This sneaky malware lay undetected for five years to target government devices

Merdoor infostealer has been circulating since at least 2018


Cybersecurity researchers have spotted a new threat actor targeting government, aviation, education, and telecoms organizations.

A report from Symantec describes a group it dubbed Lancefly, which was spotted using a custom piece of malware to target the organizations listed above. Lancefly uses a custom infostealer called Merdoor which, according to the researchers, has been circulating since at least 2018. Symantec observed it in campaigns in 2020 and 2021, but in the current campaign the malware has been in use since mid-2022 and continued into 2023.

Symantec’s experts say the attackers are not casting a wide net with Merdoor but are quite selective in their targets. “Only a small number of machines [are] infected,” they said.

The Merdoor malware


Merdoor’s functions include installing itself as a service, keylogging, several means of communicating with its command-and-control (C2) server (HTTP, HTTPS, DNS, and others), and listening on a local port for commands.
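Of the C2 channels listed above, DNS is the one most often missed by perimeter controls, because resolvers forward queries for any name without inspecting them. The following is an added example, not code from the Symantec report or from Merdoor itself: it scores constructed resolver log lines for the classic DNS-tunnelling pattern (many long, high-entropy, rarely repeated subdomains under one registered domain from one client). The "<timestamp> <client_ip> <qname>" log format, the thresholds, and the naive "last two labels" domain split are assumptions for illustration.

```python
"""Heuristic detection of DNS-based C2 over resolver query logs.

Added example, not code from the Symantec report or from Merdoor itself.
Assumptions (not from the article): the "<timestamp> <client_ip> <qname>"
log format, the thresholds, and the naive "last two labels" domain split.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: one benign client and one client that
# pushes hex-encoded chunks out through unique subdomains of a single domain.
SAMPLE_DNS_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 www.example.com
2023-03-01T10:00:02Z 10.0.0.5 mail.example.com
2023-03-01T10:00:03Z 10.0.0.5 www.example.com
2023-03-01T10:00:04Z 10.0.0.5 api.example.com
2023-03-01T10:00:05Z 10.0.0.5 cdn.example.com
2023-03-01T10:00:06Z 10.0.0.5 www.example.com
2023-03-01T10:00:07Z 10.0.0.9 3a7f0c9e2b5d8146f1e4c7b0a9d65238.c2-sample.test
2023-03-01T10:00:08Z 10.0.0.9 8e1b6d04f3a295c72c9a4f71d0b3e865.c2-sample.test
2023-03-01T10:00:09Z 10.0.0.9 5f2c8a1d7e0b3946d6e9047b5a1c2f83.c2-sample.test
2023-03-01T10:00:10Z 10.0.0.9 c07e4b9f3a28d56119b2d5e3c8f0a674.c2-sample.test
2023-03-01T10:00:11Z 10.0.0.9 e6d3a0f2c7195b844a8c3e0d6f7b1259.c2-sample.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded data scores close to 4.0, words far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    """Return (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def split_domain(qname: str):
    """Naive split into (subdomain, registered domain) on the last two labels.
    Assumption for the example: production code should use the public suffix list."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_dns_c2(records, min_queries=5, min_avg_len=20, min_entropy=3.0, min_unique_ratio=0.8):
    """Flag (client, domain) pairs whose subdomains look like encoded payloads:
    many queries, long, high-entropy and almost never repeated. Thresholds are
    illustrative assumptions, not values from the report."""
    subs_by_pair = defaultdict(list)
    for _, client, qname in records:
        sub, domain = split_domain(qname)
        if sub:
            subs_by_pair[(client, domain)].append(sub)

    findings = []
    for (client, domain), subs in subs_by_pair.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        if avg_len >= min_avg_len and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(subs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "unique_ratio": round(unique_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_dns_c2(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The benign client in the sample makes more queries than the threshold but to short, repeated labels, so it is not flagged; the second client is. In a real deployment the unique-ratio check is what keeps CDN and anti-spam lookups (long but heavily repeated names) out of the results.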

While evidence from previous campaigns suggests Lancefly uses classic phishing techniques to deliver the backdoor to endpoints, the infection vector for this specific campaign was not clear, the researchers said. In one instance the attackers appear to have used SSH brute-forcing; in another, a load balancer may have been exploited for access.

“While evidence for any of these infection vectors is not definitive, it does appear to indicate that Lancefly is adaptable when it comes to the kind of infection vectors it uses,” the researchers concluded.
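Of the possible vectors above, SSH brute-forcing is the easiest to catch in logs, because every attempt is recorded by sshd. The following is an added example, not code from the Symantec report: it parses constructed OpenSSH auth-log lines and flags a source that fails five times inside a minute, escalating the finding when the same source then logs in successfully. The log format, the thresholds, the log year and the sample lines are assumptions.

```python
"""SSH brute-force detection over sshd auth-log lines.

Added example, not code from the Symantec report. Assumptions: standard
OpenSSH "Failed password" / "Accepted ..." syslog lines, a 60-second window,
a threshold of five failures, and the log year (syslog lines omit it).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log: one source hammers several accounts and then
# logs in; another source has a single typo-style failure before success.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar  1 10:00:02 bastion sshd[2203]: Failed password for root from 198.51.100.23 port 51014 ssh2
Mar  1 10:00:03 bastion sshd[2205]: Failed password for invalid user test from 198.51.100.23 port 51016 ssh2
Mar  1 10:00:04 bastion sshd[2207]: Failed password for root from 198.51.100.23 port 51018 ssh2
Mar  1 10:00:05 bastion sshd[2209]: Failed password for deploy from 198.51.100.23 port 51020 ssh2
Mar  1 10:00:07 bastion sshd[2211]: Failed password for deploy from 198.51.100.23 port 51022 ssh2
Mar  1 10:00:09 bastion sshd[2215]: Accepted password for deploy from 198.51.100.23 port 51030 ssh2
Mar  1 10:05:00 bastion sshd[2300]: Failed password for alice from 203.0.113.7 port 40022 ssh2
Mar  1 10:05:04 bastion sshd[2302]: Accepted publickey for alice from 203.0.113.7 port 40024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text: str, year: int = 2023):
    """Parse sshd auth-result lines into dicts, sorted by time; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside any window_s-second window.
    A success from the same source within window_s after the burst raises the
    severity: that is the case where the brute force actually worked."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        burst, start = None, 0
        # sliding window over the (time-sorted) failures of this source
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (burst is None or count > burst["count"]):
                burst = {"count": count, "first": fails[start]["ts"], "last": fails[end]["ts"],
                         "users": sorted({e["user"] for e in fails[start:end + 1]})}
        if burst is None:
            continue
        success = next((e for e in evs if e["result"] == "Accepted"
                        and 0 <= (e["ts"] - burst["last"]).total_seconds() <= window_s), None)
        findings.append({
            "src": src,
            "failures": burst["count"],
            "users_tried": burst["users"],
            "first_seen": burst["first"].isoformat(),
            "last_seen": burst["last"].isoformat(),
            "success_user": success["user"] if success else None,
            "severity": "high" if success else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

The second source in the sample fails once and then authenticates with a key, which is ordinary user behaviour and is not reported. The "failed burst followed by success" case is the one worth paging on, since it means a credential has most likely been guessed and the host should be treated as compromised from that login onward.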


The identity of the group remains unconfirmed, although the researchers suggest it may be Chinese. In its campaigns, Lancefly uses the ZXShell rootkit, signed with a certificate issued to “Wemade Entertainment Co. Ltd”. That certificate has previously been linked to Blackfly (also known as APT41), a Chinese threat actor. However, Blackfly is known to share its certificates with other threat actors, so the overlap alone is not conclusive.


Wherever the group is from, one thing is certain: the goal of its campaign is espionage and intelligence gathering.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
