Chinese hackers exploit never-before-seen Linux backdoor

Researchers have identified a previously unknown Linux backdoor used by hackers linked to the Chinese government.

It is a new backdoor derived from one already known in the Windows environment, called Trochilus and first identified in 2015 by researchers at Arbor Networks (now Netscout).

Because of its nature, experts at the time characterized Trochilus as difficult for antivirus products to detect. Researchers at NHS Digital later claimed that Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government and also known as Stone Panda or MenuPass.

The source code of Trochilus, available for years on GitHub, was used in several campaigns and gave rise to the new backdoor identified in the Linux environment.

Trend Micro first encountered it when it detected an encrypted binary file on a server known to be used by a group the company had been monitoring for a couple of years.

Unknown Linux backdoor: here's what the experts discovered

Searching VirusTotal for the file name, libmonitor.so.2, the researchers located a Linux executable named mkmon. This executable contains credentials that can be used to decrypt the libmonitor.so.2 file and recover its original payload, leading the researchers to conclude that mkmon is an installer that operates on libmonitor.so.2.

The Linux malware ports several features present in Trochilus and combines them with a new Socket Secure (SOCKS) implementation. Trend Micro researchers therefore named their discovery SprySOCKS.

SprySOCKS implements the usual backdoor features, including collecting system information, opening a remote shell for controlling compromised systems, listing network connections, and creating a SOCKS-based proxy to transfer files and other data between the compromised system and the one controlled by the attacker.

The command and control server that SprySOCKS connects to bears important similarities to a server used in a campaign with Windows malware known as RedLeaves. Like SprySOCKS, RedLeaves is also based on Trochilus.

Trend Micro attributes SprySOCKS to a threat actor it has nicknamed Earth Lusca. Researchers discovered the group in 2021 and documented its activities the following year.

Earth Lusca targets organizations all over the world, although it appears to prefer Asian governments. It uses social engineering techniques to lure targets to sites that spread malware. Besides its interest in espionage, Earth Lusca also appears to be financially motivated, since some of its activities involve online gambling and cryptocurrency platforms.
