Earth Lusca Uses SprySOCKS Linux Backdoor Against Government Entities

Written by Mitchell Langley

September 19, 2023

The China-linked threat group, Earth Lusca, has come into the cybersecurity spotlight for deploying a novel Linux backdoor named SprySOCKS.

Earth Lusca, initially brought to public attention by Trend Micro in January 2022, has consistently posed a formidable threat to governmental and corporate entities across the globe, with a focus on Asia, Australia, Europe, and North America.

Operating since 2021, Earth Lusca is known for employing spear-phishing and watering hole attacks as primary tactics in its cyber espionage campaigns. Its activities overlap notably with those of another threat cluster, RedHotel, as tracked by Recorded Future.

Fresh insights from cybersecurity experts reveal that Earth Lusca remains a dynamic and active entity, with an expanded geographical scope that encompasses organizations worldwide during the first half of 2023.

Government departments dealing with foreign affairs, technology, and telecommunications are the group’s primary targets, with a strong concentration of attacks observed in Southeast Asia, Central Asia, and the Balkans.

Earth Lusca’s Modus Operandi

The modus operandi typically involves exploiting known security vulnerabilities in public-facing servers, including Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra, to establish web shells and deploy Cobalt Strike for lateral movement within the compromised systems.

Earth Lusca’s objectives extend beyond initial access: the group intends to exfiltrate sensitive documents and email credentials, and to deploy advanced backdoors such as ShadowPad and the Linux version of Winnti, allowing for sustained espionage activities against its selected targets.

Notably, SprySOCKS, the newly discovered Linux backdoor, has made an appearance on the same servers used to distribute Cobalt Strike and Winnti. This backdoor has roots in the open-source Windows backdoor known as Trochilus, previously associated with the Chinese hacking group, Webworm.

Loaded via a variant of an ELF injector component referred to as ‘mandibule,’ SprySOCKS demonstrates capabilities to collect system information, initiate an interactive shell, establish and terminate SOCKS proxies, and execute various file and directory operations.

Command-and-control (C2) communication is facilitated via the Transmission Control Protocol (TCP), resembling a structure previously observed in a Windows-based trojan known as RedLeaves, which is, in turn, based on Trochilus.

It is crucial for organizations to adopt proactive security measures by managing their attack surface, minimizing potential entry points into their systems, and reducing the risk of successful breaches. Maintaining a robust patching regimen and keeping tools, software, and systems up to date is paramount to ensuring security, functionality, and overall system performance in the face of evolving threats.
