The Invasion from Within: Unmasking China’s Linux Backdoor Espionage Campaign

China-Linked Cyber Espionage Actor “Earth Lusca” Expands Operations with Linux Backdoor

The Discovery of SprySOCKS

Researchers at Trend Micro have identified a new cyber espionage campaign carried out by the China-linked threat actor “Earth Lusca.” The group, which has been active since at least 2021, has been targeting government organizations in Asia, Latin America, and other regions. What makes this campaign remarkable is the use of a Linux backdoor called SprySOCKS.

SprySOCKS is a Linux variant of Trochilus, a Windows remote access Trojan (RAT) that first became publicly available in 2017 after its source code was leaked. The Linux variant of Trochilus, according to Trend Micro, carries out several functions, including remote file installation and uninstallation, keystroke logging, screen captures, file management, and registry editing. One key capability of the malware is its ability to enable lateral movement within targeted systems.

Inspiration from Multiple Malware Tools

Upon analysis, researchers discovered that SprySOCKS originated from Trochilus and had several of its functions reimplemented for Linux systems. Additionally, the interactive shell of SprySOCKS appears to have been inspired by the Linux version of Derusbi, a family of RATs that advanced persistent threat actors have been using since 2008. The similarities in the command-and-control (C2) infrastructure used by Earth Lusca and the one associated with RedLeaves, a second-stage RAT, suggest potential connections.

SprySOCKS incorporates various functions commonly found in this class of malware, such as collecting system information, initiating an interactive shell, listing network connections, and uploading and exfiltrating files. These capabilities enable Earth Lusca to gather sensitive information, gain deeper access to compromised systems, and perform data exfiltration.

Earth Lusca: An Elusive Threat Actor

Earth Lusca is a cyber espionage group that has proven to be somewhat elusive. Trend Micro researchers have been monitoring the group since mid-2021, primarily observing its activities in Southeast Asia. However, recent developments indicate that the group has expanded its operations to Central Asia, the Balkans, Latin America, and Africa.

According to the evidence available, Earth Lusca is believed to be part of the Winnti cluster of cyber espionage groups, which are suspected to work in support of Chinese economic objectives. The group’s targets range from government and educational institutions to pro-democracy and human rights groups, religious organizations, media outlets, and entities involved in COVID-19 research. Government agencies involved in foreign affairs, telecommunications, and technology have particularly attracted Earth Lusca’s attention. Interestingly, the group has also targeted cryptocurrency and gambling firms, indicating possible financial motivations.

The tactics used by Earth Lusca to infiltrate target networks include spear-phishing, social engineering scams, and watering-hole attacks. In recent months, the group has aggressively targeted “n-day” vulnerabilities in web-facing applications. These vulnerabilities are flaws that have been disclosed by the vendor but do not yet have a patch available. Earth Lusca has been exploiting vulnerabilities such as CVE-2022-40684, CVE-2022-39952, and CVE-2019-18935, which have also been targeted by other threat actors.

The Implications and Recommendations

The discovery of Earth Lusca’s use of a Linux backdoor demonstrates the group’s adaptability and sophistication. The expansion of its operations beyond Asia raises concerns about the global reach and potential impact of its cyber espionage activities. It is evident that the group is determined to infiltrate target networks, exfiltrate sensitive information, and maintain persistent access for future espionage activities.

This discovery serves as a reminder of the importance of robust cybersecurity measures for organizations and individuals alike. To mitigate the risk of falling victim to advanced persistent threats like Earth Lusca, the following recommendations should be considered:

1. Maintain up-to-date security patches: Regularly update all software and applications to ensure vulnerabilities are addressed promptly.

2. Implement multi-factor authentication: Enable multi-factor authentication wherever possible to add an additional layer of security to access sensitive systems and accounts.

3. Employee training and awareness: Educate employees about the risks of social engineering attacks, phishing, and other common tactics used by threat actors. Regular training sessions and awareness campaigns can help mitigate the human factor in cyber attacks.

4. Network segmentation and access controls: Implement strict network segmentation and access controls to limit lateral movement in the event of a breach. This can help contain the impact and prevent attackers from freely roaming within the network.

5. Intrusion detection and monitoring: Deploy an effective intrusion detection system (IDS) and maintain comprehensive network monitoring to identify and respond to suspicious activity promptly.
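Recommendations 4 and 5 above (limit lateral movement, monitor for suspicious activity) can be turned into a concrete check. The script below is an added example written for this page, not Trend Micro's or Earth Lusca's tooling, and it uses no indicators from the SprySOCKS report: it reads constructed connection-log lines and raises an alert when one internal host reaches several distinct internal peers on administrative ports (SSH, SMB, RDP, WinRM, an assumed list) within a short window, which is the fan-out pattern that lateral movement tends to produce and that segmentation is meant to block. The log format, networks, thresholds and addresses are all assumptions.

```python
"""Toy lateral-movement fan-out detector.

Added example for this article; the log lines, port list, internal ranges and
thresholds are constructed assumptions, not indicators from the SprySOCKS report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed set of administrative services an attacker would pivot over.
ADMIN_PORTS = {22, 445, 3389, 5985}          # SSH, SMB, RDP, WinRM
# Assumed internal address space for this example network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FANOUT_THRESHOLD = 3                         # distinct peers before alerting
WINDOW = timedelta(minutes=10)               # sliding time window

# Constructed sample log (one flow per line, key=value fields).
# 10.1.5.20 touches four internal hosts on admin ports in ~11 seconds;
# 10.1.7.8 makes one SSH connection and one HTTPS connection to a TEST-NET address.
SAMPLE_LOG = """\
2023-09-18T10:00:01Z src=10.1.5.20 dst=10.1.5.30 dport=22 proto=tcp
2023-09-18T10:00:05Z src=10.1.5.20 dst=10.1.5.31 dport=22 proto=tcp
2023-09-18T10:00:09Z src=10.1.5.20 dst=10.1.5.32 dport=445 proto=tcp
2023-09-18T10:00:12Z src=10.1.5.20 dst=10.1.5.33 dport=22 proto=tcp
2023-09-18T10:01:00Z src=10.1.7.8 dst=10.1.7.9 dport=22 proto=tcp
2023-09-18T10:02:00Z src=10.1.7.8 dst=203.0.113.5 dport=443 proto=tcp
2023-09-18T11:30:00Z src=10.1.5.20 dst=10.1.5.40 dport=22 proto=tcp
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per source host that reaches >= threshold distinct
    internal peers on admin ports within any window-sized span of time."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    # Keep only internal-to-internal flows on administrative ports.
    per_src = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and is_internal(e["dst"]) and e["dport"] in ADMIN_PORTS:
            per_src[e["src"]].append(e)

    alerts = []
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peers = {x["dst"] for x in evs[start:end + 1]}
            if len(peers) >= threshold:
                alerts.append({
                    "src": src,
                    "peers": sorted(peers),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG):
        print(f"{alert['src']} reached {len(alert['peers'])} internal admin ports "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}: "
              f"{', '.join(alert['peers'])}")
```

On the sample data only 10.1.5.20 trips the rule; 10.1.7.8 is ignored because its second flow leaves the internal range and its first is a single peer. In practice the thresholds would be tuned per network segment, and known administration hosts (jump boxes, configuration management servers) would need an allow-list so that legitimate fan-out does not swamp the alert queue.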

The discovery of SprySOCKS further underscores the need for heightened vigilance against cyber threats. As Earth Lusca continues to evolve its tactics and expand its operations, organizations and individuals must remain proactive in strengthening their defenses and staying informed about the latest cybersecurity developments.
