Merdoor is a powerful backdoor that, according to Symantec, has existed since 2018. It can install itself as a service, log keystrokes, listen on local ports for commands, and communicate with its command and control (C&C) server over several transports, including HTTP, HTTPS, DNS, UDP, and TCP. The malware has been used by an Advanced Persistent Threat (APT) group known as Lancefly, which has deployed it via phishing, SSH brute forcing, and vulnerable public-facing assets. Despite existing for several years, Merdoor appears to have been used in only a limited number of highly targeted attacks.
The APT group also employs other tools, including Impacket Atexec, WinRAR, LSASS Dumper, NBTScan, and the Blackloader and Prcloader loaders, as well as an updated version of the ZXShell rootkit. The attackers use these tools for memory dumping, stealing registry hives, and encrypting files with a disguised WinRAR tool. They then likely use Merdoor to exfiltrate the stolen credentials and sensitive data. However, Symantec noted that no strong links could be established between Lancefly's activity and any other known attack group on the basis of shared tools and overlaps.
Despite Merdoor's low prevalence, its use by Lancefly is notable because of the highly targeted nature of these attacks. The malware was observed in some activity at Russian locations in 2020 and 2021, and this activity continued into the first quarter of 2023. The Merdoor samples found were identical except for their method of communicating with the C&C server, their service details, and their installation directory. The malware's stealthy nature and sophisticated functionality make it a significant threat.
Description last updated: 2024-05-04T16:35:22.663Z