Researchers have recently documented a new malware strain, KTLVdoor, attributed to the Chinese-speaking threat actor Earth Lusca. The backdoor is written in Go and has both Windows and Linux builds, extending the group's toolset to multiple platforms.
KTLVdoor masquerades as common system utilities and gives its operators a range of capabilities on the infected host, including file manipulation, command execution and scanning of remote ports. Its encrypted communications and obfuscated configuration slow down analysis, since an analyst has to recover keys and decode custom formats before the implant's behaviour and infrastructure can be read out of a sample.
The Trend Micro researchers who reported the malware linked KTLVdoor to more than 50 command-and-control (C&C) servers, all hosted on Alibaba infrastructure in China. Although the samples themselves were attributed to Earth Lusca, the researchers could not determine whether these servers were used exclusively by the group or shared with other actors.
The malware is delivered as a dynamic library masquerading as common system tools such as sshd, java and bash. Once loaded, it gives the attackers control of the compromised host. It then contacts the C&C server, GZIP-compressing each message and encrypting it with AES-GCM, which hides the traffic's content from network inspection. Because AES-GCM is a symmetric scheme, the key (or the material used to derive it) has to be present in the implant; an analyst who extracts it from a sample can decrypt captured traffic, and GCM's authentication tag also means any message altered in transit is rejected rather than processed.
Every message exchanged between the infected system and the C&C server carries a set of envelope fields: sender, receiver, token, route, task ID, task status, task type and sub-task type. The malware dispatches tasks received from the server to dedicated handlers covering file download, upload and management, an interactive shell, network scanning and process management.
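The following Go program is an added illustration of the message scheme described above (compression, then AES-GCM, with the listed envelope fields); it is example code written for this article, not KTLVdoor's own code, and the JSON field names, the 12-byte random nonce prepended to the ciphertext and the demo key are assumptions. `Seal` is what an implant would do on send; `Open` is the half an analyst needs once the key has been recovered from a sample, and it fails closed on a wrong key or a tampered message because the GCM tag no longer verifies.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Message carries the envelope fields named in the report. The JSON
// field names and the wire layout (nonce || ciphertext||tag) are
// assumptions made for this example, not KTLVdoor's actual encoding.
type Message struct {
	Sender     string `json:"sender"`
	Receiver   string `json:"receiver"`
	Token      string `json:"token"`
	Route      string `json:"route"`
	TaskID     string `json:"task_id"`
	TaskStatus int    `json:"task_status"`
	TaskType   int    `json:"task_type"`
	SubType    int    `json:"sub_type"`
	Payload    []byte `json:"payload,omitempty"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises a message as JSON, gzip-compresses it and encrypts it
// with AES-GCM. A fresh random nonce is prepended so the receiver can
// recover it; reusing a nonce under the same key would break GCM.
func Seal(key []byte, m Message) ([]byte, error) {
	plain, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, zbuf.Bytes(), nil), nil
}

// Open reverses Seal: split off the nonce, verify and decrypt, then
// decompress and parse. Any wrong key or modified byte fails the tag
// check, so the caller gets an error instead of garbage.
func Open(key, blob []byte) (Message, error) {
	var m Message
	aead, err := newGCM(key)
	if err != nil {
		return m, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return m, errors.New("blob too short to hold nonce and tag")
	}
	z, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return m, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return m, err
	}
	defer zr.Close()
	plain, err := io.ReadAll(zr)
	if err != nil {
		return m, err
	}
	return m, json.Unmarshal(plain, &m)
}

func main() {
	key := bytes.Repeat([]byte{0x41}, 32) // constructed demo key, not a real one
	msg := Message{Sender: "agent", Receiver: "server", Token: "t0k3n", Route: "beacon",
		TaskID: "1", TaskStatus: 0, TaskType: 3, SubType: 1, Payload: []byte("id")}
	blob, err := Seal(key, msg)
	if err != nil {
		panic(err)
	}
	back, err := Open(key, blob)
	fmt.Printf("%d bytes on the wire, task %s type %d, err=%v\n", len(blob), back.TaskID, back.TaskType, err)
}
```

For a real capture the analyst replaces the demo key with the one pulled from the sample's configuration and feeds each recorded C&C blob to `Open`; the GCM failure on a bad key is the quickest way to tell whether the right key was recovered.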
The malware's configuration is stored in a custom TLV-like (tag-length-value) format, with each parameter's value Base64-encoded and then XOR-encrypted. The XOR layer is obfuscation rather than cryptographic protection, since the key has to be available to the binary that decodes it, but combined with the compressed and encrypted C&C traffic it raises the cost of static analysis and sets KTLVdoor apart from the other tools Earth Lusca has used.
The emergence of KTLVdoor points to an escalation in Earth Lusca's activity, both in the sophistication of its tooling and in the scale of the infrastructure behind it. The group's motivation for this campaign remains unclear, but researchers note a history of Chinese-speaking threat actors targeting domestic companies, with groups such as Iron Tiger and Void Arachne having used similar tools against Chinese-language speakers.
Such campaigns blur the usual assumption that state-aligned actors operate only abroad: national borders do not define the limits of these intrusions. Continued monitoring of Earth Lusca is warranted, as researchers expect further deployments that may clarify the group's intentions and targets.
