Chinese APT Earth Lusca Adds SprySOCKs Backdoor to its Arsenal


A recently discovered Linux backdoor malware, named SprySOCKS, was observed in a cyberespionage campaign targeting government agencies in multiple countries. The campaign was attributed to the Chinese hacking group Earth Lusca.

More about SprySOCKS

In the campaign, the attackers dropped SprySOCKS with a variant of mandibule, an open-source Linux ELF injector that loads a payload into a running process.

  • The backdoor is built on the HP-Socket networking framework, a high-performance C++ library, and encrypts its TCP traffic to the C2 server with AES in ECB mode. ECB is a weak choice from the attacker's side: it is deterministic per 16-byte block, so repeated structures in the protocol produce repeated ciphertext blocks, which gives defenders a usable fingerprint.
  • The malware's core functions include collecting system information, starting an interactive shell through the PTY subsystem, listing network connections, and managing SOCKS proxy configurations (the feature the name refers to).
  • It also supports basic file operations: upload, download, list, delete, rename and create directory.
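Two triage checks that follow from the list above, written here as an added example rather than code from the report or from the malware: a duplicate-block ratio that flags ECB-style repetition in an encrypted stream, and a SOCKS5 greeting/request decoder for traffic an embedded proxy would relay. AES itself is not implemented; a keyed SHA-256 function stands in for one block encryption, which is enough to show why ECB leaks and CTR does not. The key, the beacon record and the SOCKS5 byte strings are constructed by hand and are not captured traffic.

```python
"""Added triage helpers for ECB-style C2 framing and SOCKS5 proxy requests.
Illustration only; the byte strings at the bottom are hand-constructed."""
import hashlib
import ipaddress
import struct
from collections import Counter
from typing import Optional

BLOCK = 16  # AES block size in bytes


def _prf_block(key: bytes, data: bytes) -> bytes:
    """Keyed 16-byte function standing in for one AES block encryption.
    Not AES; it only keeps the property that matters here: same key and
    same input block always give the same output block (assumption)."""
    return hashlib.sha256(key + data).digest()[:BLOCK]


def ecb_like(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is transformed independently of its neighbours."""
    if len(plaintext) % BLOCK:
        raise ValueError("ECB needs whole blocks; a real implementation pads first")
    return b"".join(_prf_block(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ctr_like(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR for contrast: keystream depends on (nonce, block index), so equal
    plaintext blocks no longer yield equal ciphertext blocks."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        ks = _prf_block(key, nonce + struct.pack("!Q", i // BLOCK))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], ks))
    return bytes(out)


def ecb_duplicate_ratio(payload: bytes) -> float:
    """Fraction of 16-byte blocks that repeat an earlier block. Zero-filled
    fields and repeated strings survive ECB as identical blocks; CBC/CTR/GCM
    output shows none, so a high ratio on otherwise high-entropy traffic is a
    hunting lead (a heuristic, not proof of the cipher mode)."""
    blocks = [payload[i:i + BLOCK] for i in range(0, len(payload) - BLOCK + 1, BLOCK)]
    if not blocks:
        return 0.0
    return sum(n - 1 for n in Counter(blocks).values()) / len(blocks)


SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_socks5_greeting(data: bytes) -> Optional[list]:
    """Client greeting (RFC 1928): VER=5, NMETHODS, METHODS. Returns the list
    of offered auth methods, or None for anything that is not a greeting."""
    if len(data) < 2 or data[0] != 5 or len(data) != 2 + data[1]:
        return None
    return list(data[2:])


def parse_socks5_request(data: bytes) -> Optional[dict]:
    """Client request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT.
    Handles IPv4, domain-name and IPv6 targets; rejects truncated input."""
    if len(data) < 5 or data[0] != 5 or data[2] != 0 or data[1] not in SOCKS5_CMDS:
        return None
    atyp = data[3]
    if atyp == 1:
        off, alen = 4, 4
    elif atyp == 3:
        off, alen = 5, data[4]  # length-prefixed domain name
    elif atyp == 4:
        off, alen = 4, 16
    else:
        return None
    end = off + alen + 2
    if len(data) < end:
        return None
    raw = data[off:off + alen]
    if atyp == 1:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == 4:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw.decode("ascii", "replace")
    port = struct.unpack("!H", data[end - 2:end])[0]
    return {"cmd": SOCKS5_CMDS[data[1]], "host": host, "port": port, "consumed": end}


# Constructed samples (hand-built; not real keys or captured traffic).
KEY = b"demo-key-not-a-real-key!"
# 64-byte "beacon" whose three zero-filled reserved fields are identical blocks.
BEACON = b"\x00" * 16 + b"sysinfo:host01.." + b"\x00" * 16 + b"\x00" * 16
GREETING = bytes([5, 1, 0])                                  # SOCKS5, no-auth only
CONNECT_V4 = bytes([5, 1, 0, 1, 10, 0, 0, 5]) + struct.pack("!H", 445)
CONNECT_DOM = bytes([5, 1, 0, 3, 11]) + b"example.com" + struct.pack("!H", 443)
CONNECT_V6 = bytes([5, 1, 0, 4]) + bytes(15) + b"\x01" + struct.pack("!H", 22)

if __name__ == "__main__":
    print("ECB stand-in duplicate ratio:", ecb_duplicate_ratio(ecb_like(KEY, BEACON)))  # 0.5
    print("CTR stand-in duplicate ratio:", ecb_duplicate_ratio(ctr_like(KEY, b"nonce!!!", BEACON)))  # 0.0
    print(parse_socks5_greeting(GREETING), parse_socks5_request(CONNECT_V4))
```

The duplicate ratio is deliberately a cheap stream-level heuristic: run it per connection on the first few kilobytes, and pair it with the SOCKS5 decoder on any internal host that suddenly starts answering greetings on a port it never served before. Neither check identifies SprySOCKS on its own; they narrow down which flows deserve a closer look.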
