TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: Cybersecurity researchers with Symantec recently published a report (weblink below) on a new APT hacking group, dubbed Lancefly, that uses a custom ‘Merdoor’ backdoor malware to target government, aviation, and telecommunication organizations. The malware is capable of keylogging and communicating with its command-and-control server through various methods, including HTTP, HTTPS, DNS, UDP, and TCP. The backdoor is typically delivered through a self-extracting RAR file containing a legitimate and signed binary vulnerable to DLL search-order hijacking, a malicious loader, and an encrypted file containing the final payload. The ZXShell rootkit has also been used by the Lancefly APT group and is signed by the same certificate used by the China-linked APT41 group. The source code for ZXShell is now publicly available.
Symantec Report: hxxps://symantec-enterprise-blogs.security[.]com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor
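The delivery chain in the summary above (a signed binary dropped by a self-extracting RAR alongside an unsigned loader DLL) leaves a recognizable pattern in image-load telemetry: a process resolving a DLL that is not validly signed from its own non-system directory. The following is an added example for defenders, not code from Symantec or from the advisory; it uses Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus) and entirely constructed sample events.

```python
from __future__ import annotations
import ntpath

# Directories from which a Windows binary is expected to resolve system DLLs.
# A DLL resolved from one of these is not the sideloading pattern.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

def is_sideload_candidate(event: dict) -> bool:
    """Return True when a process loads a DLL that is not validly signed from
    the process's own directory, and that directory is outside the Windows
    system directories. Field names follow Sysmon Event ID 7 (ImageLoaded)."""
    image_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if image_dir != dll_dir:
        return False                      # resolved elsewhere: normal search order
    if dll_dir.startswith(SYSTEM_DIRS):
        return False                      # system directory: expected location
    validly_signed = (event.get("Signed", "false").lower() == "true"
                      and event.get("SignatureStatus", "") == "Valid")
    return not validly_signed

def find_sideloads(events: list[dict]) -> list[dict]:
    """Filter a batch of ImageLoaded events down to sideloading candidates."""
    return [e for e in events if is_sideload_candidate(e)]

# Constructed sample events (not real telemetry); the SFX RAR extraction
# directory mirrors the delivery chain described in the advisory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\unsigned.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("sideload candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

Sysmon's ImageLoaded event carries the DLL's signature status but not the loading process's, so confirming that the host binary is itself legitimately signed (the other half of the pattern) needs enrichment from process-creation or file-reputation data.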
NYSIC CAU Analyst Note: Since 2018, the Merdoor backdoor has only been used in a small number of attacks, but it is highly capable and has been associated with other APT groups, including HiddenLynx/APT17 and China-linked groups using PlugX and ShadowPad.
Additionally, the New York City Police Department compiled a list of IOCs to aid in threat mitigation and network defense. For your convenience, a copy of the IOC list in a form that allows copying and pasting can be found in the attached document (click the yellow push pin to open it).
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.