Chinese hackers are exploiting a new Linux backdoor to target national governments
A Chinese threat actor was observed targeting multiple governments around the world with a new Linux backdoor, according to new findings from Trend Micro.
As reported by BleepingComputer, the group is called Earth Lusca, and has been active in the first half of the year, targeting government organizations in Southeast Asia, Central Asia, the Balkans, and elsewhere. The organizations were mostly focused on foreign affairs, technology, and telecommunications. Earth Lusca’s goal seems to be espionage.
To compromise their targets’ endpoints, the group used multiple n-day unauthenticated remote code execution flaws, most of which were discovered and addressed between 2019 and 2022. Through these flaws, they’d drop Cobalt Strike beacons, which were later used to deploy a new Linux backdoor called SprySOCKS.
Stealing files and more
SprySOCKS is not brand new, though. Its code is a mix of multiple other malware variants, it was said, including the Trochilus open-source malware for Windows, a backdoor for the same OS called RedLeaves, and Derusbi, which is a Linux malware.
Its key functionalities include system information harvesting, starting an interactive shell using the PTY subsystem, listing network connections, managing SOCKS proxy configurations, as well as the usual capabilities such as uploading and downloading files.
Besides SprySOCKS, the group was seen dropping a Linux ELF injector dubbed “mandibule”, as well. Mandible itself was tweaked and changed, but in a relatively sloppy manner, it seems, as researchers found debug messages and symbols behind, indicating that the developers weren’t really paying attention that much.
SprySOCKS, on the other hand, is in active development, the researchers concluded. So far, they managed to obtain two versions of the backdoor, including v1.1 and v.1.3.6.
The best way to protect against such threats is to make sure all endpoints are patched regularly.