The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS.
Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, and North America.
Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes. Some activities of the group overlap with another threat cluster tracked by Recorded Future under the name RedHotel.
The latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023.
Primary targets include government departments that are involved in foreign affairs, technology, and telecommunications. The attacks are concentrated in Southeast Asia, Central Asia, and the Balkans.
Infection sequences start with the exploitation of known security flaws in public-facing Fortinet (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621 and CVE-2019-9670) servers to drop web shells and deliver Cobalt Strike for lateral movement.
"The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets," security researchers Joseph C. Chen and Jaromir Horejsi said.
The server used to deliver Cobalt Strike and Winnti has also been observed to host SprySOCKS, which has its roots in the open-source Windows backdoor Trochilus. It's worth noting that the use of Trochilus has been tied to a Chinese hacking crew called Webworm in the past.
Loaded by means of a variant of an ELF injector component known as mandibule, SprySOCKS is equipped to gather system information, start an interactive shell, create and terminate a SOCKS proxy, and perform various file and directory operations.
The interactive shell implementation in SprySOCKS is likely inspired by the Linux version of a fully-featured backdoor named Derusbi (aka Photo) that's known to have been employed by multiple Chinese threat activity clusters since at least 2008.
Command-and-control (C2) communication consists of packets sent over the Transmission Control Protocol (TCP), mirroring a structure used by a Windows-based trojan referred to as RedLeaves, itself said to be built on top of Trochilus.
At least two different samples of SprySOCKS (versions 1.1 and 1.3.6) have been identified to date, suggesting that the malware is being continually modified by the attackers to add new features.
"It is important that organizations proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach," the researchers said.
"Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance."