

Multiple Apache OFBiz Vulnerabilities
September 5, 2024
CVE-2024-7261 – Zyxel Vulnerability
September 5, 2024
September 5, 2024
Severity
High
Analysis Summary
A newly identified backdoor, KTLVdoor, has been observed in use by the Chinese-speaking threat actor Earth Lusca in a cyberattack targeting an unidentified Chinese trading company.
The previously unreported malware is written in Golang, making it a cross-platform threat that can infect both Linux and Microsoft Windows systems. Using this heavily obfuscated malware, which masquerades as various system utilities, attackers can perform a range of operations including file manipulation, remote port scanning, and command execution.
According to the researchers, KTLVdoor masquerades as a variety of programs, such as sshd, Java, SQLite, bash, and edr-agent, and is distributed as shared objects (.so) or dynamic-link libraries (.dll). Perhaps the most unusual aspect of the activity cluster is the discovery of over 50 command-and-control (C&C) servers, all hosted at the Chinese company Alibaba, communicating with variants of the malware. This finding raises the possibility that the infrastructure is shared with other Chinese threat actors.
Earth Lusca is believed to have been active since at least 2021, mounting cyberattacks against public- and private-sector organizations in North America, Europe, Australia, and Asia. It has been assessed to share certain tactical commonalities with other intrusion sets tracked as RedHotel and APT27 (also known as Budworm, Emissary Panda, and Iron Tiger). KTLVdoor, a heavily disguised malware, is the newest addition to the group's arsenal. Its name comes from the marker "KTLV" used in its configuration file, which holds the parameters the malware needs to operate, such as the C&C servers to connect to.
Once initialized, the malware repeatedly contacts the C&C server to wait for further instructions for the compromised host. It can download and upload files, list all files on the system, start an interactive shell, execute shellcode, and run scans using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among other functions.
Nevertheless, little is known about the malware's distribution method or whether it has been used against other organizations worldwide. Earth Lusca uses this new capability, but other Chinese-speaking threat actors may also have access to it. Given that all C&C servers used IP addresses from Alibaba, a Chinese provider, the researchers also raise the possibility that the appearance of this new malware and its C&C infrastructure is an early stage of testing new tooling.
Impact
- File Manipulation
- Unauthorized Access
- Command Execution
Indicators of Compromise
MD5
- 4b58d00628020eb03b0c403dad3ee075
- 39b45d97de6c8005615207100f6337ec
- 0cc445a80a3a1156192fc079d575428f
- 86bdfac52da47b36ea424dc9c56a5889
- 2c594d0d92c8b8fbea43d1086dbb753e
- 3cebd6a8606a5695835753c81bbd4207
- c031204f94e47444e8d42b248ecfb4e2
- 5b4851a1f1576b87989b01de3854eb2f
- 83c1538484ea6efc121a682688dfb275
- 6b6879450a15fbb456e9aff557c3fc24
- 684cbe00b4556bbef6eb08920c70a560
- e258a426ad8deee72c51894e079763f0
- b5a35fe765749b2d8a75c28eb576e9f9
- 67511f3d0b44a4042ad58767bce62ea8
- 4c956590aa952f4be5b447ec4da3fbe7
- 818e4872ca21d372346f63106d7d8933
- 30cce97d37092f1f3e6dffe9cd90cbc6
- dc17be1cd14d4671be693887310c64a1
- c015cad1a96a6d5f528c11d6da9119e2
- 707a50c4fbca27f0893a61f96c035760
- 15fc2424f5a5e0550803eadcf13a8977
- 68a2e2d89adb68f9f16621066b566d85
- 8e0c4caebc4e39fb3850235252ebd55f
- 7082dca417197dbe37e2f9472b397be5
- ebb11df7f99e63983b31878db65490a6
SHA-256
- 9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99
- 6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525
- 20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
- 7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0
- 12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2
- dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641
- b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2
- 99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404
- 3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345
- c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d
- a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848
- 01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267
- 1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68
- 3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb
- aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3
- c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132
- 1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25
- d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1
- 644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703
- 0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216
- 18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670
- d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0
- aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e
- fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7
- fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1
SHA-1
- 774bb1f42c7b6d019ecc45e8d69c1edc60f9f1d8
- 2cbf463c9d0ea08a076eb2afbc1dc41007968629
- 8a403a154a5835296cf812cdbbab50c445e9758d
- b0f58a9871d0a6d26e9490be10ffc6b1ed01e46d
- 0e7e65a7076b4a81123adda9fbb9531a250da531
- 6c05112ff2503067ee49797a4c27b143b3b66d40
- ed859db9ceb491a0dd91f9207e5ab2a66ef05643
- 1121c3a394af25a2dc33382153ef6f34de642439
- 08ee54a3159c593e206a7e00b816fe9b570ecba3
- c1b864d358e9c8c90e0e5ac0014c1c22f36ea0aa
- 2796e519fcfb548f17d635ae75318a42d98fa7bc
- 084d2e1df3f92e5d91ab8195336523481ac586f0
- a1e47ca2ea083364f640678df047b5de49c4f649
- 864c430f6746bf63be4693c89bb56aa62fd0e647
- c32507dcba979d477d3fa232395643c911b5ee0e
- e7e966afd8587fd7c349560bbcac50db78d4b617
- dc2d1dafdba15ee937d8b8b25198dd830d123847
- a6b37e239aaed421ffac023406483d2c8a14e932
- 63f2890ae50a972fcd72f920359f6e62ac6fdfe6
- 4129aad31baead2c2a351dc0e41cfbffb48465f0
- 20eaf51d2a01e2b5cb3957e3b1166c7f4220d2a0
- 1301e2e6d2a44e56a7dddaf4081d4a6c89f7ced5
- 10e5de6777d66536bb4bbb454633dd2778e32368
- ce2f3e8470610d901f51bb863898d5363207e356
- d1bf93f9e7465b903d4e818b61d0b7d7ce443ca6
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Identify and isolate compromised systems or hosts that are confirmed to be affected by the malware. Disconnect them from the network to prevent further communication with command-and-control servers.
- Regularly update and patch software and systems to mitigate vulnerabilities.
- Conduct regular security audits and penetration testing to identify and address weaknesses.
- Review and reset user account passwords, especially those with elevated privileges, to prevent unauthorized access. Disable or remove any compromised accounts.
- Ensure secure storage of backups and sensitive information with access restricted to authorized personnel only.
- Implement strict access controls and the principle of least privilege (PoLP) to restrict user and system access rights. This reduces the attack surface.
- Continuously monitor command-and-control (C2) traffic patterns and communications to identify anomalies and block malicious C2 activity.
- Train employees and staff on cybersecurity best practices and how to recognize phishing attempts and social engineering tactics.
- Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.
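The following is an added example to support the "search for indicators of compromise in your environment" step above; it is not part of the advisory and not tooling from the researchers who reported KTLVdoor. It walks a directory tree, computes MD5, SHA-1 and SHA-256 of each file in a single read, and reports any file whose digest appears in the indicator lists. The function names, the small subset of page hashes embedded in `KTLVDOOR_IOCS`, and the constructed sample files in `demo_sweep()` are all assumptions of this example; the full hash lists above should be pasted in before running it for real.

```python
"""Added example (not from the advisory): a defensive IoC hash sweep that walks a
directory tree, hashes each file with MD5, SHA-1 and SHA-256 in one pass, and
reports files whose digest appears in the indicator set."""
import hashlib
import os
import tempfile

# Subset of the advisory's KTLVdoor hashes (copied from the page); extend with the full lists.
KTLVDOOR_IOCS = {
    "md5": {
        "4b58d00628020eb03b0c403dad3ee075",
        "39b45d97de6c8005615207100f6337ec",
    },
    "sha1": {
        "774bb1f42c7b6d019ecc45e8d69c1edc60f9f1d8",
        "2cbf463c9d0ea08a076eb2afbc1dc41007968629",
    },
    "sha256": {
        "9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99",
        "6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_file(path, chunk_size=1 << 20):
    """Hash one file with all three algorithms in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def match_iocs(digests, iocs):
    """Return the (algorithm, digest) pairs that hit the indicator set."""
    return [(alg, digests[alg]) for alg in ALGORITHMS if digests[alg] in iocs.get(alg, set())]


def sweep(root, iocs=KTLVDOOR_IOCS, extensions=None):
    """Walk `root` and return (matches, skipped).

    matches: {path: [(algorithm, digest), ...]} for every file hitting an indicator.
    skipped: paths that could not be read (permissions, vanished files).
    `extensions` optionally restricts the sweep, e.g. (".so", ".dll"); the default
    hashes every regular file, because KTLVdoor poses as ordinary utilities and a
    name-based filter is easy to evade.
    """
    matches, skipped = {}, []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if extensions and not name.lower().endswith(tuple(extensions)):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are not hashed
            try:
                hits = match_iocs(digest_file(path), iocs)
            except OSError:
                skipped.append(path)
                continue
            if hits:
                matches[path] = hits
    return matches, skipped


def demo_sweep():
    """Constructed demonstration: plant a harmless file under a temp directory, seed an
    indicator set with that file's SHA-256, and run the sweep. Returns
    (matches, skipped, planted_path, empty_file_digests)."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    planted = os.path.join(root, "libsqlite.so")  # constructed name mimicking the disguise pattern
    with open(planted, "wb") as fh:
        fh.write(b"constructed sample bytes; not malware")
    empty = os.path.join(root, "empty.dll")
    open(empty, "wb").close()
    seeded = {"md5": set(), "sha1": set(), "sha256": {digest_file(planted)["sha256"]}}
    matches, skipped = sweep(root, iocs=seeded)
    return matches, skipped, planted, digest_file(empty)


if __name__ == "__main__":
    found, unreadable, _planted, _empty = demo_sweep()
    for path, hits in found.items():
        print(f"IOC HIT {path}: {hits}")
    print(f"{len(unreadable)} file(s) could not be read")
```

Hashing every regular file rather than only `.so`/`.dll` names costs more I/O but matches how the malware is described: it is delivered as a shared object or DLL yet poses as sshd, Java, SQLite, bash or edr-agent, so the file name is not a reliable filter. Unreadable files are reported in `skipped` instead of aborting the sweep, since a silent gap in coverage is exactly what an investigator must not have.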