Merdoor

Malware updated 3 days ago (2024-10-15T10:03:01.478Z)
Merdoor is a backdoor that has been in existence since 2018. It can install itself as a service, log keystrokes, listen on a local port for commands, and communicate with its command-and-control (C&C) server over HTTP, HTTPS, DNS, UDP or TCP. Despite being operational for several years, Merdoor has been used in only a small number of highly targeted attacks, in which the operators deploy the custom Merdoor backdoor together with a modified version of the open-source ZXShell rootkit. Observed Merdoor samples are identical except for their C&C communication method, the service details and the installation directory; in every case the malware disguises itself as a legitimate service.

The advanced persistent threat (APT) group behind Merdoor, tracked by Symantec as Lancefly, has used it since 2020, with phishing, SSH brute forcing and exploitation of vulnerable public-facing assets as the likely initial access vectors. Alongside Merdoor, the group has been observed using Impacket atexec, WinRAR, an LSASS dumper, NBTScan, the Blackloader and Prcloader loaders, and an updated version of the ZXShell rootkit. Post-compromise activity includes dumping process memory, stealing registry hives and archiving files with a renamed WinRAR binary, with the collected credentials and data most likely exfiltrated through Merdoor.

Symantec noted in its blog that, while some overlaps and shared tools suggest links between Lancefly activity and other APT groups, none of these overlaps is strong enough to attribute this activity, or the development of Merdoor, to an already known group. The recent Lancefly activity is noteworthy for its use of the Merdoor backdoor, given both the backdoor's low prevalence and the seemingly highly targeted nature of the attacks.
Symantec researchers observed Merdoor being used in some activity in 2020 and 2021, and again in this more recent campaign, which continued into the first quarter of 2023.
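The description above says Merdoor persists as a service under a legitimate-looking name and that only the install directory and service details change between samples. The following is an added hunting example, not code from Symantec or from the Merdoor operators: it takes a service inventory (on a live host you would build it from `Get-CimInstance Win32_Service` or an export of `HKLM\SYSTEM\CurrentControlSet\Services`) and flags services whose binary sits outside the directories where Windows and vendor services normally live. The service names, paths and the sample inventory are constructed for illustration; the page gives no Merdoor file names or paths, so none are claimed here.

```python
"""Flag services whose binary lives outside trusted service directories.

Added example (not from the original page). Merdoor-style persistence
registers a service with a plausible display name but a binary in an
attacker-chosen directory; this check surfaces that mismatch. All
paths and service names below are constructed samples.
"""
import re
from dataclasses import dataclass

# Directories where legitimate Windows and vendor services normally reside.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Locations a dropper or unprivileged user can typically write to.
WRITABLE_HINTS = (
    "\\programdata\\",
    "\\users\\",
    "\\temp\\",
    "\\appdata\\",
    "\\perflogs\\",
)


@dataclass
class Service:
    name: str          # service key name
    display_name: str  # what the user sees in services.msc
    image_path: str    # raw ImagePath value, may be quoted and carry arguments


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable from an ImagePath, handling quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ")[0]


def suspicious_services(services):
    """Return (name, binary, reasons) for every service that fails the checks."""
    findings = []
    for svc in services:
        binary = binary_from_image_path(svc.image_path).lower().replace("/", "\\")
        reasons = []
        if not binary.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside trusted service directories")
        if any(h in binary for h in WRITABLE_HINTS):
            reasons.append("binary in user-writable location")
        if reasons:
            findings.append((svc.name, binary, reasons))
    return findings


# Constructed inventory: two benign entries and two masquerading ones.
SAMPLE_SERVICES = [
    Service("Dhcp", "DHCP Client",
            r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"),
    Service("WinDefendSvc", "Windows Defender Service",          # lookalike name
            r"C:\ProgramData\Microsoft\svchost.exe"),            # wrong directory
    Service("VBoxService", "VirtualBox Guest Additions Service",
            r'"C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxService.exe"'),
    Service("PerfHost", "Performance Counter Host",              # lookalike name
            r"C:\PerfLogs\perfhost.exe"),                        # writable directory
]

if __name__ == "__main__":
    for name, binary, reasons in suspicious_services(SAMPLE_SERVICES):
        print(f"{name}: {binary}\n    " + "\n    ".join(reasons))
```

Treat a hit as a lead, not a verdict: compare the flagged binary's hash and signature against the vendor's, and pair the result with the other behaviour the page describes (a local listening port, outbound HTTP/HTTPS/DNS traffic from the service process) before escalating.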
Description last updated: 2024-10-15T09:13:42.050Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Loader
Apt
Windows
Payload
Dropper
WinRAR
Symantec
Associated Threat Actors
Alias | Description | Association Type | Votes
Lancefly | The Lancefly threat actor is associated with Merdoor. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto | Unspecified | 5
Lancefly | The threat actor Lancefly is associated with Merdoor. | Unspecified | 4
Source Document References
Information about the Merdoor malware was read from the documents corpus below.
Source | Created
CERT-EU | a year ago
CERT-EU | a year ago
Flashpoint | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Securityaffairs | a year ago
CERT-EU | a year ago
CSO Online | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago