# Stealthy MerDoor malware uncovered after five years of attacks

Security News, May 2023
A newly identified APT group, dubbed Lancefly, uses a custom backdoor named 'Merdoor' to target government, aviation, and telecommunication organizations in South and Southeast Asia.
The Symantec Threat Labs revealed today that Lancefly has been deploying the stealthy Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and perform keylogging on corporate networks.
Merdoor gives Lancefly a lasting foothold on the victim's system: it installs itself as a service so that it persists across reboots.
Finally, Lancefly encrypts stolen files using a masqueraded version of the WinRAR archiving tool and then exfiltrates the data, most likely using Merdoor.
The use of a newer, lighter, and more feature-rich version of the ZXShell rootkit was also observed in Lancefly attacks.
The rootkit also uses an installation and updating utility that shares common code with the Merdoor loader, indicating that Lancefly uses a shared codebase for their tools.