Stealthy MerDoor malware uncovered after five years of attacks (Security News, May 2023)
A new APT hacking group dubbed Lancefly uses a custom 'Merdoor' backdoor malware to target government, aviation, and telecommunication organizations in South and Southeast Asia.
Symantec Threat Labs revealed today that Lancefly has been deploying the stealthy Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and log keystrokes on corporate networks.
Merdoor helps Lancefly maintain their access and foothold on the victim's system, installing itself as a service that persists between reboots.
Finally, Lancefly encrypts stolen files using a masqueraded version of the WinRAR archiving tool and then exfiltrates the data, most likely using Merdoor.
The use of a newer, lighter, and more feature-rich version of the ZXShell rootkit was also observed in Lancefly attacks.
The rootkit also uses an installation and updating utility that shares common code with the Merdoor loader, indicating that Lancefly uses a shared codebase for their tools.