Earth Lusca, a China-linked threat actor group known to target high-profile individuals and organisations in Hong Kong using traditional methods such as spear phishing and water holes, has now expanded its operations to other countries, including countries in Southeast Asia, Central Asia, Balkans, Latin America and Africa.
The group’s latest endeavour involves the deployment of a new Linux backdoor, dubbed SprySOCKS, a variant of the previously identified Trochilus malware adapted for Linux systems. The group has also begun to target the public servers of its victims and exploit server-based zero-day vulnerabilities in Fortinet, GitLab, Progress Telerik, Zimbra Collaboration Suite, and Microsoft Exchange.
Cybersecurity researchers from Trend Micro obtained an encrypted file from Earth Lusca’s delivery server and successfully decrypted it, revealing SprySOCKS. This new backdoor variant displays characteristics reminiscent of Trochilus, with certain functions tailored for Linux environments. The name SprySOCKS reflects its swift behaviour and the inclusion of a Socket Secure (SOCKS) implementation.
Researchers identified two SprySOCKS payloads with different version numbers, suggesting ongoing development. Additionally, the interactive shell implementation resembles the Linux version of the Derusbi malware.
The structure of SprySOCKS’s command-and-control (C2C) protocol closely resembles that of the RedLeaves backdoor, known for infecting Windows. Earth Lusca appears to have adapted and modified the publicly available source code of Trochilus to create SprySOCKS, indicating their evolving capabilities.
Once infiltrated, Earth Lusca deploys a web shell and tools like Cobalt Strike for lateral movement, aiming to exfiltrate sensitive documents and email account credentials. Furthermore, the group has deployed advanced backdoors, including ShadowPad and the Linux version of Winnti, for long-term espionage.
The SprySOCKS backdoor comprises two components, with the loader identified as ‘mkmon’. Researchers found that Earth Lusca’s threat actor used a publicly available Linux ELF injector known as ‘mandibule’ as a basis for the malware loader. The loader copies itself and the encrypted payload to the
/usr/sbin/ directory and sets up persistence, enabling it to start as a service. If instructed, it self-deletes both files.
In analysing the decrypted second stage, researchers found that it was statically compiled with the Chinese-origin HP-Socket project, indicating potential Chinese government involvement. The communication with the C2C server is AES-ECB encrypted with the password hard-coded in the module. The client ID is generated from the MAC address and processor features.
The researchers managed to trace the SprySOCKS payload to a server operated by Earth Lusca, confirming the group’s responsibility. Notably, the payload carried a version number (1.3.6) and connected to a C&C domain, lt76ux[.]confenos[.]shop.
China-based hacker groups target countries that do not have a good relationship with the communist government. China’s Flax Typhoon hacker group is targeting Taiwanese organisations. Last year, it was reported that Chinese hackers snooped on Hong Kong networks for over a year. FBI and MI5 warned that China was trying to steal Western tech.