Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign
Cyber Security Threat Summary:
Symantec recently disclosed details of a year-long running campaign targeting government, aviation, education, and telecom sectors located in South and Southeast Asia. Dubbed Lancefly, the operation commenced in mid-2022 and continued until the first quarter of 2023. According to researchers, they observed the actors deploying a powerful backdoor dubbed Merdoor, which has been around since 2018. For its part, Merdoor contains the following functionality:
“The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted” (The Hacker News, 2023).
In addition to Merdoor, the actors were seen deploying an updated version of ZXShell, a rootkit that comes were various features to siphon data from compromised systems.
Security Officer Comments:
It is unclear how the actors gained initial access into victim environments. Researchers suspect this was accomplished by various means including phishing lures, SSH brute-forcing, and the exploitation of servers exposed to the internet. Based on the tooling and victimology pattern, the goal of the latest campaign seems to be intelligence gathering.
Suggested Correction(s):
To prevent potential infections, organizations should segment and regularly patch internet-facing systems, enable two-factor authentication wherever possible, and be on the look out for malicious phishing emails. Source:
https://thehackernews.com/2023/05/researchers-uncover-powerful-backdoor.html