Researchers have discovered a never-before-seen backdoor for Linux used by a threat actor linked to the Chinese government.
The new backdoor comes from a Windows backdoor named Trochilus, which was first spotted in 2015 by researchers from Arbor Networks, now known as Netscout. They say that Trochilus kills and runs only in memory, and the final payload never appears on the disks in most cases. That makes it difficult to detect malware. Researchers from the UK’s NHS Digital say Trochilus was created by APT10, an advanced persistent threat group linked to the Chinese government also known as Stone Panda and MenuPass.
Other groups eventually used it, and its source code has been available on GitHub for over six years. Trochilus has been seen used in campaigns that use a separate piece of malware known as RedLeaves.
In June, researchers from the security firm Trend Micro found an encrypted binary file on a server known to be used by a group they have been tracking since 2021. Through a search on VirusTotal for the file name, libmonitor.so.2, the researchers found an executable Linux file named “mkmon”. This executable has credentials that can be used to decrypt the libmonitor.so.2 file and recover its original payload, leading the researchers to conclude that “mkmon” is an installation file that delivers decrypts libmonitor.so.2.
The Linux malware ports many of the functions found in Trochilus and combines them with a new implementation of Socket Secure (SOCKS). Trend Micro researchers eventually named their discovery SprySOCKS, with “spry” referring to its fast behavior and the added SOCKS component.
SprySOCKS implements standard backdoor capabilities, including collecting system information, opening an interactive remote shell for controlling compromised systems, listing network connections, and creating a proxy. based on the SOCKS protocol for uploading files and other data between the compromised system and the one controlled by the attacker. command server. The following table shows some of the capabilities:
| Message ID | Notes |
|---|---|
| 0x09 | Gets machine information |
| 0x0a | Starts the interactive shell |
| 0x0b | Data is written to the interactive shell |
| 0x0d | Stops the interactive shell |
| 0x0e | Lists network connections (parameters: “ip”, “port”, “commName”, “connectType”) |
| 0x0f | Sending packet (parameter: “target”) |
| 0x14, 0x19 | Sends the initialization packet |
| 0x16 | Creates and configures the client |
| 0x17 | Lists network connections (parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”, “listen_port”) |
| 0x23 | Creates a SOCKS proxy |
| 0x24 | Terminates the SOCKS proxy |
| 0x25 | Forward SOCKS proxy data |
| 0x2a | Uploading a file (parameters: “transfer_id”, “size”) |
| 0x2b | Got a file transfer ID |
| 0x2c | File download (parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size”) |
| 0x2d | Gets transfer status (parameters: “state”, “transferId”, “result”, “packageId”) |
| 0x3c | Enumerated files in root / |
| 0x3d | Enumerates the files in the directory |
| 0x3e | Delete the file |
| 0x3f | Creates a directory |
| 0x40 | File name changed |
| 0x41 | No surgery |
| 0x42 | Related operations 0x3c – 0x40 (srcPath, destPath) |
After decrypting the binary and finding SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search contained a version of the malware with release number 1.1. The version found by Trend Micro is 1.3.6. The multiple versions suggest that the backdoor is currently under development.
The command and control server attached to SprySOCKS bears significant similarities to a server used in a campaign with another piece of Windows malware known as RedLeaves. Like SprySOCKS, RedLeaves is also based on Trochilus. The strings found in Trochilus and RedLeaves are also found in the SOCKS component added to SprySOCKS. The SOCKS code is borrowed from HP-Socket, a high-performance network framework with Chinese origins.
Trend Micro attributes SprySOCKS to a threat actor named Earth Lusca. Researchers discovered the group in 2021 and documented it the following year. Earth Lusca targets organizations around the world, especially governments in Asia. It uses social engineering to lure targets to watering-hole sites where the targets are infected with malware. Besides showing an interest in espionage activities, Earth Lusca seems to be financially motivated, with sights set on gambling and cryptocurrency companies.
The same Earth Lusca server that hosts SprySOCKS also delivers payloads known as Cobalt Strike and Winnti. Cobalt Strike is a hacking tool used by security professionals and threat actors. It provides a full set of tools for finding and exploiting vulnerabilities. Earth Lusca uses it to expand its reach after gaining an initial hold within a targeted environment. Winnti, on the other hand, is the name of two sets of malware that have been used for more than a decade as well as the identifier for several different threat groups, all connected to the Chinese government’s intelligence apparatus, which is one of the world’s largest hacking syndicates.
Monday’s Trend Micro report provides IP addresses, file hashes, and other evidence that people can use to determine if they’ve been compromised.
