Security Researchers Sound Alarm On A Startling Never-Before-Seen Linux Backdoor

Trend Micro has been tracking a threat-actor group since early 2021, dubbed Earth Lusca, which is purportedly based out of China. Since that initial discovery, researchers have found the group has utilized increasingly sophisticated infrastructure, tools, techniques, and procedures to advance its goals in cyberespionage and financial crimes worldwide. Now, the group has implemented a never-before-seen Linux backdoor, which appears to be a fork of an open-source Windows backdoor.

Researchers at Trend Micro posted a blog about Earth Lusca this week, outlining the expanding operations of the Chinese threat actor group. In the research team’s monitoring and tracking efforts, they came across an “interesting, encrypted file hosted on the threat actor’s delivery server.” This was not much use by itself, so the team turned to VirusTotal, where they found the original file loader, which allowed them to decrypt the payload, uncovering a Linux backdoor that had not been seen before.

SprySOCKS backdoor messages

Through reverse engineering, the Trend Micro team found that, based on the main execution routine and strings within the file, the new backdoor has roots in Trochilus, an older Windows backdoor that is open source on GitHub. However, some of the functions within the malware were redone for Linux, and the threat actors added new features such as SOCKS, so it is not a full port per se. Given this, the researchers decided to dub this backdoor SprySOCKS, “referring to the swift behaviors of Trochilus and the new Socket Secure (SOCKS) implementation inside the backdoor.”
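The article does not describe how SprySOCKS implements SOCKS, and the example below is not Trend Micro's code or anything recovered from the backdoor. It is an added, generic illustration of what a standard SOCKS5 negotiation (RFC 1928) looks like on the wire, written from the detection side: a parser for the client greeting and request, plus a small function that flags captured flows whose first client payload is a SOCKS5 greeting. The flow records and byte strings are constructed sample data; the field names and the `find_socks5_flows` helper are assumptions for the example.

```python
# Added example: minimal SOCKS5 (RFC 1928) handshake parser for traffic triage.
# Not from the Trend Micro report; all sample bytes below are constructed.
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Parse the client greeting (VER NMETHODS METHODS...).
    Returns the offered auth methods, or None if this is not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Parse the client request (VER CMD RSV ATYP DST.ADDR DST.PORT)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        end = 8
        if len(data) < end:
            return None
        host = ".".join(str(b) for b in data[4:8])
    elif atyp == ATYP_IPV6:
        end = 20
        if len(data) < end:
            return None
        host = socket.inet_ntop(socket.AF_INET6, data[4:20])
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        end = 5 + data[4]
        if len(data) < end:
            return None
        host = data[5:end].decode("ascii", errors="replace")
    else:
        return None
    if len(data) != end + 2:  # exactly a 2-byte big-endian port must follow
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return Socks5Request(CMD_NAMES[cmd], host, port)


# Constructed flow records: (client, server, first bytes the client sent).
# A host that is not a sanctioned proxy speaking SOCKS5 outbound is worth a look.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", b"\x05\x01\x00"),          # SOCKS5, no-auth only
    ("10.0.0.5", "203.0.113.7", b"GET / HTTP/1.1\r\n"),    # plain HTTP, ignored
    ("10.0.0.9", "203.0.113.8", b"\x05\x02\x00\x02"),      # SOCKS5, no-auth or user/pass
]


def find_socks5_flows(flows: Iterable[Tuple[str, str, bytes]]):
    """Return (client, server, methods) for flows whose first client payload
    parses as a SOCKS5 greeting."""
    hits = []
    for client, server, payload in flows:
        methods = parse_greeting(payload)
        if methods is not None:
            hits.append((client, server, methods))
    return hits


if __name__ == "__main__":
    for client, server, methods in find_socks5_flows(SAMPLE_FLOWS):
        print(f"SOCKS5 greeting {client} -> {server}, auth methods offered: {methods}")
    req = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"  # CONNECT example.com:443
    print(parse_request(req))
```

The parser rejects anything that is not byte-exact against the RFC layout, so it produces few false positives on ordinary TLS or HTTP flows; the useful signal is a SOCKS5 greeting originating from a host that has no business acting as a proxy client.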

Earth Lusca-abused Vulnerabilities

This new bit of kit in Earth Lusca’s toolbox makes the group more potent in its efforts, which were already rather aggressive. It was reported that the group has been “frequently exploiting server-based N-day vulnerabilities” with a focus “primarily on countries in Southeast Asia, Central Asia, and the Balkans (with a few scattered attacks on Latin American and African countries).” Within these countries, the main targets have been government organizations involved in foreign affairs, technology, and telecommunications.

Given clear evidence that threat actors are adapting and developing new tools, the researchers note, "It is important that organizations proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach.” Realistically, a cybersecurity incident is a matter of when, not if. As such, “Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance.” You do not want to be the victim of a new cybersecurity threat just because of bad security hygiene.