The government, aviation, education and telecommunications sectors located in South and Southeast Asia have come under the radar of a new hacker group as part of a highly targeted campaign that began in mid-2022 and continues into the first quarter of 2023.
Symantec, by Broadcom Software, tracks the activity under the insect-themed moniker Lancefly, with the attacks utilizing a “powerful” backdoor called Merdoor.
Evidence gathered so far suggests the custom implant has been used since 2018. The ultimate goal of the campaign, based on the victimology, tools, and patterns, is assessed as intelligence gathering.
“Backdoors were used very selectively, appearing on only a handful of networks and a small number of machines over many years, with their use apparently very targeted,” Symantec said in an analysis shared with The Hacker News.
“The attackers in this campaign also had access to the latest version of the ZXShell rootkit.”
While the exact initial intrusion vector used is currently unclear, it is thought to have involved the use of phishing baits, SSH brute-forcing, or exploitation of internet-exposed servers.
The chain of attacks ultimately led to the deployment of ZXShell and Merdoor, full-featured malware that could communicate with actor-controlled servers for further commands and log keystrokes.
ZXShell, previously documented by Cisco in October 2014, is a rootkit that comes with various features to retrieve sensitive data from infected hosts. The use of ZXShell has been associated in the past with various Chinese actors such as APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).
“The source code of this rootkit is publicly available so it can be used by a variety of different groups,” said Symantec. “The new version of the rootkit used by Lancefly appears to be smaller in size, but also has additional functionality and targets additional antivirus software for deactivation.”
Another Chinese link comes from the fact that the ZXShell rootkit is signed by a certificate issued to “Wemade Entertainment Co. Ltd,” which Mandiant previously reported in August 2019 to be associated with APT41 (aka Winnti).
Lancefly intrusions have also been identified using PlugX and its successor ShadowPad, the latter a modular malware platform shared privately among several Chinese state-sponsored actors since 2015.
That said, certificates and tools are also known to be shared among Chinese state-sponsored groups, making attribution to specific known crews difficult.
“While the Merdoor backdoor appears to have existed for a number of years, it appears to have only been used in a small number of attacks in that time frame,” said Symantec. “Careful use of these tools may indicate Lancefly’s desire to keep its activities under the radar.”