This cybersecurity threat advisory discusses a Chinese threat actor known as “Earth Lusca” that has been observed targeting government entities with a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, in a report detailing the group’s attacks against public and private sector entities across Asia, Australia, Europe, and North America.
What is the threat?
The previously unknown Linux backdoor SprySOCKS is derived from Trochilus, an open-source Windows remote access trojan, with many of its functions ported to run on Linux. Earth Lusca primarily targets government departments involved in foreign affairs, technology, and telecommunications. Infection chains start with the exploitation of known security flaws in public-facing Fortinet (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621 and CVE-2019-9670) servers to drop web shells and deliver Cobalt Strike for lateral movement. So far, researchers have found two SprySOCKS samples with different version numbers, which suggests the backdoor is still under active development.
Why is it noteworthy?
SprySOCKS appears to be assembled from several existing malware families: its command and control (C2) communication protocol resembles that of RedLeaves, a Windows backdoor, while its interactive shell implementation appears to be derived from Derusbi, a Linux malware. Loaded by a variant of an ELF injector component known as mandibule, SprySOCKS can gather system information, start an interactive shell, create and terminate a SOCKS proxy, and perform various file and directory operations.
What is the exposure or risk?
SprySOCKS expands Earth Lusca’s Linux arsenal. Recently, the group has been aggressive in targeting victims’ public-facing servers by exploiting known vulnerabilities. It uses those vulnerabilities to drop Cobalt Strike beacons, which give it remote access to the breached network. Besides using Cobalt Strike to exfiltrate files, steal account credentials, and deploy additional payloads, the group uses it to drop the SprySOCKS loader, which arrives on targeted machines as a file named “libmonitor.so.2.” The loader runs under the process name “kworker/0:22,” mimicking a Linux kernel worker thread to avoid detection; it then decrypts the second-stage payload (SprySOCKS) and establishes persistence on the infected host.
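The “kworker/0:22” disguise only changes the process name; it cannot change the properties that distinguish a genuine kernel thread from a user-space program. Real kernel threads are children of kthreadd (PID 2), have no executable image behind /proc/<pid>/exe, and map no files from disk. The following script, added here as an example (it is not code from the advisory, from Trend Micro, or from Barracuda), hunts for processes that carry a kernel-thread name but fail those checks, or that map the “libmonitor.so.2” loader named above. The PIDs, paths, and the regular expression of kernel-thread name prefixes are assumptions made for the example; the sample process list is constructed.

```python
"""Hunt for user-space processes masquerading as Linux kernel worker threads.

Added example; not code from the advisory, Trend Micro or Barracuda. Genuine
kernel threads are children of kthreadd (PID 2), have no executable image
(readlink on /proc/<pid>/exe fails) and map no files. A process that renamed
itself "kworker/0:22" via prctl(PR_SET_NAME) cannot fake those properties.
PIDs, paths and names in SAMPLE_PROCS are constructed for this example.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KTHREADD_PID = 2
# Assumed prefixes the kernel uses for its own worker / per-CPU helper threads.
KERNEL_THREAD_NAME = re.compile(r"^(kworker/|ksoftirqd/|migration/|rcu_|kswapd|kthreadd$)")
# Loader file name reported in the advisory.
SUSPECT_LIBS = ("libmonitor.so.2",)


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str                    # contents of /proc/<pid>/comm
    exe: Optional[str]           # readlink(/proc/<pid>/exe); None for kernel threads
    maps: List[str] = field(default_factory=list)  # file paths from /proc/<pid>/maps


def suspicious_reasons(p: Proc) -> List[str]:
    """Return why a process looks like a fake kernel thread; empty list means clean."""
    reasons = []
    kernel_name = bool(KERNEL_THREAD_NAME.match(p.comm))
    if kernel_name and p.pid != KTHREADD_PID and p.ppid != KTHREADD_PID:
        reasons.append(f"name {p.comm!r} but parent is PID {p.ppid}, not kthreadd")
    if kernel_name and p.exe is not None:
        reasons.append(f"name {p.comm!r} but backed by an executable: {p.exe}")
    for path in p.maps:
        if os.path.basename(path) in SUSPECT_LIBS:
            reasons.append(f"maps suspect library {path}")
    return reasons


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}


def read_live_procs() -> List[Proc]:
    """Build Proc records from a live /proc (Linux only; best effort, root sees most)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid, base = int(entry), f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/stat") as f:
                # stat is "pid (comm) state ppid ..."; comm may contain spaces,
                # so split on the last ')' before taking the ppid field.
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = None           # kernel thread, or not permitted to read
            maps = set()
            try:
                with open(f"{base}/maps") as f:
                    for line in f:
                        parts = line.split(maxsplit=5)
                        if len(parts) == 6 and parts[5].startswith("/"):
                            maps.add(parts[5].strip())
            except OSError:
                pass
            procs.append(Proc(pid, ppid, comm, exe, sorted(maps)))
        except (OSError, ValueError, IndexError):
            continue                 # process exited mid-read or is unreadable
    return procs


# Constructed sample: two real kernel threads, a normal daemon, and a loader that
# renamed itself "kworker/0:22" but is a child of init with an ELF under /tmp.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", None),
    Proc(17, 2, "kworker/0:1", None),
    Proc(1234, 1, "sshd", "/usr/sbin/sshd",
         ["/usr/sbin/sshd", "/usr/lib/x86_64-linux-gnu/libc.so.6"]),
    Proc(4321, 1, "kworker/0:22", "/tmp/.cache/kworker",
         ["/tmp/.cache/kworker", "/tmp/.cache/libmonitor.so.2"]),
]

if __name__ == "__main__":
    procs = read_live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in scan(procs).items():
        print(f"[!] PID {pid}: " + "; ".join(reasons))
```

Run it as root on the host being checked; an unprivileged user cannot readlink /proc/<pid>/exe for other users’ processes, so the executable check degrades to the parent-PID check alone (which still catches the sample loader, since no user-space process can make kthreadd its parent). A loader that unlinks its own binary after starting still shows up, because the exe link then reads as a path suffixed with “(deleted)” rather than failing.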
What are the recommendations?
- Proactively manage your attack surface: minimize the entry points into your environment, especially internet-facing services such as the VPN, mail, collaboration, and web application servers targeted here, to reduce the likelihood of a successful breach.
- Apply patches promptly and keep tools, software, and systems up to date; every initial-access flaw listed above is a known vulnerability with a vendor fix available, so unpatched public-facing servers are the group’s easiest way in.
- Advanced and flexible security solutions, such as Barracuda XDR, are essential in protecting organizations from Earth Lusca and other threat actors.