Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement


In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023.

While monitoring the group, we managed to obtain an interesting, encrypted file hosted on the threat actor’s delivery server. We were able to find the original loader of the file on VirusTotal and successfully decrypted it. Interestingly, the decrypted payload is a Linux-targeted backdoor that we have never seen before. The main execution routine and its strings show that it originates from the open-source Windows backdoor Trochilus, with several functions being re-implemented for Linux systems. We named this new Linux variant SprySOCKS, referring to the swift behaviors of Trochilus and the new Socket Secure (SOCKS) implementation inside the backdoor.

Analysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.

Read more…