Merdoor

Malware updated 5 months ago (2024-05-04T17:32:15.449Z)
Merdoor is a powerful backdoor that has been in existence since 2018, according to Symantec. It is capable of installing itself as a service, keylogging, listening on local ports for commands, and communicating with its command-and-control (C&C) server over HTTP, HTTPS, DNS, UDP or TCP. The malware has been used by the Advanced Persistent Threat (APT) group Lancefly, which has delivered it via phishing, SSH brute forcing, and vulnerable public-facing assets. Despite existing for several years, Merdoor appears to have been used only in a limited number of highly targeted attacks.

Lancefly also employs other tools, including Impacket Atexec, WinRAR, LSASS Dumper, NBTScan, the Blackloader and Prcloader loaders, and an updated version of the ZXShell rootkit. The attackers use these tools for memory dumping, stealing registry hives, and encrypting files with a disguised WinRAR tool; they then likely use Merdoor to exfiltrate the stolen credentials and sensitive data. Symantec noted, however, that no strong links could be established between Lancefly's activity and any other known attack group on the basis of the shared tools and overlaps.

Despite Merdoor's low prevalence, its use by Lancefly is notable because of the highly targeted nature of these attacks. The malware was observed in some activity in Russian locations in 2020 and 2021, and this continued into the first quarter of 2023. The Merdoor instances found were identical except for their method of communicating with the C&C server, their service details, and their installation directory. The malware's stealth and sophisticated functionality make it a significant threat.
Description last updated: 2024-05-04T16:35:22.663Z
Aliases: we are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Loader
Apt
Windows
Payload
Dropper
WinRAR
Symantec
Associated Threat Actors
Alias: Lancefly
Description: The Lancefly threat actor is associated with Merdoor. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto
Association Type: Unspecified
Votes: 5

Alias: Lancefly
Description: The threat actor Lancefly is associated with Merdoor.
Association Type: Unspecified
Votes: 4
Source Document References
Information about the Merdoor malware was read from the documents corpus below.
Source (created):
CERT-EU (a year ago)
CERT-EU (a year ago)
Flashpoint (2 years ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CSO Online (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)