In a concerning development, a Chinese hacker known as ‘Earth Lusca’ has been identified conducting cyber espionage operations targeting government agencies across multiple countries. This campaign employs a newly discovered Linux backdoor named ‘SprySOCKS,’ as revealed by Trend Micro’s analysis.
Furthermore, the malware appears to be a blend of various malware strains, with components adapted from both Windows and Linux malware, exemplifying its sophisticated nature.
Earth Lusca’s cyberattacks persisted throughout the first half of the year, concentrating on government entities specializing in foreign affairs, technology, and telecommunications. To initiate these attacks, the threat actors exploited several unauthenticated remote code execution vulnerabilities dating back to 2019 and 2022. These vulnerabilities were leveraged to deploy Cobalt Strike beacons, which facilitated remote access to compromised networks.
Subsequently, these malicious actors engaged in lateral movement, exfiltrated sensitive files, stole account credentials, and introduced additional payloads such as ShadowPad.
One notable aspect of the attack involved the utilization of the SprySOCKS loader, a variant of the Linux ELF injector referred to as “mandibule.” This loader, disguised as a file named ‘libmonitor.so.2,’ was hurriedly adapted by the attackers, leaving behind debug messages and symbols. It operated under the name “kworker/0:22,” mimicking a Linux kernel worker thread, decrypting the second-stage payload (SprySOCKS), and establishing persistence on the infected systems.
SprySOCKS itself is a highly capable backdoor that employs the ‘HP-Socket’ high-performance networking framework for its operations. It encrypts its TCP communications with the command and control server using AES-ECB encryption. The malware’s core functionalities include collecting system information, initiating an interactive shell using the PTY subsystem, listing network connections, managing SOCKS proxy configurations, and performing various file operations.
Trend Micro identified two versions of SprySOCKS, v1.1 and v1.3.6, suggesting ongoing development efforts by the threat actors. To mitigate the risks associated with such cyber espionage campaigns, organizations are strongly advised to prioritize the application of security updates for their public-facing server products, effectively preventing initial compromises by Earth Lusca and similar threat actors.
