New Linux Backdoor Linked to Chinese Government Uncovered by Researchers

by time news

Title: Chinese Government-Linked Threat Actor Utilizes New Linux Backdoor, Researchers Discover

Introduction:
Researchers have recently uncovered a previously unseen Linux backdoor attributed to a threat actor linked to the Chinese government. The new backdoor, named SprySOCKS, is believed to have originated from Trochilus, a Windows backdoor first detected in 2015. The discovery sheds light on the evolving tactics of this advanced persistent threat group, which has been actively engaged in cyber espionage as well as financially motivated activity.

Background:
Trochilus, the precursor to SprySOCKS, was a memory-resident malware with a stealthy execution method that made it difficult to detect. APT10, also known as Stone Panda and MenuPass, was identified as the group behind Trochilus. The source code for Trochilus has been available on GitHub for over six years, providing the foundation for the development and evolution of SprySOCKS.

SprySOCKS:
Researchers from security firm Trend Micro discovered SprySOCKS while investigating a group they had been tracking since 2021. They found an encrypted binary file on a server known to be associated with the threat actor. Upon decrypting it, they identified SprySOCKS, which combines several functions from Trochilus with a newly implemented Socket Secure (SOCKS) component. SprySOCKS allows the threat actor to perform backdoor activities such as information collection, remote shell control, network connection listing, and file/data uploading, using the SOCKS protocol.

Attribution and Similarities:
Trend Micro has attributed SprySOCKS to a threat actor they have named Earth Lusca, which they discovered in 2021. Earth Lusca primarily targets government organizations in Asia and exhibits interest in espionage as well as financial motives, particularly gambling and cryptocurrency companies. Notably, the command and control server used by SprySOCKS shares similarities with a server associated with the RedLeaves malware, which is also based on Trochilus. This suggests a possible connection between Earth Lusca and previous campaigns involving RedLeaves.

Implications and Payload Delivery:
The same server hosting SprySOCKS has been found to deliver other malicious payloads, including the well-known Cobalt Strike and Winnti malware. Cobalt Strike is a widely used hacking tool employed by both security professionals and threat actors for discovering and exploiting vulnerabilities. Winnti, on the other hand, refers to a suite of malware as well as a network of distinct threat groups connected to the Chinese government’s intelligence apparatus. This indicates the breadth of capabilities and intentions of the threat actor behind SprySOCKS.

Mitigation and Identification:
To assist in identifying potential compromises, Trend Micro’s report provides IP addresses, file hashes, and other evidence related to SprySOCKS. Organizations and individuals are encouraged to review this information and take necessary steps to protect their systems against this new Linux backdoor.

Conclusion:
The discovery of SprySOCKS highlights the evolving techniques employed by threat actors with state-sponsored ties. The utilization of Linux-based backdoors underscores the need for constant vigilance and strong cybersecurity measures. By staying informed and implementing appropriate defensive strategies, organizations can mitigate the risks posed by these sophisticated threats.
