Symantec researchers have found that a state-backed hacking group tracked as Lancefly has been using custom-made malware to target governments, telecoms and other organisations across Asia.
The group is classed as an Advanced Persistent Threat (APT) and was previously linked to attacks in 2020 that used phishing lures themed on the 37th ASEAN Summit. The latest campaign, which ran from mid-2022 through the first quarter of 2023, targeted organisations in South and Southeast Asia in the government, aviation, education and telecom sectors.
Symantec calls the group's custom backdoor Merdoor. The tool has existed since 2018 but has been deployed only selectively, on a small number of carefully chosen machines, over the years. The backdoor provides the following functionality:
- Installing itself as a service
- Various methods to communicate with its command-and-control server
- Ability to listen on a local port for commands
In practical terms, Merdoor lets the attackers monitor activity on the host, log keystrokes and interact directly with the infected machine.
“The tools used and sectors targeted all point to the motivations of this attack campaign being intelligence gathering,” said the researchers at Symantec.
Symantec researchers noted that the similarities between this recent activity and the group's earlier attacks suggest that Lancefly perhaps did not realise the earlier activity had been discovered, and so was not concerned about links being drawn between the two.
The researchers declined to name the country behind Lancefly or the countries targeted, but several other tools used by the group are hallmarks of Chinese state-sponsored hacking groups.
While Lancefly relied on phishing lures in its 2020 and 2021 campaigns, the group now uses a variety of initial infection vectors, which suggests it adapts its tradecraft as it goes. Alongside the custom malware, the group has used other means, such as legitimate tools from Avast and WinRAR, to collect and exfiltrate data. The researchers noted that one of the tools is signed with a certificate issued to Wemade Entertainment Co. Ltd, which has previously been reported in association with APT41 (also known as Blackfly/Grayfly), another Chinese hacking group.
The researchers noted that the apparently low prevalence of the backdoor and the highly targeted nature of the attacks point to a specialised group focused on gathering intelligence while keeping its activities under the radar. Whether the exposure of this activity will change how the group operates remains to be seen.