
Cyber espionage: Earth Lusca uses new Linux malware

A sophisticated cyber espionage attack endangers the security of Linux networks


A China-linked cyber espionage actor known as "Earth Lusca" has begun using a Linux backdoor whose features appear to be inspired by previously known malware tools. The malware, named "SprySOCKS" by Trend Micro researchers, is a Linux variant of "Trochilus", a remote access Trojan for Windows whose code was made public in 2017. SprySOCKS lets threat actors install and remotely uninstall files, log keystrokes, take screen captures, and manage files and registries. It also enables lateral movement within the network. Its code base indicates that it was developed from Trochilus, with several components reimplemented for Linux systems.

Features of SprySOCKS malware

The version of SprySOCKS used by Earth Lusca features an interactive shell that appears to be inspired by the Linux version of Derusbi, an evolving family of RATs (Remote Access Trojans) used by advanced persistent threat groups since 2008. Additionally, the SprySOCKS command and control (C2) resembles that used by a second RAT called RedLeaves, which has been used in cyber espionage campaigns for more than five years. Like other similar malware, SprySOCKS is capable of collecting system information, launching an interactive shell, listing network connections, and uploading and exfiltrating files.

Threat actor Earth Lusca and its goals

Earth Lusca is a China-linked threat actor believed to be part of the Winnti group, which is alleged to operate in support of Chinese economic objectives. Since 2021, Earth Lusca has targeted government organizations in Asia, Latin America, and other regions. Its targets include government institutions, educational organizations, pro-democracy and human rights groups, religious organizations, media companies, and organizations involved in COVID-19 research. Trend Micro noted that Earth Lusca is especially interested in government entities involved in foreign relations, telecommunications, and technology. Additionally, while most of Earth Lusca's attacks appear to be related to cyber espionage, the group also sometimes targets cryptocurrency and gambling companies, indicating a financial motivation as well.

Attack methods and exploited vulnerabilities

To gain access to victims' networks, Earth Lusca uses spear-phishing, social engineering, and collateral attacks. Throughout this year, Earth Lusca actors have also been actively targeting "n-day" vulnerabilities in web applications. "n-day" vulnerabilities are flaws that have been disclosed by the vendor but for which a patch is not yet available. Among the vulnerabilities exploited by Earth Lusca this year are CVE-2022-40684, an authentication bypass vulnerability in Fortinet's FortiOS and other Fortinet products; CVE-2022-39952, a remote code execution (RCE) bug in Fortinet FortiNAC; and CVE-2019-18935, an RCE in Progress Telerik UI for ASP.NET AJAX. Earth Lusca exploits these vulnerabilities to infiltrate victims' networks and install advanced tools for long-term espionage activity.


09/19/2023 22:00

Editorial AI
