
Chinese hackers have unleashed a never-before-seen Linux backdoor – Ars Technica

Researchers have discovered a never-before-seen backdoor for Linux that’s being used by a threat actor linked to the Chinese government.

The new backdoor originates from a Windows backdoor named Trochilus, which was first seen in 2015 by researchers from Arbor Networks, now known as Netscout. They said that Trochilus executed and ran only in memory, and the final payload never appeared on disks in most cases. That made the malware difficult to detect. Researchers from NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.

Other groups eventually used it, and its source code has been available on GitHub for more than six years. Trochilus has been seen being used in campaigns that used a separate piece of malware known as RedLeaves.

In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. By searching VirusTotal for the file name, libmonitor.so.2, the researchers located a Linux executable named “mkmon”. This executable contained credentials that could be used to decrypt the libmonitor.so.2 file and recover its original payload, leading the researchers to conclude that “mkmon” is an installer that delivered and decrypted libmonitor.so.2.

The Linux malware ported several functions found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation. The Trend Micro researchers eventually named their discovery SprySOCKS, with “spry” denoting its swift behavior and the added SOCKS component.

SprySOCKS implements the usual backdoor capabilities, including collecting system information, opening an interactive remote shell for controlling compromised systems, listing network connections, and creating a proxy based on the SOCKS protocol for uploading files and other data between the compromised system and the attacker-controlled command server. The following table shows some of the capabilities:

Message ID    Notes
----------    -----
0x09          Gets machine information
0x0a          Starts interactive shell
0x0b          Writes data to interactive shell
0x0d          Stops interactive shell
0x0e          Lists network connections (parameters: “ip”, “port”, “commName”, “connectType”)
0x0f          Sends packet (parameter: “target”)
0x14, 0x19    Sends initialization packet
0x16          Generates and sets clientid
0x17          Lists network connections (parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”, “listen_port”)
0x23          Creates SOCKS proxy
0x24          Terminates SOCKS proxy
0x25          Forwards SOCKS proxy data
0x2a          Uploads file (parameters: “transfer_id”, “size”)
0x2b          Gets file transfer ID
0x2c          Downloads file (parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size”)
0x2d          Gets transfer status (parameters: “state”, “transferId”, “result”, “packageId”)
0x3c          Enumerates files in root /
0x3d          Enumerates files in directory
0x3e          Deletes file
0x3f          Creates directory
0x40          Renames file
0x41          No operation
0x42          Is related to operations 0x3c – 0x40 (srcPath, destPath)

After decrypting the binary and finding SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search turned up a version of the malware with the release number 1.1. The version Trend Micro found was 1.3.6. The multiple versions suggest that the backdoor is currently under development.

The command and control server that SprySOCKS connects to has major similarities to a server that was used in a campaign with a different piece of Windows malware known as RedLeaves. Like SprySOCKS, RedLeaves was also based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component that was added to SprySOCKS. The SOCKS code was borrowed from HP-Socket, a high-performance network framework with Chinese origins.

Trend Micro is attributing SprySOCKS to a threat actor it has dubbed Earth Lusca. The researchers discovered the group in 2021 and documented it the following year. Earth Lusca targets organizations around the world, primarily governments in Asia. It uses social engineering to lure targets to watering-hole sites, where they are infected with malware. Besides showing interest in espionage activities, Earth Lusca seems financially motivated, with sights set on gambling and cryptocurrency companies.

The same Earth Lusca server that hosted SprySOCKS also delivered the payloads known as Cobalt Strike and Winnti. Cobalt Strike is a hacking tool used by security professionals and threat actors alike. It provides a full suite of tools for finding and exploiting vulnerabilities. Earth Lusca was using it to expand its access after getting an initial toehold inside a targeted environment. Winnti, meanwhile, is the name of both a suite of malware that’s been in use for more than a decade and the identifier for a host of distinct threat groups, all connected to the Chinese government’s intelligence apparatus, that have been among the world’s most prolific hacking syndicates.

Monday’s Trend Micro report provides IP addresses, file hashes, and other evidence that people can use to determine if they’ve been compromised.
