Merdoor Malware Backdoor Removal

Merdoor is a backdoor-type malicious program that opens a “backdoor” for malware and malicious components to enter compromised systems.

The threat actor responsible for Merdoor is Lancefly [1], and this malware has been active since at least 2018. It is primarily used in targeted attacks that focus on a small number of infected devices. These attacks are typically aimed at South and Southeast Asian entities in the government, education, aviation, and telecommunications sectors. The main objective of Lancefly appears to be intelligence gathering.

Overview of Merdoor malware

Name        Merdoor Virus
Detection   Trojan:Win32/Casdet!rfn
Damage      Installs itself as a service; keylogging; a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP); ability to listen on a local port for commands

After successfully infiltrating a system, Merdoor establishes communication with its Command and Control (C&C) server. The communication methods used by the malware vary based on its configuration and variant. As mentioned earlier, Merdoor has been employed in targeted attacks, and the specific infections may vary.
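As an added defender-side check (not code from the original article): a PowerShell hunt that covers two of the behaviours listed in the overview table, a self-installed Windows service and a process listening on a local port. The trusted-path list is an assumption for illustration, not a Merdoor indicator, and the output is a list to review by hand, since legitimate third-party services also install outside those roots.

```powershell
# Added example, not from the original article: list services whose binary lives
# outside the standard install roots and show any TCP ports their process listens on.
# The $trustedRoots allow-list is an assumption for illustration, not a Merdoor IoC.

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

# Service name -> cleaned binary path (strip surrounding quotes and arguments)
$services = Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($path -split '\s+')[0] }
    [pscustomobject]@{ Name = $_.Name; State = $_.State; Pid = $_.ProcessId; Path = $path }
}

# Services whose binary is not under one of the trusted roots
$suspectServices = $services | Where-Object {
    $p = $_.Path
    $p -and -not ($trustedRoots | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
}

# Listening TCP sockets grouped by owning PID (string keys)
$listeners = Get-NetTCPConnection -State Listen |
    Group-Object OwningProcess -AsHashTable -AsString

# One row per suspect service, with its listening ports if the process holds any
foreach ($svc in $suspectServices) {
    $ports = @()
    if ($svc.Pid -and $listeners -and $listeners.ContainsKey("$($svc.Pid)")) {
        $ports = $listeners["$($svc.Pid)"] | Select-Object -ExpandProperty LocalPort -Unique
    }
    [pscustomobject]@{
        Service     = $svc.Name
        State       = $svc.State
        BinaryPath  = $svc.Path
        ListenPorts = ($ports -join ',')
    }
}
```

A running service outside the trusted roots that also listens on a local port is worth checking against the vendor's signature and the system's change history before anything is removed.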

Merdoor is designed to facilitate chain infections. While backdoor programs theoretically have the capability to introduce any type of malware into an infected machine, they typically operate within certain limitations. In known attacks, Merdoor has been observed introducing loaders, r77Rootkit, PlugX RAT (Remote Access Trojan), and other malicious content into compromised systems.

In addition, Merdoor can exploit legitimate processes and tools for malicious purposes. It also includes keylogging functionalities, allowing it to record keystrokes and capture sensitive information.

High-risk malware like Merdoor can lead to multiple system infections, data loss, severe privacy issues, financial losses, and identity theft. However, the consequences of highly targeted attacks against sensitive entities can be even more devastating.

Examples of similar malware

Examples of other malicious programs with backdoor functionalities include HangUp, Hlux, Haxdoor, and Convagent.

Malware can have various combinations of features. However, regardless of how malicious software operates, its presence on a system poses a threat to device integrity and user safety. Therefore, immediate elimination of all threats is essential.

How did Merdoor infiltrate my computer?

In general, malware is propagated through phishing and social engineering techniques. Malicious software is often disguised or bundled with seemingly ordinary programs or media.

Malicious files come in various formats, such as Microsoft Office documents, archives, executables, JavaScript, and more. When a malicious file is executed or opened, the infection chain is triggered. For example, Microsoft Office files can infect devices by executing malicious macro commands, while harmful OneNote documents require users to click on embedded files or links.

In addition to spam mail, malware is also spread through stealthy drive-by downloads, online scams, malicious advertisements, untrustworthy download sources (such as freeware and third-party websites, P2P sharing networks), illegal software activation tools (“cracks”), and fake updates.

Furthermore, some malicious programs can self-propagate through local networks and removable storage devices like external hard drives and USB flash drives.

How to avoid malware installation?

We strongly recommend exercising caution when dealing with incoming emails and messages. Do not open attachments or click on links in suspicious emails, as they may be infected. Vigilance should also be extended to browsing the internet, as fraudulent and malicious online content often appears harmless.

How to remove Merdoor from my PC?

Frequently Asked Questions (FAQ)

What is Merdoor?
Merdoor is a type of backdoor malware that allows unauthorized access to compromised systems, enabling the entry of other malicious programs and components.
Who is behind Merdoor?
Merdoor is attributed to a threat actor known as Lancefly. This malware has been active since at least 2018 and is primarily used in targeted attacks against entities in South and Southeast Asia, particularly in government, education, aviation, and telecommunications sectors.
What are the objectives of Lancefly with Merdoor?
Lancefly’s objective with Merdoor appears to be gathering intelligence from the compromised systems.
How does Merdoor infiltrate systems?
Merdoor has been distributed using various techniques, including phishing emails, brute-force methods, and other social engineering tactics. The specific infiltration method may vary between attacks.
What can Merdoor do once it infects a system?
Once Merdoor infects a system, it establishes communication with its Command and Control (C&C) server and can introduce additional malware into the compromised system. It can also abuse legitimate processes, employ keylogging functionalities, and cause chain infections.
How can I protect my computer from Merdoor and similar threats?
To protect your computer from Merdoor and other malware: Exercise caution with incoming emails and messages, avoiding opening suspicious attachments or clicking on suspicious links. Download software only from official and verified sources. Use legitimate activation methods and update software through trusted channels. Install and regularly update a reliable antivirus program.
What are the potential risks of Merdoor and targeted attacks?
High-risk malware like Merdoor can lead to multiple system infections, data loss, severe privacy issues, financial losses, and identity theft. Targeted attacks against sensitive entities can have even more devastating consequences.
How can I detect and remove Merdoor from my system?
If you suspect your computer is infected with Merdoor or any other malware, it is recommended to run a scan using reliable security software such as
Can Merdoor spread through local networks or removable storage devices?
Yes, some malicious programs, including Merdoor, can self-propagate through local networks and removable storage devices such as external hard drives and USB flash drives.

References

  1. More About Lancefly

About the author

Daniel Zimmerman

Cybersecurity writer focused on scam websites, phishing pages, and suspicious online services. Daniel checks domain behavior, user-risk signals, and practical next steps before publishing scam reports.
