Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities
The China-linked threat actor known as
Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS.
Earth Lusca was
first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America.
Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes. Some activities of the group overlap with another threat cluster tracked by Recorded Future under the name
RedHotel.
The latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023.
Primary targets include government departments that are involved in foreign affairs, technology, and telecommunications. The attacks are concentrated in Southeast Asia, Central Asia, and the Balkans.
The interactive shell implementation in SprySOCKS is likely inspired by the Linux version of a fully-featured backdoor named
Derusbi (aka Photo) that's known to be employed by multiple Chinese threat activity clusters since at least 2008.
Command-and-control (C2) communication consists of packets sent via the Transmission Control Protocol (TCP) protocol, mirroring a structure used by a
Windows-based trojan referred to as
RedLeaves, itself said to be built on top of Trochilus.
At least two different samples of SprySOCKS (versions 1.1 and 1.3.6) have been identified to date, suggesting that the malware is being continually modified by the attackers to add new features.
"It is important that organizations proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach," the researchers said.
"Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance."
Infection sequences start with the exploitation of known security flaws in public-facing Fortinet (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621 and CVE-2019-9670) servers to drop web shells and deliver Cobalt Strike for lateral movement.
"The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like
ShadowPad and the Linux version of
Winnti to conduct long-term espionage activities against its targets," security researchers Joseph C. Chen and Jaromir Horejsi
said.
The server used to deliver Cobalt Strike and Winnti has also been observed to host SprySOCKS, which has its roots in the open-source Windows backdoor
Trochilus. It's worth noting that the use of Trochilus has been tied to a Chinese hacking crew called
Webworm in the past.
Loaded by means of a variant of an ELF injector component known as
mandibule, SprySOCKS is equipped to gather system information, start an interactive shell, create and terminate SOCKS proxy, and perform various file and directory operations.
(
Source) (
A)
