A recently discovered Linux backdoor malware, named SprySOCKS, was observed in a cyberespionage campaign targeting government agencies in multiple countries. The campaign was attributed to the Chinese hacking group Earth Lusca.
More about SprySOCKS
In the campaign, the attackers used a Linux variant of the ELF injector called mandibule to drop SprySOCKS.
- The backdoor is built on the ‘HP-Socket’ networking framework, known for its high performance, and encrypts its TCP communications with the C2 server using AES-ECB.
- Its main functions include gathering system information, starting an interactive shell that uses the PTY subsystem, enumerating network connections, and managing SOCKS proxy configurations.
- It also supports basic file operations: uploading, downloading, listing, deleting, renaming, and creating directories.
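The AES-ECB detail matters to defenders because ECB has no chaining: identical 16-byte plaintext blocks produce identical ciphertext blocks, so repeated blocks in an otherwise opaque TCP payload are a cheap fingerprint. The Go program below is an added example, not SprySOCKS code and not a description of its actual message format; the key, IV and sample message are constructed, and it contrasts ECB with CBC on the same input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}
// encryptECB: no chaining, so equal plaintext blocks give equal ciphertext blocks.
func encryptECB(key, pt []byte) []byte {
	b, out := mustCipher(key), make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}
// encryptCBC is the comparison mode: chaining hides repeated plaintext blocks.
func encryptCBC(key, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(out, pt)
	return out
}
// duplicateBlocks counts aligned 16-byte blocks that repeat an earlier one: a cheap ECB fingerprint.
func duplicateBlocks(data []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		blk := string(data[i : i+aes.BlockSize])
		if seen[blk] {
			dups++
		}
		seen[blk] = true
	}
	return dups
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed, not from the malware
	// Constructed stand-in for a C2 message made of repeated 32-byte records.
	pt := bytes.Repeat([]byte("HOST=srv01;USER=root;SHELL=pty;\n"), 4)
	fmt.Println("ECB duplicates:", duplicateBlocks(encryptECB(key, pt)))   // 6
	fmt.Println("CBC duplicates:", duplicateBlocks(encryptCBC(key, iv, pt))) // 0
}
```

The heuristic only works on block-aligned data and says nothing about which cipher or key is in use; it is a triage signal for flagging flows worth deeper inspection, not a classifier.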