Rewterz Threat Alert – Chinese APT, Earth Lusca, Adopts SprySOCKS Linux Malware to Bolster Its Cyber Arsenal – Active IOCs

Severity

High

Analysis Summary

Researchers have discovered an encrypted file hosted on a server while monitoring the Chinese malicious group Earth Lusca. This has led to the discovery of a Linux backdoor that was previously unknown, now tracked as SprySOCKS. The code is based on the open-source Windows backdoor called Trochilus, which has many of its functions rewritten so it can run on Linux systems.

There have been two SprySOCKS samples detected with different versions, suggesting that the backdoor is still under development. The researchers think that the implementation of the interactive shell is probably based on the Derusbi malware, especially its Linux variant.

“The structure of SprySOCKS’s command-and-control (C&C) protocol is similar to one used by the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines. It consists of two components, the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and running the main payload,” the researchers mentioned

The Earth Lusca group has been active since the start of 2023 and its main targets are organizations and government departments working for foreign affairs, telecommunications and technology. Their primary focus is on the Southeast Asia, Central Asia and the Balkans region. The group tries to exploit server-based N-day vulnerabilities on public-facing servers, like CVE-2022-40684, CVE-2022-39952, CVE-2021-22205, CVE-2019-18935, CVE-2019-9670 and CVE-2019-9621.

The group exploits these vulnerabilities to gain access to the target’s network, then it places a web shell and installs Cobalt Strike to move laterally across the network. Their goal is to harvest email account credentials and exfiltrate documents from the compromised systems. Researchers have also observed the malicious actors using backdoors like ShadowPad.

HP-Socket project, a network framework with high performance originated in China, is compiled with SprySOCKS. It also uses AES-ECB encryption for communicating with C2 servers.

The report says, “The name of the loader’s process is set to “kworker/0:22” by the prctl command. Normally, kworker is a placeholder process for kernel worker threads. In this scenario, however, the “kworker”name has nothing to do with kernel worker threads. Instead, the loader abuses this name just to avoid suspicion when the user lists all running tasks via commands such as ps or top.”

The backdoor malware is capable of executing multiple commands. It can collect system information, list network connections, start up an interactive shell, upload/download files, create SOCKS proxy, etc. It expands the Earth Lusca group’s arsenal, making the group very dangerous. Recently, the group has been actively and aggressively attacking public-facing servers of its victims by exploiting known vulnerabilities.

Organizations must take a proactive approach to control their attack surface, aiming to minimize potential entry points into their systems and thereby decreasing the likelihood of a successful breach. It is essential for businesses to consistently implement patches and keep their tools, software, and systems up to date. This practice ensures not only enhanced security but also maintains optimal functionality and overall performance.

Impact

• Unauthorized Access
• Credential Theft
• Sensitive Data Theft

Indicators of Compromise

MD5

• 14bf1dc224b278fc23ca82ca2568d39d
• ac204bc653d6e49eea093b01ba3eaa60

SHA-256

• 65b27e84d9f22b41949e42e8c0b1e4b88c75211cbf94d5fd66edc4ebe21b7359
• f8ba9179d8f34e2643ee4f8bc51c8af046e3762508a005a2d961154f639b2912

SHA-1

• aeb5cfdcfd9d9b0b947e11153dab9e7ec423ca3e
• 8e845431841378690f0a6cce850aac01d561d554

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Identify and isolate compromised systems or hosts that are confirmed to be affected by the malware. Disconnect them from the network to prevent further communication with command-and-control servers.
• Regularly update and patch software and systems to mitigate vulnerabilities.
• Conduct regular security audits and penetration testing to identify and address weaknesses.
• Review and reset user account passwords, especially those with elevated privileges, to prevent unauthorized access. Disable or remove any compromised accounts.
• Ensure secure storage of backups and sensitive information with access restricted to authorized personnel only.
• Implement strict access controls and the principle of least privilege (PoLP) to restrict user and system access rights. This reduces the attack surface.
• Continuously monitor command-and-control (C2) traffic patterns and communications to identify anomalies and block malicious C2 activity.
• Train employees and staff on cybersecurity best practices and how to recognize phishing attempts and social engineering tactics.
• Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.