
Ankura CTIX FLASH Update - May 16, 2023

Malware Activity

Year-Long Campaign Targeting Organizations in South and Southeast Asia Attributed to Lancefly APT Group

Researchers have attributed a highly targeted, year-long campaign to a newly identified advanced persistent threat (APT) group tracked as Lancefly. The latest activity began in mid-2022 and is ongoing, targeting government, aviation, telecom, and education organizations across South and Southeast Asia. Lancefly has only low-confidence links to previously known groups, but its custom backdoor, dubbed "Merdoor," is believed to have existed since 2018; it was used in activity in 2020 and 2021 and, in the current campaign, to gather intelligence on victims. Merdoor is a fully featured backdoor with low prevalence that is "used very selectively." It is typically injected into the legitimate processes "perfhost.exe" and "svchost.exe" and can install itself as a service, log keystrokes, communicate with its command-and-control (C2) server over several methods, and listen for commands. Researchers also noted that the campaign uses an updated version of the "ZXShell" rootkit, first documented in October 2014. ZXShell's source code is publicly available, which makes it accessible to many threat groups, and it has previously been linked to Chinese actors (specifically APT17 and APT27). As of May 15, 2023, the exact initial access vector has not been documented, but it is suspected to involve "phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers." Additional technical details and indicators of compromise (IOCs) are available in the report linked below.

Threat Actor Activity

Threat Profile: RA Ransomware Group

Security researchers have uncovered a new ransomware family whose payload is built from the leaked Babuk ransomware source code. Many groups have emerged since the Babuk code leaked in September 2021, including Rook, Night Sky, Pandora, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and now RA Group. RA Group has been operating for just over a month and has targeted the insurance, manufacturing, wealth management, and pharmaceutical industries in the United States and South Korea. The group uses double extortion: it encrypts the victim's systems and demands a ransom, then publishes the exfiltrated data if payment is not made quickly. As of May 16, 2023, four (4) victims are listed on its public leak site, one from each of the industries above. Analysis of the ransomware shows a heavily customized variant of the Babuk payload, including a fast encryption routine and detection-evasion measures. The payload also attempts to cover its tracks by deleting specific files, emptying the Recycle Bin, and removing volume shadow copies, which hinders both forensic analysis and recovery without paying. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
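The anti-forensic behaviour described above (removing volume shadow copies, emptying the Recycle Bin) is visible in process-creation telemetry. The following detector is an added example written for this brief, not code from CTIX or from any vendor report on RA Group. The log format is constructed for the example, and the commands it matches are the commonly observed Windows methods for these actions (vssadmin, wmic, wbadmin, Win32_ShadowCopy via PowerShell, and rd on $Recycle.Bin); the brief does not state which specific commands RA Group's payload uses, so treat that mapping as an assumption. Benign vssadmin usage (listing or creating shadows) is included to show that the rules key on deletion, not on the tool itself.

```python
"""Added example: flag ransomware-style anti-forensic commands in process-creation logs.

Assumptions (not from the CTIX brief): the key=value log format below is constructed
for this example, and the matched commands are the commonly observed ways of deleting
volume shadow copies and emptying the Recycle Bin on Windows, not the specific
commands used by RA Group's payload.
"""
import re

# Each rule: (alert name, pattern applied to the process command line).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recycle_bin_wipe", re.compile(r"(?:\brd\b|\brmdir\b|remove-item).*\$recycle\.bin", re.I)),
]

# key=value fields; a value is either a double-quoted string or a run of non-space chars.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (hostnames, users and paths are hypothetical).
SAMPLE_LOG = r"""
2023-05-15T03:12:44Z host=FS01 user=CORP\svc_backup parent=backup.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"
2023-05-15T03:12:51Z host=FS01 user=CORP\svc_backup parent=backup.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe create shadow /for=C:"
2023-05-15T03:40:02Z host=WS22 user=CORP\jdoe parent=locker.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quiet"
2023-05-15T03:40:03Z host=WS22 user=CORP\jdoe parent=locker.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"
2023-05-15T03:40:04Z host=WS22 user=CORP\jdoe parent=locker.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c rd /s /q C:\$Recycle.Bin"
2023-05-15T03:40:05Z host=WS22 user=CORP\jdoe parent=locker.exe image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"
2023-05-15T03:40:06Z host=WS22 user=CORP\jdoe parent=locker.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""


def parse_event(line):
    """Parse one key=value process-creation record into a dict."""
    event = {}
    for key, quoted, bare in _FIELD.findall(line):
        event[key] = quoted if quoted else bare
    return event


def classify(cmdline):
    """Return the name of the first rule the command line matches, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def scan(log_text):
    """Run every rule over every record; return one alert dict per matching record."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event.get("cmdline", ""))
        if rule:
            alerts.append({"host": event.get("host"), "user": event.get("user"),
                           "parent": event.get("parent"), "rule": rule,
                           "cmdline": event["cmdline"]})
    return alerts


def hosts_over_threshold(alerts, min_hits=2):
    """Hosts with at least `min_hits` anti-forensic commands; a single hit may be an
    admin, a burst from one parent process is the ransomware pattern."""
    counts = {}
    for alert in alerts:
        counts[alert["host"]] = counts.get(alert["host"], 0) + 1
    return {host for host, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['host']} {alert['user']} parent={alert['parent']} {alert['rule']}: {alert['cmdline']}")
    print("hosts to isolate:", sorted(hosts_over_threshold(found)))
```

Run as a script it prints the five matching records from WS22 and none from FS01. In production the same rules would be applied to Sysmon Event ID 1 or Windows 4688 records, and the parent process field is the pivot: a burst of these commands spawned by one unsigned binary is a much stronger signal than any single command.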


Threat Actors Target WordPress Plugin for XSS Campaign 24 Hours After a PoC Exploit Was Published

A recently patched, high-severity vulnerability in the WordPress plugin "Advanced Custom Fields" is under active exploitation; attackers began targeting the flaw just twenty-four (24) hours after researchers published a working proof-of-concept (PoC) exploit. Advanced Custom Fields lets site builders add extra content fields (commonly referred to as custom fields) to WordPress edit screens, speeding up site development and content delivery. The vulnerability, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw: the malicious script is carried in a crafted request (typically a URL) and echoed back into the page without encoding, so it runs in the browser of whoever follows the link rather than being stored on the site. An unauthenticated attacker cannot trigger it alone; the victim must be a logged-in user with access to the plugin who is lured into visiting the crafted URL. If that succeeds, the script executes with the victim's privileges and can be used to escalate privileges and exfiltrate sensitive information from the vulnerable WordPress site. This user-interaction requirement is why the flaw carries a CVSS score of 7.1/10 despite its impact. The vulnerability was patched on May 5, 2023, and CTIX analysts recommend that all users of Advanced Custom Fields and Advanced Custom Fields Pro upgrade to version 6.1.6 or later immediately to prevent exploitation.
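To make the reflected XSS mechanism concrete, the following is an added example written for this brief; it is not the Advanced Custom Fields plugin's code and does not reproduce CVE-2023-30777. The endpoint, host and `name` parameter are hypothetical. It shows the vulnerable pattern (a request parameter echoed into HTML unencoded), a deny-list "fix" that still fails on an attribute breakout, and the hardened form using context-appropriate output encoding, with an HTML-parser oracle that reports whether a browser would create a script element or an on* event handler from the response.

```python
"""Added example: reflected XSS, the vulnerable pattern beside its hardened form.

Illustrative code written for this brief, not the Advanced Custom Fields plugin's
code. The endpoint, host, and parameter name are hypothetical.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed attacker links: the payload rides in the URL and is percent-decoded
# server-side before being reflected. The second breaks out of an attribute value.
PAYLOAD_TAG = "https://wp.example.test/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
PAYLOAD_ATTR = "https://wp.example.test/?name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"


def _param(url, key):
    """Return the first value of query parameter `key`, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def vulnerable_page(url):
    """Reflects the parameter into a text node and an attribute with no encoding."""
    name = _param(url, "name")
    return f'<h1>Hello, {name}</h1>\n<input value="{name}">'


def denylist_page(url):
    """A common insufficient fix: strip '<script'. Attribute breakouts still work."""
    name = _param(url, "name").replace("<script", "").replace("</script", "")
    return f'<h1>Hello, {name}</h1>\n<input value="{name}">'


def hardened_page(url):
    """Output encoding for the contexts used: escape(quote=True) encodes & < > " '
    which is correct for both an HTML text node and a double-quoted attribute value."""
    name = escape(_param(url, "name"), quote=True)
    return f'<h1>Hello, {name}</h1>\n<input value="{name}">'


class _ScriptOracle(HTMLParser):
    """Tokenizes the response the way a browser would and records whether any
    <script> element or on* event-handler attribute would be created."""

    def __init__(self):
        super().__init__()
        self.hit = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.hit = True


def is_exploited(html):
    """True if the rendered response would execute attacker-controlled script."""
    oracle = _ScriptOracle()
    oracle.feed(html)
    return oracle.hit


if __name__ == "__main__":
    for handler in (vulnerable_page, denylist_page, hardened_page):
        for url in (PAYLOAD_TAG, PAYLOAD_ATTR):
            verdict = "EXPLOITED" if is_exploited(handler(url)) else "safe"
            print(f"{handler.__name__:16} {verdict:9} {handler(url)!r}")
```

Run directly, the script shows the vulnerable handler failing both payloads, the deny-list handler passing the first and failing the attribute breakout, and the hardened handler passing both. The general lesson, which the plugin advisory's "reflected" classification implies, is that the fix belongs at the output point and must match the HTML context; filtering the input is not sufficient.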

Honorable Mention

PharMerica Data Breach Leads to Leaked Medical Data of 5.8 Million Patients

PharMerica, the second-largest institutional pharmacy services company in the United States, suffered a data breach and sent out notifications on May 12, 2023. The company reported discovering suspicious activity on its network on March 14, 2023, by which point the unknown third party had already been inside the compromised systems for two (2) days. PharMerica then retained a security firm to investigate; after one (1) week, the investigation concluded that the stolen data contained the personal information of 5.8 million individuals, including names, addresses, dates of birth, Social Security numbers (SSNs), medication details, and health insurance information. Because some of the affected individuals are deceased, there is a risk that their identities will be used to open credit cards or take out loans; the breach notification filed with Maine regulators states that victims are being offered one (1) year of Experian identity protection services to help mitigate this. PharMerica has not released further details on the attack or attribution, but the Money Message ransomware group posted the company on its leak site on March 28, 2023, claiming to have stolen 4.7 terabytes of data, which it then published on the leak site on April 7, 2023. The data has since appeared on additional hacker forums and on the clearnet, split into thirteen (13) parts for easier downloading. This is the latest in a series of attacks on healthcare giants, which have been a prime target in early 2023.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team ( if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

