A new hacking group has targeted the government, aviation, education, and telecom industries in South and Southeast Asia as part of a highly focused campaign that began in mid-2022 and extended into the first quarter of 2023.
Broadcom Software’s Symantec is tracking the activity under the insect-themed moniker Lancefly, with the attacks employing a “powerful” backdoor called Merdoor. Available data suggests that the custom implant was in use as early as 2018. Based on the tooling and the victimology, the campaign’s ultimate purpose appears to be intelligence gathering.
“The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted,” Symantec said in an analysis shared with The Hacker News.
“The attackers in this campaign also have access to an updated version of the ZXShell rootkit.”
While the precise initial intrusion vector is unknown, it is believed to have involved phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains ultimately lead to the deployment of ZXShell and Merdoor, fully featured malware capable of communicating with an actor-controlled server to receive further commands and of logging keystrokes.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents