Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, September 20, 2023, 10:40 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese APT Deploys New Linux Backdoor

Trend Micro researchers have published a research paper on a new and evolving Linux backdoor which they discovered while monitoring the activities of a Chinese government-linked threat actor they track as 'Earth Lusca'. The group has primarily engaged in cyber-espionage against targets in government and education, some religious movements, and pro-democracy and human rights groups in Hong Kong - with a side interest in criminal activities against gambling and cryptocurrency sites, presumably in order to be self-funding.

In June, the researchers discovered an encrypted file on Earth Lusca's delivery server, and after finding the related loader on VirusTotal, they were able to decrypt it to reveal a previously-unknown Linux-targeted backdoor. Analysis of the main execution routine and its strings reveal it to be derived from Trochilus, an open-source Windows backdoor, with a number of functions obviously rewritten to work on Linux. They named this variant 'SprySOCKS' -a reference to the way it combines the rapid operation of Trochilus with a new implementation of the SOCKS multi-protocol proxy protocol.

To date, two versions of SprySOCKS have been found, with two different version numbers. Its interactive shell seems to derive from the Linux version of the Derusbi malware, while its command and control protocol is similar to that of the ReadLeaves remote access trojan for Windows targets which is reportedly also derived from Trochilus. SprySOCKS also has a similar structure, consisting of two components - a loader in an ELF executable named 'mkmon' and an encrypted main payload in a file called libmonitor.so.2.

Like the SprySOCKS backdoor itself, the loader was not developed from scrach, but is based on a publicly-available ELF process injector called 'mandibule' (the French word for mandible or lower jaw). The SprySOCKS programmers adapted it by removing the process injection code, replacing it with the code to download and decrypt their backdoor.

SprySOCKS itself makes used of a high-performance network library, developed in China and called HP-Socket, to implement its encrypted binary C2 protocol. The protocol has commands for collecting system information, listing network connections, creating a SOCKS proxy, transferring files, some basic file operations and, mostly importantly, starting an interactive shell.

Earth Lusca is using SprySOCKS to aggresively target the Internet-facing servers of its victims - primarily government foreign affairs offices, tech companies and telcos in SE Asia, Central Asia and the Balkans. It uses a number of recent vulnerabilities to infect Fortinet and other perimeter devices - presumably to reconnoiter and then establish a SOCKS proxy which can be used to then forward traffic from internal victims using ReadLeaves and similar tools such as web shells and Cobalt Strike for lateral movement.

The Trend Micro report has a full analysis, recommendations for mitigation (primarily proactive patch management) and IOC's.

Chen, Josoph C and Jaromir Horejsi, Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement, research paper, 18 September 2023. Available online at https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html.


Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: