According to new findings from Trend Micro, a Chinese threat actor has targeted several governments around the world with a new Linux backdoor.
As reported by BleepingComputer, the group is called Earth Lusca and was active in the first half of the year, targeting government organizations in Southeast Asia, Central Asia, the Balkans and elsewhere. The targeted organizations were primarily involved in foreign affairs, technology and telecommunications. Earth Lusca's goal appears to be espionage.
To compromise its targets' endpoints, the group used numerous n-day unauthenticated remote code execution flaws, most of which were discovered and fixed between 2019 and 2022. Through these flaws it deployed Cobalt Strike beacons, which were later used to drop a new Linux backdoor called SprySOCKS.
Steal files and more
SprySOCKS isn't built from scratch, though. According to the researchers, its code is a mix of several other malware families, including the open-source Trochilus malware for Windows, a Windows backdoor called RedLeaves, and Derusbi, a Linux malware family.
Its key features include gathering system information, launching an interactive shell using the PTY subsystem, listing network connections, managing SOCKS proxy configurations, as well as the usual features such as uploading and downloading files.
In addition to SprySOCKS, the group was also seen launching an ELF Linux injector nicknamed "Jaw". The injector itself has been tweaked and modified, but rather carelessly, it seems: researchers found debug messages and symbols left in it, suggesting that the developers took little care to clean it up.
SprySOCKS, however, is under active development, the researchers concluded. So far they have managed to obtain two versions of the backdoor, v1.1 and v1.3.6.
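Leftover symbol tables and debug sections, like the ones the researchers found in the injector, are cheap triage signals for an analyst handling an unknown ELF. The following example is added here for illustration and is not code from the article or from Trend Micro: it parses the ELF64 section header table with the standard library only and reports whether `.symtab` or any `.debug_*` section survives. Because a real sample cannot ship with the page, the block also constructs a minimal, non-loadable ELF64 fixture in memory to run against; the fixture builder and the section names it uses are assumptions for the demonstration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 file header, 64 bytes, little-endian
SHDR_FMT = "<IIQQQQIIQQ"        # ELF64 section header, 64 bytes


def build_minimal_elf64(section_names):
    """Constructed test fixture (assumption, not a real sample): an ELF64 LE blob
    holding only a file header, a .shstrtab string table and empty section
    headers carrying the given names. It is not loadable; it exists so the
    section-name triage below can run offline."""
    names = list(section_names)
    if ".shstrtab" not in names:
        names.append(".shstrtab")
    shstrtab = b"\x00"          # index 0 is the empty name
    name_off = {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\x00"
    str_off = 64                                 # string table follows the header
    shoff = (str_off + len(shstrtab) + 7) & ~7   # 8-byte aligned section header table
    shnum = len(names) + 1                       # +1 for the mandatory null section
    shstrndx = names.index(".shstrtab") + 1
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, 0, shoff, 0,
                       64, 56, 0, 64, shnum, shstrndx)  # ET_DYN, EM_X86_64
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # null section
    for n in names:
        sh_type = 3 if n == ".shstrtab" else 1   # SHT_STRTAB / SHT_PROGBITS
        off, size = (str_off, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        shdrs += struct.pack(SHDR_FMT, name_off[n], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    body = ehdr + shstrtab
    body += b"\x00" * (shoff - len(body))
    return body + shdrs


def elf_section_names(data):
    """Return the section names of an ELF64 little-endian file, in table order."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    if shoff == 0 or shnum == 0:
        return []   # section header table removed entirely (a stronger stripping)
    if shstrndx >= shnum:
        raise ValueError("invalid e_shstrndx")

    def shdr(i):
        return struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)

    str_off, str_size = shdr(shstrndx)[4], shdr(shstrndx)[5]
    strtab = data[str_off:str_off + str_size]
    names = []
    for i in range(shnum):
        idx = shdr(i)[0]
        end = strtab.index(b"\x00", idx)
        names.append(strtab[idx:end].decode("ascii", "replace"))
    return names


def debug_artifacts(data):
    """Triage summary: does the binary still carry a static symbol table or DWARF
    debug sections? Either one means the author did not strip the build."""
    names = elf_section_names(data)
    debug = sorted(n for n in names if n.startswith(".debug"))
    has_symtab = ".symtab" in names
    return {"symtab": has_symtab,
            "debug_sections": debug,
            "stripped": not has_symtab and not debug}


if __name__ == "__main__":
    sloppy = build_minimal_elf64([".text", ".symtab", ".strtab", ".debug_info"])
    clean = build_minimal_elf64([".text", ".dynsym", ".dynstr"])
    print("unstripped fixture:", debug_artifacts(sloppy))
    print("stripped fixture:  ", debug_artifacts(clean))
```

On a real file, `debug_artifacts(open(path, "rb").read())` gives the same answer as eyeballing `readelf -S`; `.dynsym` is deliberately not counted, since dynamic symbols are needed for loading and survive `strip`, whereas `.symtab` and `.debug_*` only remain when nobody bothered to remove them.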
Since the group's initial access relies on n-day flaws that already have fixes available, the best way to protect yourself from such threats is to ensure that all endpoints are patched and updated regularly.