2023-09-19

A cybercriminal group of Chinese origin known as Earth Lusca has been seen targeting government entities using a previously undocumented Linux backdoor called SprySOCKS.

This is not the first time a Linux backdoor or another kind of Linux vulnerability has been discovered, but there is (unfortunately) a deep-rooted belief that this class of operating systems is “invincible”.

Earth Lusca: where this hacker group comes from

Earth Lusca was first documented by Trend Micro in January 2022, in a report describing the adversary’s attacks against public and private sector entities in Asia, Australia, Europe, and North America.

Active since 2021, the group has relied on spear-phishing and watering-hole attacks to carry out its cyber-espionage campaigns. Some of the group’s activity overlaps with another threat cluster tracked by Recorded Future under the name RedHotel.

The cybersecurity firm’s latest findings show that Earth Lusca remains active and even expanded its operations in the first half of 2023 to target organizations around the world.

Earth Lusca objectives and damage

Major targets include government departments involved in foreign affairs, technology and telecommunications. The attacks are concentrated in Southeast Asia, Central Asia and the Balkans.

The infection chains begin with the exploitation of known security flaws in Fortinet products (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935) and Zimbra (CVE-2019-9621 and CVE-2019-9670) to drop web shells and deploy Cobalt Strike for lateral movement.

“The group intends to steal documents and email account credentials, as well as deploy additional advanced backdoors such as ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against their targets,” said security researchers Joseph C. Chen and Jaromir Horejsi.

The server used to distribute Cobalt Strike and Winnti was also observed hosting SprySOCKS, which has its roots in the open-source Trochilus backdoor for Windows; it is worth noting that the use of Trochilus has previously been linked to a Chinese hacking group called Webworm.

Loaded via a variant of the ELF injector known as mandibule, SprySOCKS is capable of gathering system information, launching an interactive shell, creating and terminating a SOCKS proxy, and performing various file and directory operations.

Command-and-control (C2) communication consists of packets sent over the Transmission Control Protocol (TCP), reproducing a structure used by a Windows-based trojan called RedLeaves, which in turn appears to be based on Trochilus.

At least two different versions of SprySOCKS (versions 1.1 and 1.3.6) have been identified to date, suggesting that the attackers continually modify the malware to add new features.

“It is important for organizations to proactively manage their attack surface, minimizing potential entry points into their system and reducing the likelihood of a successful breach,” the researchers said, adding, “Companies should regularly patch and update their tools, software and systems to ensure their security, functionality and overall performance.”

We do not know how much malware exists on Linux

The growing presence of threats on Linux, such as Earth Lusca’s, alarms those who started using one of its distributions in order to be “immune from viruses” or “immune from cyber attacks”. Unfortunately, the reality is more complex.

The issue deserves to be explored further, but while Android and Windows, for example, ship with built-in mechanisms (however “lukewarm”) to detect threats, Linux distros usually have nothing of the kind.

It is possible to install ClamAV, a Linux antivirus that is operated from the terminal, although it too had some problems a while ago. In short, while most problems are the user’s responsibility, that does not mean, as many believe, that “I install Linux and I’m immune to everything”. This is simply not the case, as the Earth Lusca case demonstrates, but that subject belongs in another article.