

Secureworks released a threat report this morning, "The Growing Threat from Infostealers," which details the impact of infostealing malware on the cyber threat ecosystem. On the Russian Market underground forum, the total number of logs for sale increased by 150%, from two million in June of last year to five million in February of this year. Logs from infostealers that have harvested user data continue to grow in volume as time goes on.

Lancefly, a new APT with a custom backdoor.

Symantec (a Broadcom company) reported yesterday that the advanced persistent threat (APT) Lancefly is using a custom backdoor to target the government, aviation, education, and telecommunication sectors in South and Southeast Asia. Lancefly's custom backdoor, "Merdoor," seems to have been around since 2018 and provides keylogging, multiple C2 communication methods, and the ability to listen for commands on a local port. "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," the researchers say. "The attackers in this campaign also have access to an updated version of the ZXShell rootkit." Merdoor is "injected into the legitimate processes perfhost.exe or svchost.exe." Symantec assesses that Lancefly may have used phishing emails as an attack vector in a campaign in 2020. In its more recent activity, however, the initial infection vector was unclear. The researchers write, "We saw some indications of what the initial infection vector may have been in two victims, though this was not conclusive." Lancefly's reuse of tools associated with Chinese APTs suggests some connection with those groups, but Symantec regards the evidence as inconclusive for precise attribution: many of those tools have been widely shared.
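The only host-level behaviour the report gives defenders to work with is that Merdoor is injected into perfhost.exe or svchost.exe and listens on a local port. The script below is an added hunting example written for this page; it is not Symantec's detection logic and carries no Lancefly indicators. It assumes Sysmon-style telemetry (event 1 process creation, event 3 network connection, event 8 CreateRemoteThread) flattened into dictionaries, and it encodes three assumptions a hunter would want to verify in their own environment: a remote thread created in either host process from an image outside System32 is suspicious; an svchost.exe running from outside System32 or with a parent other than services.exe is masquerading or oddly launched; and perfhost.exe has no reason to make outbound network connections. The event records are constructed for illustration.

```python
"""Hunt heuristics for injection into perfhost.exe / svchost.exe.

Added example for this briefing, not Symantec's detection logic.
Assumes Sysmon-like records with snake_cased field names; the
EVENTS list below is constructed sample data, not real telemetry.
"""
import ntpath

HOST_PROCESSES = {"perfhost.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"  # assumed legitimate location of both binaries


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def in_system32(path: str) -> bool:
    return path.lower().startswith(SYSTEM32)


def hunt(events):
    """Return (index, rule_name) for every event matching a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("event_id")
        if eid == 8:  # CreateRemoteThread: classic injection primitive
            if (basename(ev["target_image"]) in HOST_PROCESSES
                    and not in_system32(ev["source_image"])):
                hits.append((i, "remote_thread_into_host_process"))
        elif eid == 1:  # ProcessCreate
            img = basename(ev["image"])
            if img in HOST_PROCESSES and not in_system32(ev["image"]):
                hits.append((i, "host_process_outside_system32"))
            elif img == "svchost.exe" and basename(ev["parent_image"]) != "services.exe":
                # Assumption: legitimate svchost.exe is started by services.exe
                hits.append((i, "svchost_unexpected_parent"))
        elif eid == 3:  # NetworkConnect
            # Assumption: perfhost.exe (performance counter host) never needs the network
            if basename(ev["image"]) == "perfhost.exe":
                hits.append((i, "perfhost_network_connection"))
    return hits


# Constructed sample events (hypothetical paths and addresses)
EVENTS = [
    {"event_id": 8, "source_image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
     "target_image": "C:\\Windows\\System32\\perfhost.exe"},
    {"event_id": 8, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\svchost.exe"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"event_id": 1, "image": "C:\\Users\\Public\\svchost.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event_id": 3, "image": "C:\\Windows\\System32\\perfhost.exe",
     "dest_ip": "203.0.113.5", "dest_port": 443},
    {"event_id": 3, "image": "C:\\Windows\\System32\\svchost.exe",
     "dest_ip": "203.0.113.6", "dest_port": 80},
]

if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(f"event {idx}: {rule}")
```

Run against the constructed data, the script flags the remote thread from the Temp directory into perfhost.exe, the svchost.exe launched from a user-writable path, and the perfhost.exe outbound connection, while leaving the benign records alone. Tune the parent and path assumptions before deploying: some environments legitimately run svchost.exe under other parents, and the rules say nothing about the local listening port, which the report mentions but does not characterize.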
