Earth Lusca Group Launches Cyber Espionage Campaign with New Linux Malware
'SprySOCKS' Attacks Unleashed
The researchers first discovered an encrypted file on a server controlled by Earth Lusca. Upon further investigation, they uncovered a previously unknown Linux backdoor named SprySOCKS. The malware is believed to be based on the open-source Windows backdoor Trochilus, with many functions rewritten to target Linux systems. The name SprySOCKS is a combination of Trochilus and the backdoor's new Socket Secure (SOCKS) implementation.
Two versions of SprySOCKS have been detected, indicating that the backdoor is still in development. Trend Micro suggests that the interactive shell implementation is likely based on the Linux variant of the Derusbi malware.
The command-and-control (C&C) protocol structure used by SprySOCKS bears similarities to the one employed by the RedLeaves backdoor, which infects Windows machines. The backdoor consists of two components: the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and executing the main payload.
Earth Lusca has remained active throughout the first half of 2023, primarily targeting government departments involved in foreign affairs, technology, and telecommunications in Southeast Asia, Central Asia, and the Balkans.
The group focuses on exploiting server-based N-day vulnerabilities on public-facing servers. Some of the vulnerabilities targeted by Earth Lusca include an authentication bypass vulnerability (CVE-2022-40684) in Fortinet FortiOS, FortiProxy, and FortiSwitchManager, as well as an unauthenticated remote code execution (RCE) vulnerability (CVE-2022-39952) in Fortinet FortiNAC.
The discovery of SprySOCKS highlights the increasing sophistication and evolving tactics of China-linked threat actors. Researchers and organizations must remain vigilant and continually update their cybersecurity defenses to protect against such threats.
As always, experts advise that it is essential to regularly patch and update systems with the latest security fixes.
Additionally, organizations should implement robust security measures such as multi-factor authentication, network segmentation, and intrusion detection systems to mitigate the risk of cyber attacks.
By staying proactive and informed about the latest trends and tools employed by threat actors, individuals and organizations can ensure that they are adequately prepared and protected against cyber threats.