According to a report by Symantec, a government-backed hacking group known as “Lancefly” has been seen using custom-made malware to attack governments, telecoms and other organizations across Asia. Intelligence gathering appears to be the main motivation, given the tools and the targeted sectors.

Symantec has avoided name the origin of this Advanced Persistent Threat (ATP) but its footprints of use of malware like PlugX and ShadowPad and very low used especially designed backdoor 'Merdoor'. Legitimate tools from Avast and WinRAR, to help gather and exfiltrate data are also used. It is using a digital certificate signed by "Wemade Entertainment Co. Ltd," . The attacker have also used updated version of ZXShell rootkit.

The backdoor used by the group, named Merdoor, has been around since 2018 but has been used in a “highly targeted” fashion against “just a handful of networks and a small number of machines over the years,” Symantec said. Merdoor allows hackers to track actions, log keystrokes and inject malware as required. With the objective to stay below radar, the Merdoor backdoor appears to only have been used in a small number of attacks.

These are signature of ATP 41 (aka Blackfly/Grayfly) of China.

Symantec also avoided naming victim countries except name general area of operations of Lancefly is South and Southeast Asia, in sectors including government, aviation, education and telecoms.

While the 2020 and 2021 campaigns used phishing lures based on the ASEAN Summit, Symantec researchers said the group now uses a variety of initial infection vectors, showing that they are “adaptable.”

For complete technical details including 'Indicators of Compromise' please visit the Source given below.

Source: Lancefly: Symantec Enterprise Blogs (security.com)