This sneaky malware lay undetected for five years to target government devices


Cybersecurity researchers have spotted new threat actors targeting government, aviation, education, and telecoms firms. 

A report from Symantec describes a group it dubbed Lancefly, which was spotted using a custom piece of malware against the organizations mentioned above. Lancefly is using a custom infostealer called Merdoor which, according to the researchers, has been circulating since at least 2018. The researchers saw it in certain campaigns back in 2020 and 2021, but for this specific campaign the malware has been in use since mid-2022 and continued into 2023.

Symantec’s experts are claiming that the attackers aren’t casting a wide net with Merdoor, but are rather quite picky with their targets. “Only a small number of machines [are] infected,” they said.

The Merdoor malware

Merdoor comes with a number of functions, including installing itself as a service, keylogging, different means of communication with the C2 server (HTTP, HTTPS, DNS, etc.), and the ability to listen on a local port for commands.

While evidence from previous campaigns suggests Lancefly uses classic phishing techniques to distribute the backdoor to endpoints, for this specific campaign, the infection vector wasn’t clear, the researchers said. In one instance, the attackers seem to have used SSH brute-forcing. In another instance, a load balancer may have been exploited for access.

“While evidence for any of these infection vectors is not definitive, it does appear to indicate that Lancefly is adaptable when it comes to the kind of infection vectors it uses,” the researchers concluded. 
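The SSH brute-forcing mentioned above is one of the few infection vectors a defender can look for directly in host logs. As an added example (not from Symantec's report or from the Lancefly campaign itself), the following Python script parses constructed sshd auth log lines, flags source addresses that exceed a failure threshold within a short window, and reports any later successful login from a flagged address, which is the event that warrants investigation. The log lines, IP addresses, threshold and window are constructed for illustration.

```python
"""Detect SSH brute-force bursts in sshd auth log lines.

Added example: flags source IPs with many failed logins in a short window,
and highlights a later successful login from the same IP.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in traditional syslog format (year assumed to be 2023).
SAMPLE_LOG = """\
May 14 02:10:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 14 02:10:03 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
May 14 02:10:04 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51134 ssh2
May 14 02:10:06 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 51140 ssh2
May 14 02:10:08 bastion sshd[1209]: Failed password for root from 203.0.113.7 port 51144 ssh2
May 14 02:10:11 bastion sshd[1211]: Accepted password for root from 203.0.113.7 port 51150 ssh2
May 14 02:15:00 bastion sshd[1300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
May 14 02:15:30 bastion sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

# Matches both failed and accepted sshd login records, including "invalid user" failures.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2023):
    """Return a dict for an sshd login record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return (flagged_ips, successes_after_bruteforce).

    An IP is flagged once it has `threshold` failures inside a sliding window
    of `window_seconds`. Lines are assumed to be in chronological order.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    successes = []  # (ip, user, timestamp) of logins from flagged IPs
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ev["ip"])
        elif ev["ip"] in flagged:
            successes.append((ev["ip"], ev["user"], ev["ts"]))
    return flagged, successes


if __name__ == "__main__":
    ips, hits = detect_bruteforce(SAMPLE_LOG)
    print("brute-force sources:", sorted(ips))
    for ip, user, ts in hits:
        print(f"ALERT: successful login for {user} from {ip} at {ts} after brute-force burst")
```

The script keeps only one deque of timestamps per source address, so it can run over a large log without holding every event in memory; the threshold and window are the two knobs to tune against a host's normal failure rate.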

The identity of the group remains a mystery, although the researchers did suggest that it might be Chinese. In its campaigns, Lancefly uses the ZXSHell rootkit, which is signed with the “Wemade Entertainment Co. Ltd” certificate. This certificate has been linked to Blackfly (AKA APT41), a Chinese threat actor. However, that group is known for sharing its certificates with other threat actors.

Wherever the group is from, one thing is certain: the goal of its campaign is espionage and intelligence gathering.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.