A Chinese-linked threat actor known as ‘Earth Lusca’ has been conducting cyber espionage campaigns against governments around the world via a previously unknown Linux backdoor, according to an analysis by Trend Micro.
The researchers, Joseph C Chen and Jaromir Horejsi, revealed they had been tracking the group since an initial publication about its activities in 2021. Since then, Earth Lusca has extended its operations to target governments around the world during the first half of 2023, primarily in countries in Southeast Asia, Central Asia and the Balkans.
The main targets for the group are government departments involved in foreign affairs, technology and telecommunications, said the researchers.
They wrote that Earth Lusca “is now aggressively targeting the public-facing servers of its victims,” and frequently exploiting server-based N-day vulnerabilities, publicly known weaknesses with or without a patch.
Once it has infiltrated its victims’ networks, the group deploys a web shell and installs Cobalt Strike for lateral movement, aiming to exfiltrate documents and email account credentials.
Additionally, the researchers said the threat actor deploys advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets.
New Linux Backdoor
While monitoring the China state-linked actor, Chen and Horejsi obtained an encrypted file named libmonitor.so.2 hosted on the threat actor’s delivery server. After finding the original loader of the file on VirusTotal and successfully decrypting it, the researchers discovered that the payload is a previously unknown Linux-targeted backdoor, which they named ‘SprySOCKS’.
This backdoor originates from the open-source Windows backdoor Trochilus, with several functions being re-implemented for Linux systems.
The researchers observed that the Linux backdoor contains a marker that refers to its version number. The investigation uncovered two SprySOCKS payloads containing two different version numbers, indicating that the backdoor is still under development.
In regard to structure, the blog reported that SprySOCKS’s command-and-control (C2) protocol consists of two components: the loader and the encrypted main payload, with the loader responsible for reading, decrypting and running the main payload.
This structure bears similarities with the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines, added the researchers.
To date, only Earth Lusca has been observed using SprySOCKS.
Concluding, Chen and Horejsi advised organizations to “proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach.”
They added: “Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance.”