China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign

"Earth Lusca," a China-linked cyber espionage actor that's been actively targeting government organizations in Asia, Latin America, and other regions since at least 2021 has begun using a Linux backdoor with features that appear inspired from multiple previously known malware tools.

The malware that researchers at Trend Micro discovered and are tracking as "SprySOCKS," is firstly a Linux variant of "Trochilus," a Windows remote access Trojan (RAT) whose code got leaked and became publicly available in 2017.

Linux Variant of Windows Backdoor

Trochilus has multiple functions, which include allowing threat actors to remotely install and uninstall files, log keystrokes, and do screen captures, file management, and registry editing. One core feature of the malware is its ability to enable lateral movement. According to Trend Micro, SprySOCKS' main execution routine and strings show that it originated from Trochilus and had several of its functions reimplemented for Linux systems.

In addition, the Earth Lusca implementation of SprySOCKS' interactive shell suggests it was inspired by the Linux version of Derusbi, a continuously evolving family of RATs that advanced persistent threat actors have been using since 2008. Also, SprySOCKS' command-and-control (C2) infrastructure resembles one that threat actors associated with a second-stage RAT called RedLeaves have used in cyber espionage campaigns for more than five years, Trend Micro said.

Like other malware of its ilk, SprySOCKS incorporates multiple functions including collecting system information, initiating an interactive shell, listing network connections, and uploading and exfiltrating files. 

But what makes SprySOCKS unique among Linux backdoors is its launching mechanism, Trend Micro researchers Joseph Chen and Jaromir Horejsi say. According to the two researchers, the main backdoor payload is encrypted on a disk and will only present in memory after the loader has decrypted and injected to itself. It is a mechanism that APT groups often use to target Windows systems, but not so much on Linux systems, the two researchers say.

Elusive Threat Actor

Earth Lusca is a somewhat elusive threat actor that Trend Micro has observed since mid-2021, targeting organizations in southeast Asia and more recently in central Asia, the Balkans, Latin America, and Africa. Evidence suggests that the group is part of Winnti, a loose cluster of cyber espionage groups believed to be working on behalf of, or in support of, Chinese economic objectives.

Earth Lusca's targets have included government and educational institutions, pro-democracy and human rights groups, religious groups, media organizations, and organizations conducting COVID-19 research. It has been especially interested in government agencies involved in foreign affairs, telecommunications, and technology. At the same time, while most of Earth Lusca's attacks appear to be cyber espionage related, on occasion the adversary has gone after cryptocurrency and gambling firms as well, suggesting it's also financially motivated, Trend Micro said.

Chen and Horejsi say that available telemetry suggests Earth Lusca might have potentially targeted as many as 150 organizations since the beginning of the year. Some of these have involved US targets, they note, pointing to a campaign earlier this year where the threat actor exploited multiple vulnerabilities in the Zimbra Collaboration Suite to breach enterprise networks, and another that impacted a state legislature.

In many of its attacks, the threat actor has used spear-phishing, common social engineering scams, and watering-hole attacks to try and get a foothold on a target network. Since the beginning of this year, Earth Lusca actors have also been aggressively targeting so-called "n-day" vulnerabilities in Web-facing applications to infiltrate victim networks. An n-day vulnerability is a flaw that a vendor has already disclosed but for which no patch is currently available. "Recently, the threat actor has been highly aggressive in targeting the public-facing servers of its victims by exploiting known vulnerabilities," Trend Micro said.

Among the many such flaws that Earth Lusca has been observed exploiting this year are CVE-2022-40684, an authentication bypass vulnerability in Fortinet's FortiOS and other technologies; CVE-2022-39952, a remote code execution (RCE) bug in Fortinet FortiNAC; and CVE-2019-18935, an RCE in Progress Telerik UI for ASP.NET AJAX. Other threat actors have exploited these bugs as well. CVE-2022-40684, for instance, is a flaw that a likely China-backed threat actor used in a widespread cyber espionage campaign dubbed "Volt Typhoon," targeting organizations across multiple critical sectors including government, manufacturing, communication, and utilities.

"Earth Lusca takes advantage of server vulnerabilities to infiltrate its victim's networks, after which it will deploy a web shell and install Cobalt Strike for lateral movement," Trend Micro said in its report. "The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets."

This story was updated on Sept. 20 with comments from Trend Micro researchers Joseph Chen and Jaromir Horejsi.