Title: Chinese Hacker ‘Earth Lusca’ Targets Government Agencies with New Linux Backdoor ‘SprySOCKS’
In a recent cybersecurity development, Chinese hacker group ‘Earth Lusca’ has been identified as the perpetrator behind attacks on government agencies around the world. The group has unleashed a new Linux backdoor called ‘SprySOCKS’ to target key government entities in Southeast Asia, Central Asia, and the Balkans, alongside other regions.
SprySOCKS is believed to have originated from the Trochilus open-source Windows malware, but it has been specifically modified to operate on Linux systems. By combining features of RedLeaves and Derusbi malware, Earth Lusca has created a potent tool for breaching the security of targeted organizations.
To gain initial access, the Chinese hacker group exploits n-day vulnerabilities and then drops Cobalt Strike beacons for remote access. As a variant of the Linux ELF injector ‘mandibule,’ SprySOCKS deploys a loader named ‘libmonitor.so.2.’ This loader allows SprySOCKS to function seamlessly within Linux systems.
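One defensive use of the loader name reported above: a host-side hunt that parses `/proc/<pid>/maps` and reports any process with a mapped file whose basename matches that indicator. This is an added example, not code from the researchers or the article; it assumes the name `libmonitor.so.2` as given here and treats it as a weak indicator, since an operator can rename a file.

```python
import os
import re
from pathlib import PurePosixPath

# Indicator taken from the report: the loader name used by SprySOCKS.
# A miss is not a clean bill of health, because the file can be renamed.
INDICATOR_BASENAMES = {"libmonitor.so.2"}

# /proc/<pid>/maps line layout: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$")


def suspicious_paths(maps_text: str, indicators=INDICATOR_BASENAMES) -> list[str]:
    """Return the distinct mapped file paths whose basename matches an indicator."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.startswith("/"):  # skip [heap], [stack], anonymous mappings
            continue
        if PurePosixPath(path).name in indicators and path not in hits:
            hits.append(path)
    return hits


def scan_processes(proc_root: str = "/proc", indicators=INDICATOR_BASENAMES) -> dict[int, list[str]]:
    """Walk proc_root and map pid -> matching paths. Reading other users' maps needs root."""
    findings = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:  # no procfs here (e.g. not Linux)
        return findings
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), encoding="utf-8", errors="replace") as fh:
                hits = suspicious_paths(fh.read(), indicators)
        except OSError:  # process exited or permission denied
            continue
        if hits:
            findings[int(entry)] = hits
    return findings


# Constructed sample of a maps file for demonstration (not a real capture).
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a10000 r--p 00000000 fd:01 1234567 /usr/bin/python3
7f3a20000000-7f3a20021000 rw-p 00000000 00:00 0
7f3a20200000-7f3a20210000 r-xp 00000000 fd:01 7654321 /usr/lib/libmonitor.so.2
7f3a20300000-7f3a20310000 r-xp 00000000 fd:01 7654322 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(suspicious_paths(SAMPLE_MAPS))  # ['/usr/lib/libmonitor.so.2']
    print(scan_processes())
```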
Of particular concern is SprySOCKS’ use of the high-performance networking framework ‘HP-Socket’ and AES-ECB encryption for command and control (C2) communications. Encrypting the C2 channel helps conceal Earth Lusca’s activity while the operators collect system information, establish an interactive shell, manage network connections, configure SOCKS proxies, and perform basic file operations.
To further obfuscate their activities, SprySOCKS generates a unique client ID using a combination of MAC address and CPU features. This ensures that each attack appears distinct and difficult to trace back to Earth Lusca.
The ongoing development of SprySOCKS is evident through two known versions – v1.1 and v1.3.6 – indicating that Earth Lusca remains invested in refining and expanding their cyber capabilities.
Security experts are urging organizations, especially those operating within the government sector, to prioritize the application of security updates. This proactive approach can help prevent initial compromises from Earth Lusca’s SprySOCKS backdoor, thwarting potential attacks before they gain traction.
As the threat landscape continues to evolve, vigilance and timely implementation of security measures become crucial. By staying one step ahead, organizations can ensure the safety of their sensitive data and protect themselves from the growing threat presented by Earth Lusca and its latest creation, SprySOCKS.