Earth Lusca runs cyberespionage using SprySOCKS malware

December 21, 2023

The notorious Chinese hacker group Earth Lusca has employed a sophisticated Linux malware called SprySOCKS to execute cyber espionage operations that target government agencies worldwide.

The Linux malware SprySOCKS allegedly originated from the Trochilus open-source Windows malware. Its malware developers adapted many of its functions from the Windows variant to infiltrate Linux systems.

However, this malware appears to be a combination of multiple malicious tools: its command-and-control server communication protocol resembles that of RedLeaves, a Windows-based backdoor, while its interactive shell implementation was taken from a Linux malware variant called Derusbi.

This Chinese-speaking threat group has been active throughout the first half of this year and has targeted government organisations involved in foreign affairs, technology, and telecommunications across Southeast Asia, Central Asia, the Balkans, and elsewhere worldwide.

Additionally, they have exploited several unauthenticated RCE flaws from 2019 to 2022 to infiltrate internet-exposed endpoints. They launch Cobalt Strike beacons, granting them remote access to compromised networks. These beacons could also provide lateral movement, file exfiltration, credential theft, and the deployment of additional payloads, such as ShadowPad.

Earth Lusca launches the SprySOCKS loader.

Earth Lusca deploys the SprySOCKS loader, a Linux ELF injector called mandibule, to enhance its capabilities. It arrives on targeted devices by disguising itself as ‘libmonitor.so.2.’

However, the threat actors could have carelessly developed the malware without debugging messages and symbols. The loader runs under the process name “kworker/0:22,” impersonating a Linux kernel worker thread, decrypts the second-stage payload (SprySOCKS), and establishes persistence on the infected device.
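As an added defender-side example (not code from this article or from the research it reports on), the following Python check flags processes that carry a kworker name, like the “kworker/0:22” disguise described above, yet lack the properties of a genuine kernel thread: a real kworker is a child of kthreadd (PID 2), has no backing executable, and has an empty command line. It assumes a standard Linux /proc layout; the sample snapshot and its paths are constructed.

```python
import os
import re
from collections import namedtuple

# Names the Linux kernel gives its worker threads, e.g. "kworker/0:22", "kworker/u8:3H", "kworker/0:1-events".
KWORKER_NAME = re.compile(r"^kworker/u?\d+:\d+H?(-\S*)?$")
KTHREADD_PID = 2  # every genuine kworker is forked by kthreadd (pid 2)
# comm = /proc/<pid>/comm; exe = target of /proc/<pid>/exe ("" if absent); cmdline = /proc/<pid>/cmdline
Proc = namedtuple("Proc", "pid ppid comm exe cmdline")

def is_kworker_impostor(p):
    """Genuine kworkers are children of kthreadd with no executable and an empty cmdline;
    a userland process that merely renamed itself fails at least one of those checks."""
    if not KWORKER_NAME.match(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.exe != "" or p.cmdline != ""

def find_impostors(procs):
    return [p for p in procs if is_kworker_impostor(p)]

def read_live_procs():
    """Snapshot /proc on a Linux host; run as root so every exe link is readable."""
    procs = []
    for pid in (int(n) for n in os.listdir("/proc") if n.isdigit()):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            stat = open(f"/proc/{pid}/stat").read()
            ppid = int(stat.rsplit(")", 1)[1].split()[1])  # field right after the state letter
            raw = open(f"/proc/{pid}/cmdline", "rb").read()
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:  # kernel threads have no exe link
                exe = ""
        except (OSError, ValueError):  # process exited mid-scan
            continue
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs

# Constructed sample snapshot (not real telemetry): a genuine kworker, a normal daemon, and a
# userland process that renamed itself to the kworker/0:22 name mentioned in the article.
SAMPLE = [
    Proc(37, 2, "kworker/0:1", "", ""),
    Proc(1201, 1, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(4123, 1, "kworker/0:22", "/dev/shm/.m", "kworker/0:22"),  # constructed path
]

if __name__ == "__main__":
    for p in find_impostors(read_live_procs() if os.path.isdir("/proc") else SAMPLE):
        print(f"suspicious: pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe!r}")
```

Run unprivileged, an unreadable exe link is reported as empty, so a root-owned impostor whose parent is PID 2 could slip through; run the scan as root for reliable results.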

SprySOCKS utilises the HP-Socket high-performance networking framework for its campaigns and establishes encrypted communication with the command-and-control server using AES-ECB.

Lastly, the malware’s primary abilities include system information collection, initiating an interactive shell, managing SOCKS proxy configurations, sorting network connections, and running various file operations.

Currently, two known versions of SprySOCKS, v1.1 and v1.3.6, indicate ongoing development efforts by the threat actors.

Organisations should prioritise applying the latest security updates to their public-facing server products to counter these emerging threats. These proactive measures could also help prevent initial infection by Earth Lusca and mitigate the risks posed by the SprySOCKS malware.
