Merdoor Malware Backdoor Removal

Written by Daniel Zimmerman
Merdoor is a backdoor-type malicious program that opens a “backdoor” for malware and malicious components to enter compromised systems.

The threat actor responsible for Merdoor is Lancefly [1], and this malware has been active since at least 2018. It is primarily used in targeted attacks that focus on a small number of infected devices. These attacks are typically aimed at South and Southeast Asian entities in government, education, aviation, and telecommunications sectors. The main objective of Lancefly appears to be intelligence gathering.


Overview of Merdoor malware

Name: Merdoor Virus

Detection: Trojan:Win32/Casdet!rfn

Damage: Installing itself as a service, keylogging, a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), ability to listen on a local port for commands

Fix Tool: See If Your System Has Been Affected by Merdoor Virus

After successfully infiltrating a system, Merdoor establishes communication with its Command and Control (C&C) server. The communication methods used by the malware vary based on its configuration and variant. As mentioned earlier, Merdoor has been employed in targeted attacks, and the specific infections may vary.

Merdoor is designed to facilitate chain infections. While backdoor programs theoretically have the capability to introduce any type of malware into an infected machine, they typically operate within certain limitations. In known attacks, Merdoor has been observed introducing loaders, r77Rootkit, PlugX RAT (Remote Access Trojan), and other malicious content into compromised systems.

In addition, Merdoor can exploit legitimate processes and tools for malicious purposes. It also includes keylogging functionalities, allowing it to record keystrokes and capture sensitive information.

High-risk malware like Merdoor can lead to multiple system infections, data loss, severe privacy issues, financial losses, and identity theft. However, the consequences of highly targeted attacks against sensitive entities can be even more devastating.

Examples of similar malware

Examples of other malicious programs with backdoor functionalities include HangUp, Hlux, Haxdoor, and Convagent.

Malware can have various combinations of features. However, regardless of how malicious software operates, its presence on a system poses a threat to device integrity and user safety. Therefore, immediate elimination of all threats is essential.

How did Merdoor infiltrate my computer?

Merdoor has been distributed using different techniques. In a 2020 attack involving this backdoor, it likely originated from a phishing email. Subsequent campaigns may have employed brute-force methods. The extent to which Lancefly alters their methodology between attacks remains unclear. The threat actor may continue using similar tactics or make drastic shifts.

In general, malware is propagated through phishing and social engineering techniques. Malicious software is often disguised or bundled with seemingly ordinary programs or media.

Since Merdoor has been distributed via spam email, it is important to further discuss this method of malware proliferation. Spam messages, including emails, private messages, and text messages, contain malicious attachments or links that lead to websites that secretly download/install malware or deceive visitors into doing so.

Malicious files come in various formats, such as Microsoft Office documents, archives, executables, JavaScript, and more. When a malicious file is executed or opened, the infection chain is triggered. For example, Microsoft Office files can infect devices by executing malicious macro commands, while harmful OneNote documents require users to click on embedded files or links.

In addition to spam mail, malware is also spread through stealthy drive-by downloads, online scams, malicious advertisements, untrustworthy download sources (such as freeware and third-party websites, P2P sharing networks), illegal software activation tools (“cracks”), and fake updates.

Furthermore, some malicious programs can self-propagate through local networks and removable storage devices like external hard drives and USB flash drives.

How to avoid malware installation?

We strongly recommend exercising caution when dealing with incoming emails and messages. Do not open attachments or click on links in suspicious emails, as they may be infected. Vigilance should also be extended to browsing the internet, as fraudulent and malicious online content often appears harmless.

Download software only from official and verified sources. Activate and update software using legitimate functions and tools, as illegal activation tools (“cracks”) and fake updates can contain malware.

It is crucial to have a reliable and up-to-date antivirus program installed. Regular system scans should be performed using security software to detect and remove any identified threats. If you suspect that your computer is already infected, we recommend running a scan with Gridinsoft Anti-Malware to automatically eliminate the infiltrated malware.

How to remove Merdoor from my PC?

Merdoor malware is very difficult to delete by hand. It stores its files in numerous places on the disk and can restore itself from any one of them. Additionally, its changes to the registry, network configuration and Group Policy settings are hard to locate and revert to their original state. It is better to use a dedicated app, namely an anti-malware app. GridinSoft Anti-Malware will definitely fit the best for malware removal purposes.

Why GridinSoft Anti-Malware? It is pretty light-weight and has its databases updated almost every hour. In addition, it does not have such bugs and vulnerabilities as Microsoft Defender does. The combination of these details makes GridinSoft Anti-Malware ideal for taking out malware of any kind.

Remove Merdoor with GridinSoft Anti-Malware

  • Download and install GridinSoft Anti-Malware. After the installation, you will be offered to perform the Standard Scan. Approve this action.
    [Screenshot: Merdoor in the scan]

  • Standard scan checks the logical disk where the system files are stored, together with the files of programs you have already installed. The scan lasts up to 6 minutes.
    [Screenshot: Merdoor in the scan results]

  • When the scan is over, you may choose the action for each detected virus. For all files of Merdoor the default option is “Delete”. Press “Apply” to finish the malware removal.
    [Screenshot: Merdoor - After Cleaning]

Frequently Asked Questions (FAQ)

What is Merdoor?

Merdoor is a type of backdoor malware that allows unauthorized access to compromised systems, enabling the entry of other malicious programs and components.

Who is behind Merdoor?

Merdoor is attributed to a threat actor known as Lancefly. This malware has been active since at least 2018 and is primarily used in targeted attacks against entities in South and Southeast Asia, particularly in government, education, aviation, and telecommunications sectors.

What are the objectives of Lancefly with Merdoor?

Lancefly’s objective with Merdoor appears to be gathering intelligence from the compromised systems.

How does Merdoor infiltrate systems?

Merdoor has been distributed using various techniques, including phishing emails, brute-force methods, and other social engineering tactics. The specific infiltration method may vary between attacks.

What can Merdoor do once it infects a system?

Once Merdoor infects a system, it establishes communication with its Command and Control (C&C) server and can introduce additional malware into the compromised system. It can also abuse legitimate processes, employ keylogging functionalities, and cause chain infections.

How can I protect my computer from Merdoor and similar threats?

To protect your computer from Merdoor and other malware:

  • Exercise caution with incoming emails and messages, avoiding opening suspicious attachments or clicking on suspicious links.
  • Download software only from official and verified sources.
  • Use legitimate activation methods and update software through trusted channels.
  • Install and regularly update a reliable antivirus program.
  • Conduct regular system scans to detect and remove any identified threats.

What are the potential risks of Merdoor and targeted attacks?

High-risk malware like Merdoor can lead to multiple system infections, data loss, severe privacy issues, financial losses, and identity theft. Targeted attacks against sensitive entities can have even more devastating consequences.

How can I detect and remove Merdoor from my system?

If you suspect your computer is infected with Merdoor or any other malware, it is recommended to run a scan using reliable security software such as Gridinsoft Anti-Malware, which can automatically detect and remove infiltrated malware.

Can Merdoor spread through local networks or removable storage devices?

Yes, some malicious programs, including Merdoor, can self-propagate through local networks and removable storage devices such as external hard drives and USB flash drives.

How to Remove Merdoor Malware

Name: Merdoor

Description: Merdoor is a malicious program categorized as a backdoor-type malware. This particular malware is designed to create a "backdoor" or unauthorized access point into compromised computer systems. It allows the entry of other malware and malicious components, enabling cyber attackers to gain control over the infected system. Merdoor has been observed in targeted attacks primarily focused on entities in South and Southeast Asia, particularly in government, education, aviation, and telecommunications sectors. The threat actor behind Merdoor is known as Lancefly, and their objective appears to be gathering intelligence from the compromised systems.

Operating System: Windows

Application Category: Malware


References

  1. More About Lancefly

About the author

Daniel Zimmerman

I'm Daniel, a seasoned professional deeply passionate about the realm of security and malware defense. With over a decade of experience in the security industry and a background in writing, I am thrilled to share my expertise through this cybersecurity blog.

Throughout my career, I've had the privilege of working on the front lines of cybersecurity, tirelessly combating emerging threats and safeguarding digital environments. This hands-on experience has allowed me to develop a deep understanding of the ever-evolving landscape of malware and cyber-attacks.
