
Sophisticated Merdoor backdoor long used in Lancefly APT attacks

BleepingComputer reports that the newly documented advanced persistent threat group Lancefly has been targeting South and Southeast Asian government, telecommunications, and aviation organizations with the custom Merdoor malware for the past five years. Intelligence gathering is believed to be Lancefly's motive in attacks using the stealthy Merdoor backdoor, which not only establishes persistence but also enables command execution and keylogging, according to a report from Symantec Threat Labs. Lancefly has used several techniques to deliver Merdoor, including phishing emails, exploitation of known vulnerabilities, and SSH credential brute-forcing, and has later leveraged Impacket's atexec functionality to spread the malware across the network. Aside from Merdoor, Lancefly has also used an updated ZXShell rootkit, whose loader can, among other things, deploy a payload and read and execute shellcode. The same tool has also been used by other Chinese APT operations, including APT41 and APT17.
