Research Saturday 6.3.23
Ep 284 | 6.3.23

Lancefly screams bloody Merdoor.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Brigid O'Gorman: Well, we've actually seen some Lancefly activity previously, back in the 2020/2021 timeframe. So then when we saw this more recent activity, we were able to kind of combine, I suppose, both those sets of research to produce this blog, because this more recent activity, I suppose, gives a bit more insight into how Lancefly operates.

Dave Bittner: That's Brigid O'Gorman. She's a senior intelligence analyst at Symantec. The research we're discussing today is titled "Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors."

Brigid O'Gorman: It was seen to be around for a few years. The indications are that Merdoor has been around since about 2018. And as I said, we can see it used back in 2020 and 2021, and it's still being used now in this activity, which continued into the first part of this year.

Dave Bittner: Well, before we dig into the specifics of Merdoor, what can you tell us about Lancefly themselves; what do we know about them?

Brigid O'Gorman: Yes, as I said, they've been around for a few years, by the looks of things. They're an advanced persistent threat group. We do think there may have- it's possible they have some links to some groups we would know, some previously known groups, well-known names like APT41, or Budworm, which is also APT27, as well as Hidden Lynx. We do kind of discuss some of those potential links in the blog. But all those links are a bit loose, a little bit low-confidence, so that allowed us to kind of break out this activity under this new group name. And it seems pretty clear that this group is driven by, you know, intelligence gathering; that's their motivation. You know, as you said, its targets have primarily been in the government, communications and technology sectors, as well as aviation, which is kind of an interesting target as well. And they do seem to be very focused on South and Southeast Asia. That's primarily where their targets have been located. And obviously they're an interesting group then as well because they do have this custom malware, custom backdoor, Merdoor, which just seems amusing; and then also they're also using the ZXShell rootkit, which is publicly available, the source code for it is currently available, but we're seeing that they have developed that tool to kind of give it some additional functionality and stuff as well, so they are able to, you know, work on their own malware as well.

Dave Bittner: Well, let's dig into Merdoor itself. What exactly is going on with this tool?

Brigid O'Gorman: Yes, it's a pretty interesting tool. It's, you know, kind of a- quite powerful; it's a fully featured backdoor. As I said, we saw a bit of unusual activity in 2020 and 2021, as well as in this activity. But what's interesting about it as well is, despite the fact we do think it's been around since 2018, that's kind of when the first sort of indications are. It seems it's been in development since then, probably. But despite the fact that it's been around for a good number of years, its use still seems to be very targeted. We've only seen it on a handful of networks, on a very small number of machines, over the years. So that's interesting. So that's kind of a very prudent use of the tool, and perhaps the indication is that Lancefly wants to kind of keep the tool and its activity under the radar. So the backdoor itself then, its functionality includes kind of- you know, it's fairly typical stuff: it installs itself as a service. Well, obviously that's to try and stay under the radar, most likely. It can carry out keylogging, it has various methods to allow it to communicate with its command and control server, and it is able to listen on local ports for commands from its C&C server as well. So typically we see this injected into the legitimate processes perfhost.exe or svchost.exe. And it's made up of kind of three components, I suppose; there's a dropper, a loader, as well as the backdoor. So the Merdoor dropper, that's a self-extracting RAR file, and that itself contains three files: a legitimate and signed binary that's vulnerable to DLL side-loading, which is a- kind of a common technique we see APT groups using; the malicious loader, or Merdoor loader; as well as an encrypted file that contains the final payload, which is the Merdoor backdoor. So when opened then, the dropper basically extracts these embedded files, it executes the legitimate binary then in order to load the Merdoor loader- it's quite hard to say. 
And [laughter] we did also find various variants of the Merdoor dropper that abused basically older versions of five different legitimate applications that are abused for the purposes of DLL side-loading, essentially, to kind of get this malware onto the victim machines.

Dave Bittner: And how would someone find this on their system, or what techniques are there- are they using to install it?

Brigid O'Gorman: Yes, so they seem to have- they seem to use various different infection vectors. So they- and we aren't entirely clear on the initial infection vector. In the most recent activity we have some indications from a couple of victims. From its earlier campaign that it carried out in 2020, in that campaign it appeared that the group was using phishing emails as the initial infection vector. So then in this more recent activity, we saw some indications in two victims that indicate what the initial infection vector may have been. So in one of the government-sector victims there were indications that the initial infection vector may have been SSH brute forcing, and then in another victim we saw a file path that indicated that a load balancer may have been exploited for access. So that pointed to the fact that the initial infection vector may have been an exposed public-facing server, which is a very common infection vector used by hackers these days, too. So it appears that the group, you know, basically has access to or is willing to use various different infection vectors in order to get onto victim machines, essentially.

Dave Bittner: One of the things you dig into in the blog post here is some of the details of the ZXShell rootkit. What should we know about that?

Brigid O'Gorman: Yes, so the ZXShell rootkit, it has been around for, you know, a long time. I think it was first reported on by Cisco almost ten years ago, back in 2014. But the version of the tool, as I said, that's used by Lancefly is updated. So that's interesting. It indicates that it does continue to be actively developed by Lancefly and- or potentially other groups as well. Obviously, we're not sure, when that source code is supposedly available, and often we do see groups, you know, sharing code and that kind of thing. But someone is certainly developing this tool. This new version of the rootkit that Lancefly is using does appear to be smaller in size, it also has some additional functions, but it also targets additional antivirus software to disable, which is one of the functions of the rootkit, that it disables antivirus software. So the various functionalities of this rootkit that Lancefly uses include keylogging, providing them with more access to machines; it's also able to spread laterally to other hosts in the network. And it's interesting as well, you know, the rootkit, because it sort of takes multiple steps to install itself quite stealthily onto victim machines, I would say. The rootkit loader, it exports functions that can be used to drop payloads matching the host system's architecture, it can read and execute shellcode, it can kill processes, and other things as well. Also of note was that the rootkit's installation utility kind of shares some common code with the Merdoor loader, so there is some kind of shared code base there that kind of allowed this activity to be connected as well. We also see its installation functionality supporting things like hijacking, compressing a copy of its own executable, in order, again, to maybe evade detection or to help them achieve persistence on victim machines as well. So it has multiple functionalities as a rootkit.

Dave Bittner: Then what does this say about the sophistication, and I suppose even the persistence, the patience of this threat group?

Brigid O'Gorman: Yes, they definitely do seem to be a patient threat group, because I mean a lot of the groups that we see that have access to custom tools and things like that, you know, we would see them deploying them, I suppose, more regularly, or we would see them using them in attacks fairly frequently. But it does seem that this threat group, Lancefly, seems to have a very, you know, kind of specific focus. It seems to be- it seems to know, I suppose, the victims it's interested in, and it's only really interested in deploying its tools onto those machines; because it definitely is notable that Merdoor especially has been around for as long as it has been, and it's been seen so infrequently even though, you know, it's a powerful, fully functional backdoor. So you would think when they have access to it, they would use it. But it just- they just seem to have a very specific focus, I think, this group. And I think definitely the desire to stay under the radar and keep this activity kind of low-key is one of the things driving this group as well.

Dave Bittner: Well, based on the information you all have gathered here, what are your recommendations then for folks to best protect themselves?

Brigid O'Gorman: I think obviously the usual kind of caveats when it comes to following the usual best security practices, I suppose, when it comes to protecting yourself from any of these-

Dave Bittner: Yes.

Brigid O'Gorman: Attack groups. But I think what's interesting with Lancefly as well is it may have those kind of potential links to other attack groups, as I said, like APT41, Budworm, and also- who else did I say, Hidden Lynx?

Dave Bittner: Hmm.

Brigid O'Gorman: So I think that's notable as well for people listening, those kind of connections between all those different Chinese APT groups, that there can be a lot of sharing of personnel, there can be a lot of sharing of, you know, tools as well. Like we did see that the ZXShell rootkit that Lancefly used was signed by a certificate with the name "Wemade Entertainment Co., Ltd." And that was previously reported as being associated with APT41. But like that doesn't really conclusively say that those groups are necessarily connected, because we do know these kinds of Chinese attack groups can share those kinds of things amongst each other, and as I say, kind of share personnel and that sort of thing. So I think one of the things to keep in mind with this Lancefly activity is, while we've broken out Lancefly here as a new group, because as I said, those kinds of links we saw with the other kind of attack groups weren't definitive, you know, it's certainly possible that Lancefly could be cooperating with other APT groups and kind of working alongside them and, you know, potentially that can lead to tool sharing, as we've seen with other tools in the past, such as PlugX and ShadowPad, which Lancefly is also using in this activity, but those are shared tools that are used amongst other different attack groups. So I think it's just important to keep on top of all these groups' activity, on top of the new tools that they're using, like Merdoor, like this developed ZXShell rootkit, and just to watch out for any of the indicators on your systems and make sure that like there's an awareness that these attack groups are, I suppose, constantly working, and developing tools, and trying to take new steps to keep their activity under the radar all the time.

Dave Bittner: Our thanks to Brigid O'Gorman from Symantec for joining us. The research is titled "Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, and Other Sectors." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday Podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.