Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors

Lancefly’s recent activity centers on the Merdoor backdoor and ZXShell rootkit, targeting government, aviation, and other sectors with intelligence-gathering as a primary motive. The campaign shows adaptability in initial access vectors, credential theft via non-malware methods, and a mix of loaders and backdoors to maintain access and exfiltrate data. #Lancefly #Merdoor #ZXShell #PlugX #ShadowPad #APT41

Keypoints

  • Lancefly employed the Merdoor backdoor and an updated ZXShell rootkit, with targeted activity across government, aviation, and other sectors.
  • Initial infection vectors were not definitively identified, but indications include SSH brute forcing and exploitation of an exposed public-facing load balancer/server.
  • Credential theft relied on non-malware, living-off-the-land techniques such as PowerShell-based memory dumping, Reg.exe registry export, and LSASS memory dumping using comsvcs.dll.
  • A masqueraded WinRAR was used to stage and encrypt data prior to exfiltration, indicating use of traditional archiving for data handling.
  • Attack chain tools and TTPs include Impacket Atexec for lateral movement, suspicious SMB activity, an LSASS dumper, NBTScan, and the loaders Blackloader and Prcloader, which are linked to PlugX.
  • ZXShell rootkit analysis shows a kernel-level driver (TdiProxy.sys) and a loader that drops the driver and communicates with it via DeviceIoControl, alongside extensive registry manipulation and use of compression.
  • Possible links to other groups (e.g., APT41) are discussed but no definitive attribution is established; the ZXShell/toolchain history suggests overlaps but not a conclusive tie.

MITRE Techniques

  • [T1078.004] Valid Accounts – SSH – SSH brute forcing suspected as a potential initial infection vector. Quote: “the initial infection vector may have been SSH brute forcing.”
  • [T1133] External Remote Services – Exposed public-facing server used as an initial access vector. Quote: “an exposed public-facing server.”
  • [T1003.001] Credential Dumping: LSASS – Dump memory via MiniDump (LSASS memory). Quote: “PowerShell was used to launch rundll32.exe in order to dump the memory of a process using the MiniDump function of comsvcs.dll. This technique is often used to dump LSASS memory.”
  • [T1003.002] Credential Dumping: SAM and SYSTEM – Reg.exe dumped SAM and SYSTEM registry hives. Quote: “Reg.exe was used to dump the SAM and SYSTEM registry hives.”
  • [T1059.001] PowerShell – usage to facilitate credential dumping and other actions. Quote: “PowerShell was used to launch rundll32.exe…”
  • [T1036] Masquerading – Masqueraded WinRAR to stage files. Quote: “A masqueraded version of the legitimate archiving tool WinRAR to stage and encrypt files before exfiltration.”
  • [T1560.001] Archive Collected Data – Use of WinRAR to stage/encrypt data before exfiltration. Quote: “to stage and encrypt files before exfiltration.”
  • [T1021.002] SMB/Windows Admin Shares – Impacket Atexec used to execute remote commands via SMB (lateral movement). Quote: “Impacket Atexec: A dual-use tool that can be used by malicious actors to create and run an immediate scheduled task on a remote target via SMB in order to execute commands on a target system.”
  • [T1053.005] Scheduled Task – Remote scheduled task creation via SMB to run commands. Quote: “immediate scheduled task on a remote target via SMB…”
  • [T1055] Process Injection – mavinject.exe used for process injection; createdump used to dump LSASS. Quote: “mavinject.exe (which can be used for process injection) and createdump.exe (which can be used to dump a process e.g. LSASS).”
  • [T1112] Modify Registry – Numerous registry writes and values created (ptdf, ecdf, tudf, etc.). Quote: “Next, it sets the following registry value” and “It creates the following registry value.”
  • [T1543.003] Create/Modify System Process: Create Service – Creation of services (TdiProxy0, etc.) and starting them. Quote: “The sample creates a service with the following parameters…”
  • [T1140] Deobfuscate/Decode Files or Information – XOR-transformed data and decompression steps. Quote: “partially transformed using the XOR algorithm with the byte key 0x12” and “decompresses”
  • [T1562.001] Impair Defenses – Termination of antivirus processes (egui.exe, ekrn.exe, msmpeng.exe). Quote: “it may terminate the processes ‘egui.exe’, ‘ekrn.exe’, and ‘msmpeng.exe’.”
  • [T1564.001] Hide Artifacts: Archive Collected Data – Use of compression (aPLib) and staged files. Quote: “using aPLib for compression”
  • [T1036] Masquerading – WinRAR and related file names used to conceal their actions. Quote: “masqueraded WinRAR (wmiprvse.exe)”
  • [T1547] Boot or Logon Autostart Execution – Service creation and manipulation to run at startup (service-based persistence). Quote: “It restarts the referred service.”
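As an added illustration (not code from the Symantec report), the credential-theft behaviour mapped above, rundll32.exe loading comsvcs.dll's MiniDump export and reg.exe saving the SAM/SYSTEM hives, can be flagged from ordinary process-creation telemetry. The event layout and the sample command lines below are constructed for the demo; the `detect` function and its rule names are hypothetical, not part of any product.

```python
import re

# Constructed Sysmon/4688-style process-creation events (not from the report).
SAMPLE_EVENTS = [
    {"parent": "powershell.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\l.dmp full"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"},
    # Benign look-alikes that must not fire.
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
    {"parent": "svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

# Each rule: (ATT&CK id, description, command-line pattern).
# comsvcs.dll MiniDump may also be called by export ordinal (#24), so match both.
RULES = [
    ("T1003.001", "Process memory dump via comsvcs.dll MiniDump",
     re.compile(r"comsvcs(\.dll)?.*(minidump|#24)", re.I)),
    ("T1003.002", "SAM/SYSTEM/SECURITY hive export via reg.exe",
     re.compile(r"\breg(\.exe)?\s+(save|export)\s+(hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def detect(events):
    """Return one finding per (event, rule) match; flags script-host parents,
    since the report notes PowerShell launching rundll32 for the dump."""
    findings = []
    for ev in events:
        for tid, title, pat in RULES:
            if pat.search(ev["cmd"]):
                findings.append({
                    "technique": tid,
                    "title": title,
                    "parent": ev["parent"],
                    "scripted_parent": ev["parent"].lower() in SCRIPT_HOSTS,
                    "cmd": ev["cmd"],
                })
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], f["parent"], "->", f["cmd"])
```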

Indicators of Compromise

  • [SHA256] Merdoor Backdoor – 13df2d19f6d2719beeff3b882df1d3c9131a292cf097b27a0ffca5f45e139581, 8f64c25ba85f8b77cfba3701bebde119f610afef6d9a5965a3ed51a4a4b9dead, and 22 more hashes
  • [Filename] Merdoor-related files – a.exe, chrome_frame_helper.exe, siteadv.exe, and 14 more filenames

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor?web_view=true