Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement

In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023.

While monitoring the group, we managed to obtain an interesting, encrypted file hosted on the threat actor’s delivery server. We were able to find the original loader of the file on VirusTotal and successfully decrypted it. Interestingly, the decrypted payload is a Linux-targeted backdoor that we have never seen before. The main execution routine and its strings show that it originates from the open-source Windows backdoor Trochilus, with several functions being re-implemented for Linux systems. We named this new Linux variant SprySOCKS, referring to the swift behaviors of Trochilus and the new Socket Secure (SOCKS) implementation inside the backdoor.

Analysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.

Meanwhile, the structure of SprySOCKS’s command-and-control (C&C) protocol is similar to one used by the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines. It consists of two components, the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and running the main payload.

Similar to the Windows version, the Linux variant analyzed in this report also consists of these two components. Previously, it was reported that RedLeaves was also built upon the publicly available source code of Trochilus.

So far, we have only observed SprySOCKS used by Earth Lusca. In this blog entry, we will provide more context on Earth Lusca’s use of the malware, together with a thorough analysis of its components and capabilities.

Earth Lusca remained active during the first half of 2023, with its attacks focusing primarily on countries in Southeast Asia, Central Asia, and the Balkans (with a few scattered attacks on Latin American and African countries). The group’s main targets are government departments that are involved in foreign affairs, technology, and telecommunications.

Earth Lusca is now aggressively targeting the public-facing servers of its victims. Furthermore, we have seen them frequently exploiting server-based N-day vulnerabilities, including (but not limited to) the following: