Insights, news, education and announcements from PolySwarm

Earth Lusca's SprySOCKS Linux Backdoor

Written by The Hivemind | Sep 25, 2023 6:06:11 PM

Related Families: Mandibule, Cobalt Strike, Trochilus, RedLeaves
Verticals Targeted: Government 

Executive Summary

China nexus threat actor group Earth Lusca was observed using a Linux-based backdoor dubbed SprySOCKS to target government entities.

Key Takeaways

  • China nexus threat actor group Earth Lusca was observed using a Linux-based backdoor dubbed SprySOCKS to target government entities.
  • SprySOCKS appears to be based on the Trochilus Windows backdoor. 
  • The loader used in these attacks was based on Mandibule, a publicly available Linux ELF injector. 
  • The aim of these attacks appears to be espionage.

What is SprySOCKS?

China nexus threat actor group Earth Lusca was observed using a Linux-based backdoor dubbed SprySOCKS to target government entities. Targeted regions included Southeast Asia, Central Asia, and the Balkans, as well as several entities in Latin America and Africa. SprySOCKS appears to be based on the Trochilus Windows backdoor. Trend Micro recently reported on this activity.

Trend Micro named the backdoor SprySOCKS due to its swift behaviors and the Socket Secure (SOCKS) implementation used. Trend Micro discovered at least two SprySOCKS versions and noted it appears to still be under development. They also noted the interactive shell used is similar to the one used in the Linux variant of Derusbi. SprySOCKS C2 is similar to the one used by the RedLeaves backdoor, which was also based on Trochilus. The loader used in these attacks was based on Mandibule, a publicly available Linux ELF injector.

Earth Lusca has been observed exploiting multiple server-based N-day vulnerabilities, including CVE-2022-40684, CVE-2022-39952, CVE-2021-22205, CVE-2019-18935, CVE-2019-9670, CVE-2019-9621, and the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

After infiltrating the victim's network, the threat actors deploy a web shell and use Cobalt Strike for lateral movement. The aim of these attacks appears to be espionage, as the threat actors were observed attempting to profile victim systems and exfiltrate documents and email account credentials. They were also observed deploying additional backdoors typically used for long-game espionage, such as ShadowPad and the Linux version of Winnti.

Who is Earth Lusca?

Earth Lusca, also known as Aquatic Panda, Chromium, Bronze University, and Fishmonger, is a China nexus threat actor group known to target academic, telecommunications, religious, and civil society entities. They have also been observed targeting cryptocurrency exchanges. In 2022, Aquatic Panda was observed targeting high-value targets in both the public and private sectors, including government, education, religious, human rights, medical research, and media entities. 

IOCs

PolySwarm has multiple samples associated with this activity.

 

F8ba9179d8f34e2643ee4f8bc51c8af046e3762508a005a2d961154f639b2912 (SprySOCKS)

65b27e84d9f22b41949e42e8c0b1e4b88c75211cbf94d5fd66edc4ebe21b7359 (Mandibule)

 

You can use the following CLI command to search for all SprySOCKS samples in our portal:

$ polyswarm link list -f SprySOCKS

 

You can use the following CLI command to search for all Mandibule samples in our portal:

$ polyswarm link list -f Mandibule

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports