Jump to content
Login new information ×
Login new information
  • Security & Privacy News

    Chinese hackers are exploiting a new Linux backdoor to target national governments

    aum

    By aum,
    Published Date:

    • 1 comment
    • 468 views
    • 2 minutes
     Share
    • 1 comment
    • 468 views
    • 2 minutes

    A Chinese threat actor was observed targeting multiple governments around the world with a new Linux backdoor, according to new findings from Trend Micro.

     

    As reported by BleepingComputer, the group is called Earth Lusca, and has been active in the first half of the year, targeting government organizations in Southeast Asia, Central Asia, the Balkans, and elsewhere. The organizations were mostly focused on foreign affairs, technology, and telecommunications. Earth Lusca’s goal seems to be espionage.

     

    To compromise their targets’ endpoints, the group used multiple n-day unauthenticated remote code execution flaws, most of which were discovered and addressed between 2019 and 2022. Through these flaws, they’d drop Cobalt Strike beacons, which were later used to deploy a new Linux backdoor called SprySOCKS.

     

    Stealing files and more

     

    SprySOCKS is not brand new, though. Its code is a mix of multiple other malware variants, it was said, including the Trochilus open-source malware for Windows, a backdoor for the same OS called RedLeaves, and Derusbi, which is a Linux malware. 

     

    Its key functionalities include system information harvesting, starting an interactive shell using the PTY subsystem, listing network connections, managing SOCKS proxy configurations, as well as the usual capabilities such as uploading and downloading files. 

     

    Besides SprySOCKS, the group was seen dropping a Linux ELF injector dubbed “mandibule”, as well. Mandible itself was tweaked and changed, but in a relatively sloppy manner, it seems, as researchers found debug messages and symbols behind, indicating that the developers weren’t really paying attention that much. 

     

    SprySOCKS, on the other hand, is in active development, the researchers concluded. So far, they managed to obtain two versions of the backdoor, including v1.1 and v.1.3.6. 

     

    The best way to protect against such threats is to make sure all endpoints are patched regularly.

     

    Source

     

    Also:  Chinese hackers have unleashed a never-before-seen Linux backdoor.

     Share
    Go to news

    User Feedback

    Recommended Comments

    Nuclear Fallout

    Watering down Security as the US Government would love to do and has so in the past is clearly a bad way to protect us all.  Peer reviews, independent research is the way to go.

    Link to comment
    Share on other sites


    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...