Linux Threat Report: Earth Lusca Deploys Novel SprySOCKS Backdoor in Attacks on Government Entities

by Jamieson Davis
on September 19, 2023

The threat actor Earth Lusca, linked to Chinese state-sponsored hacking groups, has been observed utilizing a new Linux backdoor dubbed SprySOCKS to target government organizations globally. 

As initially reported in January 2022 by Trend Micro, Earth Lusca has been active since at least 2021 conducting cyber espionage campaigns against public and private sector targets in Asia, Australia, Europe, and North America. Their tactics include spear-phishing and watering hole attacks to gain initial access. Some of Earth Lusca's activities overlap with another Chinese threat cluster known as RedHotel.

In new research, Trend Micro reveals Earth Lusca remains highly active, even expanding operations in the first half of 2023. Primary victims are government departments focused on foreign affairs, technology, and telecommunications. Attacks concentrate in Southeast Asia, Central Asia, and the Balkans regions. 

After breaching internet-facing systems by exploiting flaws in Fortinet, GitLab, Microsoft Exchange, Telerik UI, and Zimbra software, Earth Lusca uses web shells and Cobalt Strike to move laterally. Their goal is exfiltrating documents and credentials, while also installing additional backdoors like ShadowPad and Winnti for long-term spying.

The Command and Control server delivering Cobalt Strike was also found hosting SprySOCKS - an advanced backdoor not previously publicly reported. With roots in the Windows malware Trochilus, SprySOCKS contains reconnaissance, remote shell, proxy, and file operation capabilities. It communicates over TCP mimicking patterns used by a Windows trojan called RedLeaves, itself built on Trochilus.

At least two SprySOCKS versions have been identified, indicating ongoing development. This novel Linux backdoor deployed by Earth Lusca highlights the increasing sophistication of Chinese state-sponsored threats. Robust patching, access controls, monitoring for unusual activities, and other proactive defenses remain essential to counter this advanced malware.

The Trend Micro researchers emphasize that organizations must minimize attack surfaces, regularly update systems, and ensure robust security hygiene to interrupt the tactics, techniques, and procedures of relentless threat groups like Earth Lusca.

Jamieson Davis is a Linux enthusiast, and the Linux news editor for Linux Journal.

Load Disqus comments

Firstwave Cloud

 

Recent Articles

Fortifying Cyber Defense With the Power of Linux Intrusion Detection and Prevention Systems
Fortifying Cyber Defense With the Power of Linux Intrusion Detection and Prevention Systems
George Whittaker
Strengthening Linux Security by Auditing with OpenSCAP
Strengthening Linux Security by Auditing with OpenSCAP
George Whittaker
Rebuilding and Modifying Debian Packages
Rebuilding and Modifying Debian Packages
George Whittaker
Understanding Backup and Disaster Planning Solutions for Linux
Understanding Backup and Disaster Planning Solutions for Linux
George Whittaker
How to Build Resilience with Linux High Availability Clustering
How to Build Resilience with Linux High Availability Clustering
George Whittaker
Harnessing the Power of Open Source for Private Clouds: Ubuntu Cloud Infrastructure with OpenStack
Harnessing the Power of Open Source for Private Clouds: Ubuntu Cloud Infrastructure with OpenStack
George Whittaker