Researchers Discover Advanced Backdoor and Custom Implant in Year-Long Cyber Operation

May 15, 2023
Cyber Threat / Malware

A fresh cyber threat has emerged, targeting government, aviation, education, and telecom sectors across South and Southeast Asia. This campaign, linked to a newly identified hacking group, began in mid-2022 and extended into early 2023. Symantec, a division of Broadcom Software, has dubbed this activity “Lancefly,” identifying a sophisticated backdoor known as Merdoor. Investigation reveals that this custom implant may have been in use as early as 2018. The campaign’s objectives appear to focus on intelligence gathering, given the tools employed and the specific targets chosen. According to Symantec’s analysis shared with The Hacker News, “The backdoor is deployed very selectively, impacting only a limited number of networks and devices over the years, indicating a highly targeted approach.” Additionally, the attackers appear to possess an updated version of the ZXShell rootkit.

Researchers Identify Sophisticated Backdoor and Custom Implant Amid Extended Cyber Campaign

A newly identified hacking group has executed a sustained cyber campaign impacting key sectors including government, aviation, education, and telecommunications across South and Southeast Asia. This operation, which began in mid-2022 and persisted into early 2023, has been under scrutiny by Symantec, a division of Broadcom Software, which is tracking the group’s activities under the name Lancefly.

Central to this campaign is a formidable backdoor, dubbed Merdoor, which has shown signs of use dating back to 2018. The evidence collected thus far suggests that the deployment of such sophisticated tools is carefully orchestrated, as the backdoor appears selectively across a limited number of networks and machines over the years. This indicates a highly targeted approach, with the primary objective inferred to be intelligence gathering. Symantec’s analysis, shared with The Hacker News, emphasizes the selective nature of the backdoor’s usage, reinforcing its utility for specific operations rather than indiscriminate attacks.

In addition to Merdoor, attackers have utilized an upgraded version of the ZXShell rootkit, further enhancing their capabilities. This intricate blend of tools reflects a methodical approach consistent with complex cyber operations aimed at extensive information reconnaissance. The specificity of the targets underscores a strategic emphasis on sectors critical to national infrastructure and information control.

This operation aligns with several techniques identified in the MITRE ATT&CK framework, particularly in terms of initial access and persistence strategies. The attackers likely employed tactics such as spear phishing or exploiting known vulnerabilities to gain entry. Once inside, they could have maintained their presence through advanced persistence mechanisms, ensuring prolonged access to sensitive information while minimizing detection.

Privilege escalation methods may also have been leveraged, allowing adversaries to elevate their access rights within compromised environments. These tactics showcase an understanding of cybersecurity defenses and reflect a disciplined adherence to operational security, making them particularly challenging to mitigate.

As the situation develops, business leaders within the affected sectors should remain vigilant. The targeted nature of this campaign highlights the critical need for proactive cybersecurity measures and a robust understanding of potential threats. Adopting a comprehensive risk management strategy that encompasses threat intelligence sharing and regular security assessments can significantly enhance defensive capabilities. The implications of this campaign serve as a stark reminder of the evolving threats within the digital landscape and the continuous necessity for vigilance in cybersecurity practices.

Organizations must prioritize a culture of security awareness, equipping their workforce with knowledge of social engineering tactics and reinforcing the importance of immediate reporting of suspicious activities. As the nature of cyber threats continues to grow in complexity and sophistication, adopting a multi-layered defense approach is essential for safeguarding sensitive information and assets against future incursions.
