SprySOCKS Linux malware used in cyber attacks

New SprySOCKS Linux malware used in cyber espionage attacks

Earth Lusca, a China-linked cyber-espionage group, has been observed attacking government agencies in several countries with a previously undocumented Linux backdoor that Trend Micro named 'SprySOCKS'.

Trend Micro's analysis traces the backdoor back to Trochilus, an open-source Windows remote access trojan: much of Trochilus's functionality has been ported to Linux.

SprySOCKS is not a straight port, though. Its command-and-control (C2) protocol resembles that of RedLeaves, another Windows backdoor, while its interactive shell implementation appears to have been taken from Derusbi, a malware family with a Linux variant. The mixed lineage matters for defenders: signatures written for any one of those families will only partially match SprySOCKS.

Earth Lusca's Campaign Against Government Entities

During the first half of the year, Earth Lusca remained active, targeting government organizations dealing with foreign affairs, technology, and telecommunications. Victims were concentrated in Southeast Asia, Central Asia, and the Balkans, with additional targets elsewhere in the world.

Trend Micro reports that Earth Lusca obtains initial access by exploiting several unauthenticated remote code execution vulnerabilities in internet-facing servers. None of these are zero-days: they were publicly disclosed between 2019 and 2022 and have vendor patches available.

Successful exploitation is used to drop Cobalt Strike beacons, which give the attackers remote access to the compromised network. From there they move laterally, exfiltrate files, steal account credentials, and deploy further payloads such as ShadowPad.

The Cobalt Strike beacons are also used to deliver the SprySOCKS loader, a modified version of the open-source Linux ELF injector "mandibule." The loader is dropped on targeted systems under the file name 'libmonitor.so.2', so that it blends in with legitimate shared libraries.

Trend Micro's researchers note that the attackers modified mandibule in a hurry: the resulting binary still contains debug messages and symbols, which made analysis easier and gives defenders additional strings to hunt for.

To hide from casual process listings, the loader renames its process to "kworker/0:22", imitating a Linux kernel worker thread. The disguise is only skin-deep: genuine kernel threads are children of kthreadd (PID 2), have an empty /proc/<pid>/cmdline, and have no /proc/<pid>/exe link, so a user-space process with that name is easy to single out. The loader then decrypts the second-stage payload (SprySOCKS) in memory and establishes persistence on the compromised host.
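The process-name disguise described above can be checked from /proc. The following is an added example of such a check, written for this article rather than taken from Trend Micro's report or from the malware: it flags any process that calls itself a kernel worker but is not a child of kthreadd, or exposes a command line or an executable link, neither of which a real kernel thread has. The sample process records at the bottom are constructed for illustration; the paths in them are made up.

```python
"""Flag user-space processes masquerading as Linux kernel threads (e.g. "kworker/0:22").

Real kernel threads are forked by kthreadd (PID 2), have an empty
/proc/<pid>/cmdline and no readable /proc/<pid>/exe link. A user-space
process can set its name with prctl(PR_SET_NAME) or by rewriting argv[0],
but it cannot change its parent to kthreadd.
"""
import os
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional

KTHREADD_PID = 2
# Name prefixes used by common kernel threads; a process with one of these
# names that fails the checks below is almost certainly masquerading.
KERNEL_THREAD_PREFIXES = ("kworker", "ksoftirqd", "migration", "rcu_", "kswapd", "kcompactd")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, 15 chars max, attacker controlled
    cmdline: bytes       # raw /proc/<pid>/cmdline, b"" for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when absent/unreadable


def is_fake_kernel_thread(p: Proc) -> bool:
    """True when the process claims a kernel-thread name but is not one."""
    if p.pid == KTHREADD_PID or not p.comm.startswith(KERNEL_THREAD_PREFIXES):
        return False
    return (
        p.ppid != KTHREADD_PID      # not forked by kthreadd: decisive on its own
        or p.cmdline != b""         # kernel threads have no argv
        or p.exe is not None        # kernel threads have no backing executable
    )


def read_procs() -> Iterator[Proc]:
    """Enumerate /proc on a Linux host (skips processes that exit mid-scan)."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue
        # comm is wrapped in parentheses and may itself contain spaces or ')',
        # so split on the LAST ')' rather than on whitespace.
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        fields = stat[stat.rindex(")") + 2:].split()   # [state, ppid, pgrp, ...]
        ppid = int(fields[1])
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        yield Proc(pid, ppid, comm, cmdline, exe)


def find_fake_kernel_threads(procs) -> List[Proc]:
    return [p for p in procs if is_fake_kernel_thread(p)]


# Constructed sample records (not real telemetry); paths are invented.
SAMPLE_PROCS = [
    Proc(42, KTHREADD_PID, "kworker/0:22", b"", None),                       # genuine
    Proc(1337, 1, "kworker/0:22", b"kworker/0:22\x00", "/tmp/.cache/monitor"),  # loader-style fake
    Proc(1400, 1, "kworker/u8:3", b"", None),                                # argv wiped, still wrong parent
    Proc(900, 1, "sshd", b"/usr/sbin/sshd\x00-D\x00", "/usr/sbin/sshd"),     # ordinary daemon
]

if __name__ == "__main__":
    procs = read_procs() if sys.platform.startswith("linux") else SAMPLE_PROCS
    for p in find_fake_kernel_threads(procs):
        print(f"SUSPICIOUS pid={p.pid} ppid={p.ppid} comm={p.comm!r} exe={p.exe!r}")
```

Run it as root so every /proc/<pid>/exe link is readable; an unreadable link is reported as None, which would otherwise let a well-hidden process pass the third check, so the parent-PID test is the one to rely on.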



Capabilities of SprySOCKS Backdoor

SprySOCKS is built on 'HP-Socket', a high-performance open-source networking framework, and encrypts its TCP traffic to the command-and-control server (C2) with AES in ECB mode. ECB is a weak choice for the attackers: identical plaintext blocks produce identical ciphertext blocks, so repetitive beacon or heartbeat structures leave visible patterns in the traffic that a network sensor can score without knowing the key.
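The pattern leakage of ECB mentioned above is something a network detection can exploit. The following is an added example, not code from the report or the malware: it counts repeated 16-byte blocks in a captured payload and flags traffic whose repeat ratio is far above what a properly chained cipher would produce. Since the example must run without an AES library, a keyed SHA-256 truncated to 16 bytes stands in for the block cipher; it is not AES and not decryptable, but it has the one property that matters here, namely that ECB maps equal input blocks to equal output blocks, while the CBC-style chaining variant does not. The heartbeat plaintext is constructed for the demonstration and is not SprySOCKS's real message format.

```python
"""Score captured TCP payloads for AES-ECB style block repetition."""
import hashlib
from typing import Dict, List

BLOCK = 16  # AES block size in bytes


def ecb_block_stats(payload: bytes, block_size: int = BLOCK) -> Dict[str, float]:
    """Count distinct block_size-byte blocks; repeat_ratio = 1 - distinct/total.
    A chained or stream cipher gives a ratio of ~0 on any realistic payload."""
    usable = len(payload) - len(payload) % block_size
    blocks = [payload[i:i + block_size] for i in range(0, usable, block_size)]
    if not blocks:
        return {"blocks": 0, "distinct": 0, "repeat_ratio": 0.0}
    distinct = len(set(blocks))
    return {"blocks": len(blocks), "distinct": distinct,
            "repeat_ratio": 1.0 - distinct / len(blocks)}


def looks_like_ecb(payload: bytes, threshold: float = 0.2) -> bool:
    """Heuristic: 20% repeated blocks is unreachable for CBC/CTR/GCM ciphertext."""
    return ecb_block_stats(payload)["repeat_ratio"] >= threshold


# --- Stand-in block ciphers (assumption: keyed SHA-256 truncated to 16 bytes,
# --- used only to reproduce ECB's deterministic block mapping; NOT AES). ---
def _pkcs7(data: bytes) -> bytes:
    pad = BLOCK - len(data) % BLOCK
    return data + bytes([pad]) * pad


def _block_fn(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:BLOCK]


def standin_ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    padded = _pkcs7(plaintext)
    return b"".join(_block_fn(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def standin_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = _pkcs7(plaintext)
    out: List[bytes] = []
    prev = iv
    for i in range(0, len(padded), BLOCK):
        chained = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _block_fn(key, chained)
        out.append(prev)
    return b"".join(out)


# Constructed beacon: 8 fixed-layout heartbeat records, each 32 bytes,
# with a zero-filled 16-byte field followed by a fixed tag. Not a real format.
HEARTBEAT_RECORD = b"\x00" * 16 + b"HEARTBEAT".ljust(16, b"\x00")
BEACON_PLAINTEXT = HEARTBEAT_RECORD * 8
KEY = b"constructed-demo-key-not-real!!!"
IV = b"\x01" * BLOCK

ECB_CAPTURE = standin_ecb_encrypt(KEY, BEACON_PLAINTEXT)
CBC_CAPTURE = standin_cbc_encrypt(KEY, IV, BEACON_PLAINTEXT)

if __name__ == "__main__":
    for label, capture in (("ECB", ECB_CAPTURE), ("CBC", CBC_CAPTURE)):
        stats = ecb_block_stats(capture)
        print(f"{label}: {stats['distinct']}/{stats['blocks']} distinct blocks, "
              f"repeat_ratio={stats['repeat_ratio']:.2f}, flagged={looks_like_ecb(capture)}")
```

With the sample beacon the ECB capture collapses to three distinct blocks out of seventeen (the two record halves plus the padding block), while the chained variant yields seventeen distinct blocks. On real traffic, run the scorer over reassembled TCP payloads per flow and alert on flows whose ratio stays high across several messages; a single short message can legitimately score zero.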

Key features of this newly identified malware include:

1. System Information Gathering: SprySOCKS collects various system details, such as operating system information, memory status, IP address, group name, language settings, and CPU specifications.

2. Interactive Shell: It has the capability to initiate an interactive shell, utilizing the PTY subsystem.

3. Network Connection Enumeration: The malware can list active network connections.

4. SOCKS Proxy Management: It can manage SOCKS proxy configurations.

5. File Operations: SprySOCKS can perform fundamental file operations, including uploading, downloading, listing files, deleting, renaming, and creating directories.

To identify each victim, the malware derives a client ID (the "victim number") from the MAC address of the first listed network interface combined with certain CPU feature values, and encodes the result as a 28-byte hexadecimal string. Because the ID is deterministic, the same host re-infected later reports the same victim number to the C2.

Trend Micro identified two versions of SprySOCKS, v1.1 and v1.3.6, which indicates the backdoor is under active development.

Organizations should prioritize applying available security updates to internet-facing server products: every initial-access vulnerability attributed to Earth Lusca in this campaign has a patch, so keeping those systems current removes the group's entry point.
