the adversaries may employ a concealed WinRAR archive manager. Furthermore, the Lancefly actors utilize Blackloader and Prcloader, which are associated with the notorious PlugX virus. In their recent campaign, they have also employed an enhanced version of the ZXShell rootkit, which is smaller in size and incorporates advanced tactics to evade detection. The detection of Merdoor backdoor activity requires a keen eye for suspicious behavior. There are several indicators that can help identify the presence of this malware. One such indicator is the unusual network traffic generated by the infected system. Merdoor establishes communication with its command and control server using various protocols such as HTTP, HTTPS, DNS, UDP, and TCP. Monitoring network traffic for connections to known malicious IP addresses or domains associated with the C2 server can raise red flags. Another suspicious behavior to watch out for is the injection of the backdoor into legitimate processes. Merdoor typically targets processes like perfhost.exe or svchost.exe, so monitoring the creation of new instances of these processes or any unexpected modifications to their behavior can indicate a potential infection. The presence of keylogging functionality is another sign of a Merdoor infection. The malware is designed to capture keystrokes and record sensitive information, so any unusual or unauthorized logging of user inputs should be investigated. In addition to these behavioral indicators, the use of certain tools and malware associated with Merdoor can also help in detection. The Lancefly actors often utilize Blackloader and Prcloader, which are commonly associated with the PlugX RAT. Detection of these tools or any related artifacts on the system can suggest the presence of the Merdoor backdoor. Overall, a comprehensive approach to detecting and preventing Merdoor infections involves a combination of network monitoring. By remaining vigilant and employing robust security measures, organizations can minimize the risk posed by the Merdoor backdoor and protect their networks from unauthorized access and data theft.