Merdoor is a backdoor-type malicious program that opens a “backdoor” for malware and malicious components to enter compromised systems.
The threat actor responsible for Merdoor is Lancefly, and this malware has been active since at least 2018. It is primarily used in targeted attacks that focus on a small number of infected devices. These attacks are typically aimed at South and Southeast Asian entities in the government, education, aviation, and telecommunications sectors. The main objective of Lancefly appears to be intelligence gathering.
Overview of Merdoor malware
| Attribute | Details |
| --- | --- |
| Name | Merdoor Virus |
| Detection | Trojan:Win32/Casdet!rfn |
| Damage | Installs itself as a service; keylogging; a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP); ability to listen on a local port for commands |
| Fix Tool | See If Your System Has Been Affected by Merdoor Virus |
After successfully infiltrating a system, Merdoor establishes communication with its Command and Control (C&C) server. The communication methods used by the malware vary based on its configuration and variant. As mentioned earlier, Merdoor has been employed in targeted attacks, and the specific infections may vary.
Merdoor is designed to facilitate chain infections. While backdoor programs theoretically have the capability to introduce any type of malware into an infected machine, in practice they typically operate within certain limitations. In known attacks, Merdoor has been observed introducing loaders, the r77 rootkit, the PlugX RAT (Remote Access Trojan), and other malicious content into compromised systems.
In addition, Merdoor can exploit legitimate processes and tools for malicious purposes. It also includes keylogging functionalities, allowing it to record keystrokes and capture sensitive information.
High-risk malware like Merdoor can lead to multiple system infections, data loss, severe privacy issues, financial losses, and identity theft. However, the consequences of highly targeted attacks against sensitive entities can be even more devastating.
Examples of similar malware
Examples of other malicious programs with backdoor functionalities include HangUp, Hlux, Haxdoor, and Convagent.
Malware can have various combinations of features. However, regardless of how malicious software operates, its presence on a system poses a threat to device integrity and user safety. Therefore, immediate elimination of all threats is essential.
How did Merdoor infiltrate my computer?
Merdoor has been distributed using different techniques. In a 2020 attack involving this backdoor, it likely originated from a phishing email. Subsequent campaigns may have employed brute-force methods. The extent to which Lancefly alters their methodology between attacks remains unclear. The threat actor may continue using similar tactics or make drastic shifts.
In general, malware is propagated through phishing and social engineering techniques. Malicious software is often disguised or bundled with seemingly ordinary programs or media.
Since Merdoor has been distributed via spam email, it is important to further discuss this method of malware proliferation. Spam messages, including emails, private messages, and text messages, contain malicious attachments or links that lead to websites that secretly download/install malware or deceive visitors into doing so.
Malicious files come in various formats, such as Microsoft Office documents, archives, executables, JavaScript, and more. When a malicious file is executed or opened, the infection chain is triggered. For example, Microsoft Office files can infect devices by executing malicious macro commands, while harmful OneNote documents require users to click on embedded files or links.
In addition to spam mail, malware is also spread through stealthy drive-by downloads, online scams, malicious advertisements, untrustworthy download sources (such as freeware and third-party websites, P2P sharing networks), illegal software activation tools (“cracks”), and fake updates.
Furthermore, some malicious programs can self-propagate through local networks and removable storage devices like external hard drives and USB flash drives.
How to avoid malware installation?
We strongly recommend exercising caution when dealing with incoming emails and messages. Do not open attachments or click on links in suspicious emails, as they may be infected. Vigilance should also be extended to browsing the internet, as fraudulent and malicious online content often appears harmless.
Download software only from official and verified sources. Activate and update software using legitimate functions and tools, as illegal activation tools (“cracks”) and fake updates can contain malware.
It is crucial to have a reliable and up-to-date antivirus program installed. Regular system scans should be performed using security software to detect and remove any identified threats. If you suspect that your computer is already infected, we recommend running a scan with Gridinsoft Anti-Malware to automatically eliminate the infiltrated malware.
How to remove the Merdoor from my PC?
Merdoor malware is very difficult to delete by hand. It stores its files in numerous locations throughout the disk and can restore itself from any one of them. Additionally, the changes it makes to the registry, networking configuration and Group Policies are hard to locate and revert to their original state. It is better to use a dedicated tool, namely an anti-malware application. GridinSoft Anti-Malware fits malware removal purposes well.
Why GridinSoft Anti-Malware? It is fairly lightweight and its databases are updated almost every hour. In addition, it does not have the bugs and vulnerabilities that Microsoft Defender does. The combination of these details makes GridinSoft Anti-Malware well suited to removing malware of any kind.
Remove the Merdoor with GridinSoft Anti-Malware
- Download and install GridinSoft Anti-Malware. After the installation, you will be prompted to perform the Standard Scan. Approve this action.
- The Standard Scan checks the logical disk where the system files are stored, together with the files of programs you have already installed. The scan lasts up to 6 minutes.
- When the scan is over, you may choose the action for each detected threat. For all files of Merdoor the default option is “Delete”. Press “Apply” to finish the malware removal.
Frequently Asked Questions (FAQ)
Merdoor is a type of backdoor malware that allows unauthorized access to compromised systems, enabling the entry of other malicious programs and components.
Merdoor is attributed to a threat actor known as Lancefly. This malware has been active since at least 2018 and is primarily used in targeted attacks against entities in South and Southeast Asia, particularly in government, education, aviation, and telecommunications sectors.
Lancefly’s objective with Merdoor appears to be gathering intelligence from the compromised systems.
Merdoor has been distributed using various techniques, including phishing emails, brute-force methods, and other social engineering tactics. The specific infiltration method may vary between attacks.
Once Merdoor infects a system, it establishes communication with its Command and Control (C&C) server and can introduce additional malware into the compromised system. It can also abuse legitimate processes, employ keylogging functionalities, and cause chain infections.
To protect your computer from Merdoor and other malware:
- Exercise caution with incoming emails and messages, avoiding opening suspicious attachments or clicking on suspicious links.
- Download software only from official and verified sources.
- Use legitimate activation methods and update software through trusted channels.
- Install and regularly update a reliable antivirus program.
- Conduct regular system scans to detect and remove any identified threats.
High-risk malware like Merdoor can lead to multiple system infections, data loss, severe privacy issues, financial losses, and identity theft. Targeted attacks against sensitive entities can have even more devastating consequences.
If you suspect your computer is infected with Merdoor or any other malware, it is recommended to run a scan using reliable security software such as Gridinsoft Anti-Malware, which can automatically detect and remove infiltrated malware.
Yes, some malicious programs, including Merdoor, can self-propagate through local networks and removable storage devices such as external hard drives and USB flash drives.
How to Remove Merdoor Malware
Name: Merdoor
Description: Merdoor is a malicious program categorized as a backdoor-type malware. This particular malware is designed to create a "backdoor" or unauthorized access point into compromised computer systems. It allows the entry of other malware and malicious components, enabling cyber attackers to gain control over the infected system. Merdoor has been observed in targeted attacks primarily focused on entities in South and Southeast Asia, particularly in government, education, aviation, and telecommunications sectors. The threat actor behind Merdoor is known as Lancefly, and their objective appears to be gathering intelligence from the compromised systems.
Operating System: Windows
Application Category: Malware