Cybersecurity researchers have recently discovered a new group of threat actors known as Lancefly, who have been actively targeting government, aviation, education, and telecoms organizations. Symantec, in its latest report, revealed that Lancefly employs a custom-made malware called Merdoor, which has been in circulation since at least 2018. While previous campaigns featuring Merdoor were observed in 2020 and 2021, the current campaign began in mid-2022 and has continued into 2023.
According to Symantec’s experts, Lancefly’s approach is highly selective, with only a small number of machines being infected. The Merdoor malware boasts various functionalities, including self-installation as a service, keylogging, communication with the C2 server over protocols such as HTTP, HTTPS, and DNS, and the ability to listen for commands on a local port.
The researchers noted that the specific infection vector for this campaign remains unclear. While Lancefly has previously relied on classic phishing techniques to distribute the backdoor, in this instance, evidence suggests the attackers may have used SSH brute-forcing or exploited a load balancer for unauthorized access. This adaptability in infection vectors showcases Lancefly’s sophistication.
Although the identity of the group behind Lancefly remains a mystery, the researchers hinted at a potential Chinese origin. Lancefly utilizes the ZXShell rootkit, signed with the certificate “Wemade Entertainment Co. Ltd,” which has been associated with Blackfly (also known as APT41), a Chinese threat actor. However, it is worth noting that this certificate has been shared with other threat actors, so it is not conclusive on its own.
Regardless of the group’s origin, the primary objective of Lancefly’s campaign is espionage and intelligence gathering. The targeted sectors, including government, aviation, education, and telecoms, house valuable information and sensitive data, making them attractive targets for cyber adversaries. As cybersecurity experts continue to monitor Lancefly’s activities, organizations in these sectors should enhance their defenses and remain vigilant against evolving threats.