
KTLVdoor backdoor deployed to target Windows and Linux systems


Illustration: Suttipun | Shutterstock

A new backdoor, named KTLVdoor, capable of targeting Windows and Linux systems, has been identified as being deployed by the Chinese-speaking threat actor Earth Lusca and targeting a Chinese trading company.

KTLVdoor’s obfuscation techniques set it apart from typical backdoor malware. It masquerades as a legitimate system utility and can operate discreetly within compromised systems.

Some of the system utilities it imitates include essential tools like sshd, Java, SQLite, and bash, as well as more specialised software like edr-agent, commonly used for endpoint detection and response. This allows Earth Lusca to blend malicious activity with legitimate operations, making detection significantly more challenging.

Researchers discovered that the malware is distributed as a dynamic-link library (.dll) on Windows or a shared object (.so) on Linux, which lets the same codebase be loaded into processes on either platform. Once deployed, KTLVdoor initiates communication with a command-and-control (C&C) server, enabling remote attackers to issue commands and manipulate the infected host.
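The article's main detection point is that the backdoor hides behind the names of legitimate utilities (sshd, Java, SQLite, bash, edr-agent) and arrives as a shared object. The following is an added example, not code from the article or from Trend Micro, showing one defender-side check built on that observation: it walks a process inventory and flags any process carrying one of those names that runs from an unexpected location, has had its executable unlinked from disk, or has loaded a shared object from a user-writable directory. The expected install directories, the process records and the library paths are all constructed assumptions for a typical Linux host, not indicators from the report.

```python
import os
from dataclasses import dataclass, field

# Utility names the article says KTLVdoor imitates; the directories from which
# each would legitimately run are an assumption for a typical Linux host.
EXPECTED_DIRS = {
    "sshd": ("/usr/sbin", "/usr/bin"),
    "java": ("/usr/bin", "/usr/lib/jvm", "/opt"),
    "sqlite": ("/usr/bin",),
    "sqlite3": ("/usr/bin",),
    "bash": ("/bin", "/usr/bin"),
    "edr-agent": ("/opt", "/usr/lib"),
}

# User-controlled or world-writable locations from which a legitimate service
# should never load a shared object (assumed list, extend per environment).
SUSPECT_LIB_DIRS = ("/tmp", "/dev/shm", "/var/tmp", "/home")


@dataclass
class ProcessRecord:
    pid: int
    comm: str                # process name, as in /proc/<pid>/comm
    exe: str                 # resolved executable path, as in /proc/<pid>/exe
    libs: list = field(default_factory=list)  # loaded .so paths, as in /proc/<pid>/maps


def _under(path, dirs):
    """True if path lies inside one of the given directory prefixes."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def inspect(proc):
    """Return the reasons this process looks like name-masquerading (empty if none)."""
    reasons = []
    name = proc.comm
    if name in EXPECTED_DIRS:
        # Linux reports an unlinked binary as "<path> (deleted)" via /proc/<pid>/exe.
        exe = proc.exe.replace(" (deleted)", "")
        if not _under(os.path.dirname(exe), EXPECTED_DIRS[name]):
            reasons.append(f"{name} running from unexpected path {proc.exe}")
        if proc.exe.endswith(" (deleted)"):
            reasons.append(f"{name} executable has been unlinked from disk")
    for lib in proc.libs:
        if (lib.endswith(".so") or ".so." in lib) and _under(lib, SUSPECT_LIB_DIRS):
            reasons.append(f"{name} loaded shared object from {lib}")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process with at least one finding."""
    result = {}
    for p in procs:
        reasons = inspect(p)
        if reasons:
            result[p.pid] = reasons
    return result


# Constructed sample inventory: two benign processes and three that trip a check.
SAMPLE_PROCESSES = [
    ProcessRecord(1021, "sshd", "/usr/sbin/sshd", ["/lib/x86_64-linux-gnu/libc.so.6"]),
    ProcessRecord(2210, "java", "/usr/lib/jvm/java-17/bin/java", ["/usr/lib/jvm/java-17/lib/libjli.so"]),
    ProcessRecord(3387, "sshd", "/tmp/.cache/sshd", ["/tmp/.cache/libnet.so"]),
    ProcessRecord(4412, "bash", "/usr/bin/bash (deleted)", []),
    ProcessRecord(5590, "edr-agent", "/opt/edr/edr-agent", ["/dev/shm/libhelper.so"]),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        for r in reasons:
            print(f"pid {pid}: {r}")
```

On a live host the records would be built from /proc (comm, exe and the file-backed entries in maps); the value of the check is that a name match alone is not treated as trust, which is exactly the assumption the masquerading technique relies on.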

The malicious commands supported by the malware include a wide range of functions, from downloading and uploading files to launching an interactive shell. Furthermore, KTLVdoor possesses advanced network scanning capabilities, employing tools like ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb to identify potential vulnerabilities in target systems.

What makes this attack especially intriguing is the infrastructure supporting KTLVdoor’s operation. Researchers discovered over 50 command-and-control servers connected to the malware, all hosted by Chinese technology giant Alibaba.

Figure: Obfuscated function names. | Source: Trend Micro

“The scale of the attack campaign is surprising, as we were able to find more than 50 C&C servers, all hosted at Alibaba in China, communicating with variants of the malware family,” explained researchers. “While some of those malware samples are tied to Earth Lusca with high confidence, we cannot be sure that the whole infrastructure is used solely by this threat actor. The infrastructure might be shared with other Chinese-speaking threat actors.”

This unusual concentration of servers at a single China-based provider raises questions about the potential collaboration or overlap between Earth Lusca and other Chinese threat actors.

Researchers suggest that the malware’s infrastructure could be shared with other groups, pointing to possible connections between Earth Lusca and known intrusion sets such as RedHotel and APT27. These groups, while distinct, are known to operate within similar geographical and tactical domains.

Despite the detailed analysis, much remains unknown about KTLVdoor’s distribution methods and its scope of impact. Thus far, it has been confirmed to target only one trading company in China, but there is no certainty that other organisations worldwide are not being, or will not be, targeted in the future.

The researchers also speculate that KTLVdoor’s appearance and reliance on Alibaba-hosted infrastructure could signify an early-stage testing phase of the malware.

“Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling,” researchers concluded.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
