CyberWire Daily - Lancefly screams bloody Merdoor.
Episode Date: June 3, 2023. Brigid O'Gorman from Symantec joins Dave to discuss their research, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors." Researchers discovered in 2020 that... Lancefly, an APT group, is using a custom-written backdoor in attacks targeting government, aviation, education, and telecoms organizations in South and Southeast Asia. The research states "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted." Some activity against these targets was observed in 2020 and 2021, but the current campaign started in 2022 and has continued into 2023. The research can be found here: Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Well, we'd actually seen some Lancefly activity previously back in 2020, 2021 time. So then when we saw this more recent activity, we were able to kind of combine, I suppose, both those sets of research to produce this blog, because this more recent activity, I suppose, gave us a bit more insight into how Lancefly operates.
That's Brigid O'Gorman. She's a senior intelligence analyst at Symantec.
The research we're discussing today is titled Lancefly.
Group uses custom backdoor to target orgs in government, aviation and other sectors.
It just seems to be a group that's been around for a few years. The indications are that Merdoor has been around since about 2018. And as I said, we did see it used back in 2020 and 2021. And it's still being used now in this activity, which continued into the first part of this year.
Well, before we dig into the specifics of Merdoor, what can you tell us about Lancefly themselves? What do we know about them?
Yeah. So as I said, they've been around for a few years by the looks of things.
They're an advanced persistent threat group, and we do think they may have, it's possible they have some links to some groups we would know, some previously known groups, like well-known names like APT41, or Budworm, which is also APT27, as well as Hidden Lynx. And we do kind of discuss some of those potential links in the blog, but all those links were a bit loose, a little bit low confidence.
So that led us to kind of break out this activity under this new group name.
And it seems pretty clear that this group is driven by, you know,
intelligence gathering.
That's their motivation.
You know, as you said,
its targets have primarily been in the government communications technology sectors, as well as aviation, which is kind of an interesting target as well.
And they do seem to be very focused on South and Southeast Asia.
That's primarily where their targets have been located.
And obviously, they're an interesting group then as well, because they do have this custom malware, custom backdoor Merdoor, which we've seen them using. And they're also using the ZXShell rootkit, which is a publicly available tool.
The source code for it is publicly available,
but it does seem that they have developed that tool
to kind of give it some additional functionality and stuff as well.
So they are able to work on their own malware as well.
Well, let's dig into Merdoor itself.
What exactly is going on with this tool?
Yeah, it's a pretty interesting tool.
It's, you know, kind of quite a powerful,
it's fully featured backdoor.
As I said, we saw it being used in activity in 2020 and 2021
as well as in this activity.
But what's interesting about it as well
is despite the fact we do think it's been around since about 2018,
that's kind of when the first sort of indications,
it seems it's been in development since then probably.
But despite the fact it's been around for a good number of years, its use does seem to be very targeted.
We've only seen it on a handful of networks and a very small number of machines over the years.
So that's interesting.
So that's kind of very prudent use of the tool, and perhaps it indicates a desire by Lancefly to kind of keep the tool and
its activity under the radar. So the backdoor itself then, its functionality includes kind of,
you know, it's fairly typical stuff. It's able to install itself as a service. Obviously that's
to try and stay under the radar most likely. It can carry out key logging. It has various methods
to allow it to communicate with its command and control server. And it's able to listen on local
ports for commands
as well from its CNC server. So typically we see it injected into the legitimate processes
perfhost.exe or svchost.exe and it's made up of kind of three components I suppose. There's a
dropper and a loader as well as the backdoor. So the Merdoor dropper, that's a self-extracting RAR file, and that then itself contains three files: a legitimate and signed binary that's vulnerable to DLL search order hijacking, which is a kind of a common technique we see APT groups using. We see the malicious loader, which is the Merdoor loader, as well as an encrypted file that contains the final payload, which is the Merdoor backdoor. So when opened, then the dropper basically extracts these embedded files. It executes the legitimate binary then in order to load the Merdoor loader.
It's quite hard to say.
And we did also find various variants of the Merdoor dropper that abuse basically older versions of five different legitimate applications that are abused for the purposes of DLL side loading, essentially, to kind of get this malware onto victim machines.
And how would someone find this on their system?
What techniques are they using to install it?
Yeah, so they seem to use various different infection vectors.
So we are entirely clear on the initial infection vector in the most recent activity.
We have indications of what some of them might have been in a couple of victims.
From its earlier campaign that it carried out in 2020, in that campaign it appeared that the group was using phishing emails as the initial infection vector.
So then in this more recent activity, we saw some indications in two victims that indicate what the initial infection vector may have been.
So in one of the government sector victims,
there were indications that the initial infection vector
may have been SSH brute forcing.
And then another victim we saw a file pass
that indicated that a load balancer
may have been exploited for access.
So that pointed to the fact
that the initial infection vector
may have been an exposed public-facing server,
which is a very common infection vector used by attackers these days, too.
So it appears that the group, you know, basically has access to or is willing to use various different infection vectors
in order to get on to victim machines, essentially.
One of the things you dig into in the blog post here is some of the details of the ZXShell rootkit. What should we know about that?
Yeah, so the ZXShell rootkit has been around for a long time. I think it was first reported on by Cisco almost 10 years ago, back in 2014. But the version of the tool, as I said, used by Lancefly is updated. So that's interesting. It indicates that it does continue to be actively developed by Lancefly or potentially by other groups as well. Obviously, we're not sure when that source code is publicly available. And often we do see groups sharing code and that kind of thing. But someone is certainly developing this tool.
But this new version of the rootkit that Lancefly is using does appear to be smaller in size. It also has some additional functions. It also targets additional antivirus software to disable, which is one of the functions of the rootkit, that it disables antivirus software.
And I suppose the various functionalities of this rootkit that Lancefly uses include keylogging, providing remote access to victim machines. It's also able to spread laterally to other hosts in the network. And it's there as well, you know, the rootkit, it sort of takes multiple steps to install itself quite stealthily onto victim machines, I would say. The rootkit's loader, it exports functions that can be used to drop payloads that match the host system's architecture. It can read and execute shellcode. It can kill processes and other things as well.
Also of note was that the rootkit's installation and updating utility kind of shared some common code with the Merdoor loader. So there was some kind of shared code base there that kind of allowed this activity to be, I suppose, connected as well.
And we also see its installation functionality supporting things like service creation, hijacking, compressing a copy of its own executable in order, again, to maybe evade detection or to, I suppose, achieve persistence on victim machines as well. So it has multiple functionalities, this rootkit.
And what does this say about the sophistication and, I suppose, even the persistence, the patience of this threat group?
Yeah, they definitely do seem to be a patient threat group because, I mean, a lot of the groups that we see that have access to custom tools and things like that, you know, we would see them deploying them, I suppose, more regularly or we'd see them using them in attacks fairly frequently.
But it does seem that this threat group, Lancefly, seems to have a very, you know, kind of specific focus. It seems to be, it seems to know, I suppose, the victims it's interested in, and it's only really interested in deploying its tools onto those machines, because it definitely is notable that Merdoor especially has been around for as long as it has been, and it's been seen so infrequently, even though it's a powerful, fully functional backdoor. So you would think when they have access to it, they would use it. But they just seem to have a very specific focus, I think, this group, and I think definitely a desire to stay potentially under the radar and keep this activity kind of low-key is one of the things driving this group as well.
Well, based on the information you all have gathered here,
what are your recommendations then for folks to best protect themselves?
I think obviously the usual kind of caveats apply when it comes to doing the usual best security practices, I suppose, when it comes to protecting yourself from any of these attack groups. But I think what's interesting with Lancefly as well is it may have those kind of potential links to other attack groups, as I said, like APT41 and Budworm, and also, who else did I say, Hidden Lynx. So I think that's notable as well for people listening, is those kind of connections between all those different Chinese APT groups, that there can be a lot of sharing of personnel, there can be a lot of sharing of, you know, tools as well. Like we did see with the ZXShell rootkit that Lancefly used was signed by a certificate with the name Wemade Entertainment Co., Ltd., and that was previously reported as being associated with APT41.
But like that doesn't really conclusively say that those groups are necessarily connected, because we do know that these kind of Chinese attack groups can share those kind of things amongst each other. And as I said, kind of shared personnel and that sort of thing. So I think one of the things to keep in mind with this Lancefly activity is, while we've broken out Lancefly here as a new group because, as I said, those kind of links we saw with the other kind of attack groups weren't definitive, you know, it's certainly possible that Lancefly could be cooperating with other APT groups and kind of working alongside them, and, you know, potentially that can lead to tool sharing, as we've seen with other tools in the past, such as, say, PlugX and ShadowPad, which Lancefly is also using in this activity, but they're shared tools now amongst other different attack groups. So I think it's just important to keep on top of all these groups' activity, on top of the new tools that they're using, like Merdoor, like this developed ZXShell rootkit, and just to watch out for any of the indicators on your system and make sure that there's an awareness that these attack groups are, I suppose, constantly working and developing tools and trying to take new steps to keep their activity under the radar all the time.
Our thanks to Brigid O'Gorman from Symantec for joining us. The research is titled Lancefly: Group uses custom backdoor to target orgs in government, aviation, and other sectors. We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Elliott Peltzman.
Our executive editor is Peter Kilpe.
And I'm Dave Bittner.
Thanks for listening.