A China-linked cyber espionage group known as “Earth Lusca” has recently been targeting government organizations in several regions, including Asia and Latin America. This threat actor has gained attention for a new Linux backdoor called “SprySOCKS,” which appears to borrow from multiple previously known malware tools.
The researchers at Trend Micro, who discovered and have been tracking SprySOCKS, found it to be a Linux variant of “Trochilus,” a Windows remote access Trojan (RAT) whose source code was leaked and made publicly available in 2017. Trochilus has several functionalities, including the ability to remotely install and uninstall files, log keystrokes, capture screenshots, manage files, and edit the Windows registry. One notable feature of Trochilus is its capability for lateral movement. Upon analysis, Trend Micro determined that SprySOCKS originated from Trochilus and reimplemented some of its functions specifically for Linux systems.
In addition to the Trochilus inspiration, Earth Lusca’s implementation of SprySOCKS’ interactive shell bears similarities to the Linux version of “Derusbi,” a family of RATs that have been evolving since 2008 and used by advanced persistent threat (APT) actors. The command-and-control (C2) infrastructure of SprySOCKS also resembles that of a second-stage RAT known as “RedLeaves,” utilized by threat actors engaged in cyber espionage campaigns over the past five years.
SprySOCKS, like other malware of its kind, incorporates multiple functionalities such as collecting system information, initiating an interactive shell, listing network connections, and uploading and exfiltrating files. Earth Lusca has been an elusive threat actor, observed by Trend Micro since mid-2021, targeting organizations primarily in southeast Asia, as well as central Asia, the Balkans, Latin America, and Africa. Analysis suggests that Earth Lusca is likely part of a cyber espionage cluster called “Winnti,” which supports Chinese economic objectives.
Earth Lusca’s targets have included government organizations, educational institutions, pro-democracy and human rights groups, religious groups, media organizations, and entities involved in COVID-19 research. The threat actor has shown particular interest in government agencies dealing with foreign affairs, telecommunications, and technology. While most of Earth Lusca’s attacks focus on cyber espionage, they have occasionally targeted cryptocurrency and gambling firms, indicating a possible financial motivation.
The threat actor has employed various tactics to gain access to their targets’ networks, such as spear-phishing, social engineering scams, and watering-hole attacks. Recently, they have become highly aggressive in targeting “n-day” vulnerabilities, meaning publicly disclosed flaws for which no patch is yet available, in web-facing applications. Earth Lusca has exploited several vulnerabilities this year, including an authentication bypass vulnerability in Fortinet’s FortiOS (CVE-2022-40684), a remote code execution (RCE) bug in Fortinet FortiNAC (CVE-2022-39952), and an RCE in Progress Telerik UI for ASP.NET AJAX (CVE-2019-18935). It is worth noting that other threat actors have also exploited these vulnerabilities, among them the China-backed actor behind the Volt Typhoon campaign.
Once inside a victim’s network, Earth Lusca uses server vulnerabilities to deploy a web shell and then installs Cobalt Strike for lateral movement. The group aims to exfiltrate documents and email account credentials while deploying advanced backdoors such as ShadowPad and the Linux version of Winnti for long-term espionage against their targets.
The discovery of Earth Lusca’s use of SprySOCKS highlights the evolving and persistent threat posed by cyber espionage actors. As organizations continue to strengthen their cybersecurity measures, it is crucial to remain vigilant and promptly patch vulnerabilities, particularly in web-facing applications, to mitigate the risks associated with these sophisticated attacks.
