
Chinese Hacker’s Advanced Linux Espionage

September 19, 2023
Reading Time: 2 mins read
in Alerts

In a concerning development, a Chinese threat actor known as ‘Earth Lusca’ has been identified conducting cyber espionage operations against government agencies in multiple countries. The campaign uses a newly discovered Linux backdoor named ‘SprySOCKS,’ as revealed by Trend Micro’s analysis.

The malware appears to be a blend of several malware strains, with components adapted from both Windows and Linux malware, which illustrates its sophisticated nature.

Earth Lusca’s attacks persisted throughout the first half of the year, concentrating on government entities involved in foreign affairs, technology, and telecommunications. To gain initial access, the threat actors exploited several unauthenticated remote code execution vulnerabilities disclosed between 2019 and 2022. These vulnerabilities were used to deploy Cobalt Strike beacons, which provided remote access to the compromised networks.

Subsequently, these malicious actors engaged in lateral movement, exfiltrated sensitive files, stole account credentials, and introduced additional payloads such as ShadowPad.

One notable aspect of the attack was the use of the SprySOCKS loader, a variant of the Linux ELF injector known as “mandibule.” The loader, disguised as a file named ‘libmonitor.so.2,’ was hurriedly adapted by the attackers, who left debug messages and symbols in place. It ran under the process name “kworker/0:22,” mimicking a Linux kernel worker thread, decrypted the second-stage payload (SprySOCKS), and established persistence on the infected systems.
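A genuine kworker thread is a child of kthreadd (PID 2) and has no backing executable, so a user-space process that borrows the name stands out. The following is an added defender-side check written for this article (not code from Trend Micro or from the malware analysis); the sample process list is constructed, and the live /proc scan assumes it is run as root so that /proc/<pid>/exe is readable for every process.

```python
import os
import re
from dataclasses import dataclass

# Kernel worker threads are named kworker/<cpu>:<id>, optionally followed by a suffix.
KWORKER_RE = re.compile(r"^kworker/\d+:\d+")
KTHREADD_PID = 2


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # target of /proc/<pid>/exe, "" when there is none (real kernel thread)


def is_masquerading_kworker(p: Proc) -> bool:
    """True for a process that looks like a kworker but is not parented by kthreadd
    or has a real executable on disk, as the SprySOCKS loader does."""
    if not KWORKER_RE.match(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.exe != ""


def find_masqueraders(procs):
    return [p for p in procs if is_masquerading_kworker(p)]


def snapshot_proc():
    """Collect Proc records from /proc; silently skips processes that exit mid-scan."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as f:
                ppid = next(int(l.split()[1]) for l in f if l.startswith("PPid:"))
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:      # ENOENT for kernel threads; EACCES without root
                exe = ""
        except (OSError, StopIteration):
            continue
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


# Constructed sample: one real kworker, one ordinary daemon, one loader hiding as kworker/0:22.
SAMPLE = [
    Proc(123, 2, "kworker/0:1", ""),
    Proc(811, 1, "sshd", "/usr/sbin/sshd"),
    Proc(4242, 1, "kworker/0:22", "/tmp/.x/loader"),   # constructed path, not from the report
]

if __name__ == "__main__":
    for p in find_masqueraders(snapshot_proc()):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm} exe={p.exe}")
```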

SprySOCKS itself is a highly capable backdoor that uses the ‘HP-Socket’ high-performance networking framework. It encrypts its TCP communications with the command and control server using AES-ECB, a mode that preserves plaintext block patterns and is therefore a weak choice for this purpose. The malware’s core functions include collecting system information, starting an interactive shell through the PTY subsystem, listing network connections, managing SOCKS proxy configurations, and performing various file operations.

Trend Micro identified two versions of SprySOCKS, v1.1 and v1.3.6, which suggests ongoing development by the threat actors. To reduce the risk from such cyber espionage campaigns, organizations are strongly advised to prioritize security updates for their public-facing server products, since patching the exploited vulnerabilities prevents the initial compromise used by Earth Lusca and similar threat actors.

Reference:
  • Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement