A cyber threat group with links to China, known as Earth Lusca, has been discovered attacking government bodies utilizing a new Linux backdoor named SprySOCKS. Earth Lusca was first chronicled by Trend Micro in the early part of 2022, reporting on the group's cyber attacks on both public and private sector organizations across continents including Asia, Australia, Europe, and North America. The group, operational since 2021, employs spear-phishing and watering hole attacks as part of their cyber espionage operations. Some of Earth Lusca's activities have similarities with another threat group tracked by Recorded Future, known as RedHotel.
Latest insights from cybersecurity experts indicate Earth Lusca remains an active threat, with its operations now encompassing targets around the globe as of the first half of 2023. The group's primary targets are government departments involved in foreign affairs, technology, and telecommunications. The geographical focus of these attacks is Southeast Asia, Central Asia, and the Balkans. The attack sequence begins with the exploitation of known vulnerabilities in public-facing servers such as Fortinet (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621 and CVE-2019-9670) to install web shells and deliver Cobalt Strike for lateral movement.
Joseph C. Chen and Jaromir Horejsi, security researchers, stated, "The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets." The server used to distribute Cobalt Strike and Winnti has also been found to host SprySOCKS, which originates from the open-source Windows backdoor Trochilus. Notably, the use of Trochilus has been connected to a Chinese hacking group called Webworm in previous instances.
SprySOCKS, loaded through a variant of an ELF injector component known as mandibule, is designed to collect system information, initiate an interactive shell, create and terminate a SOCKS proxy, and carry out various file and directory operations. The command-and-control (C2) communication involves packets sent through the Transmission Control Protocol (TCP) protocol, reflecting a structure used by a Windows-based trojan named RedLeaves, which is believed to have been built on top of Trochilus. Two different samples of SprySOCKS (versions 1.1 and 1.3.6) have been identified so far, indicating that the malware is being regularly updated by the attackers to incorporate new features.
In their final remarks, the researchers emphasized, "It is important that organizations proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach. Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance."