Chinese hackers have released a never-before-seen Linux backdoor – Ars Technica


Researchers have discovered a never-before-seen Linux backdoor being used by a threat actor linked to the Chinese government.

The new backdoor is derived from a Windows backdoor named Trochilus, which was first seen in 2015 by researchers from Arbor Networks, now known as Netscout. They said that Trochilus executed and ran only in memory, and the final payload never appeared on disk in most cases. This made the malware difficult to detect. Researchers from NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.
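The in-memory execution described above is what defenders most often need to hunt for, so here is an added example, not part of the article or of the Trend Micro report: a small Python script that walks /proc on a Linux host and flags processes whose executable exists only in memory. The heuristics (a /proc/PID/exe link that points at a memfd: object, an unlinked file, or /dev/shm, and executable mappings backed by such files) are general Linux fileless-loader traces, not indicators specific to Trochilus or SprySOCKS; the sample maps text used below is constructed.

```python
"""Hunt for Linux processes whose executable lives only in memory.

Added example, not code from the article or the Trend Micro report.  A
payload that is loaded without ever being written to disk usually leaves one
of these traces: /proc/<pid>/exe resolves to "/memfd:..." or to a path
marked "(deleted)", or the process has executable mappings backed by such
objects.  This script classifies those traces and reports candidates.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Traces a memory-only loader tends to leave in /proc.  These are generic
# heuristics, not indicators taken from the report.
_DELETED_RE = re.compile(r" \(deleted\)$")
_MEMFD_RE = re.compile(r"^/memfd:")
_SHM_RE = re.compile(r"^/dev/shm/")


@dataclass(frozen=True)
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe(link_target: str) -> Optional[str]:
    """Return why an exe link target looks memory-only, or None if it does not."""
    if _MEMFD_RE.match(link_target):
        return "executable is an anonymous memfd object"
    if _DELETED_RE.search(link_target):
        return "executable file was unlinked after exec"
    if _SHM_RE.match(link_target):
        return "executable lives in tmpfs /dev/shm"
    return None


def suspicious_maps(maps_text: str) -> List[str]:
    """Return paths of executable mappings backed by deleted or memfd files.

    /proc/<pid>/maps lines are: address perms offset dev inode [pathname].
    Anonymous mappings have no pathname and are skipped.
    """
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue
        perms, path = fields[1], fields[5]
        if "x" in perms and classify_exe(path):
            hits.append(path)
    return hits


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk every numeric /proc entry and collect memory-only executables."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            target = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue  # kernel thread, no permission, or the process exited
        reason = classify_exe(target)
        if reason:
            findings.append(Finding(pid, target, reason))
            continue
        try:
            with open(f"{proc_root}/{pid}/maps") as fh:
                hits = suspicious_maps(fh.read())
        except OSError:
            continue
        if hits:
            findings.append(Finding(pid, target, "executable mapping from " + hits[0]))
    return findings


if __name__ == "__main__":
    # Run as root to see every process; unprivileged runs only see your own.
    for finding in scan_proc():
        print(f"pid={finding.pid} exe={finding.exe}: {finding.reason}")
```

Treat a hit as a lead rather than a verdict: a long-running daemon whose binary was replaced by a package upgrade also shows "(deleted)", and some legitimate runtimes use memfd for JIT code, so each candidate should be cross-checked against package state and the hashes and network indicators published in the report.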

Other groups eventually used it, and its source code has been available on GitHub for more than six years. Trochilus has been seen in campaigns that also used a separate piece of malware known as RedLeaves.

In June, researchers from the security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. Searching VirusTotal for the filename, libmonitor.so.2, the researchers found an executable Linux file named “mkmon”. This executable contained credentials that could be used to decrypt the libmonitor.so.2 file and restore its original payload, leading the researchers to conclude that “mkmon” is an installer file that delivered and decrypted libmonitor.so.2.

The Linux malware ported several features found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation. The Trend Micro researchers eventually named their discovery SprySOCKS, where “spry” denotes its fast behavior and the added SOCKS component.

SprySOCKS implements the usual backdoor functions, including collecting system information, opening an interactive remote shell for managing compromised systems, listing network connections, and creating a proxy based on the SOCKS protocol for transferring files and other data between the compromised system and the attacker-controlled command server. The following table shows some of the features:

Message ID    Notes
0x09          Gets machine information
0x0a          Starts interactive shell
0x0b          Writes data to interactive shell
0x0d          Stops interactive shell
0x0e          Shows network connections (parameters: “ip”, “port”, “commName”, “connectType”)
0x0f          Sends packet (parameter: “target”)
0x14, 0x19    Sends initialization packet
0x16          Generates and sets clientid
0x17          Shows network connections (parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”, “listen_port”)
0x23          Creates SOCKS proxy
0x24          Terminates the SOCKS proxy
0x25          Forwards SOCKS proxy data
0x2a          Uploads file (parameters: “transfer_id”, “size”)
0x2b          Gets file transfer id
0x2c          Downloads file (parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size”)
0x2d          Gets transfer status (parameters: “state”, “transferId”, “result”, “packageId”)
0x3c          Lists files in root /
0x3d          Lists files in folder
0x3e          Deletes file
0x3f          Creates folder
0x40          Renames file
0x41          No operation
0x42          Is related to operations 0x3c – 0x40 (srcPath, destPath)

After decrypting the binary and finding SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search turned up a version of the malware with release number 1.1. The version Trend Micro found was 1.3.6. The many versions suggest that the backdoor is currently under development.

The command and control server that SprySOCKS connects to has strong similarities to a server that was used in a campaign with another piece of Windows malware known as RedLeaves. Like SprySOCKS, RedLeaves was also based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component that was added to SprySOCKS. The SOCKS code is borrowed from HP-Socket, a high-performance networking framework of Chinese origin.

Trend Micro attributes SprySOCKS to a threat actor it has dubbed Earth Lusca. The researchers discovered the group in 2021 and documented it the following year. Earth Lusca targets organizations worldwide, primarily governments in Asia. It uses social engineering to lure targets to watering hole websites where they are infected with malware. Besides showing an interest in espionage activities, Earth Lusca seems financially motivated, with a focus on gambling and cryptocurrency businesses.

The same Earth Lusca server that hosted SprySOCKS also provided the payloads known as Cobalt Strike and Winnti. Cobalt Strike is a hacking tool used by security professionals and threat actors alike. It provides a complete suite of tools for finding and exploiting vulnerabilities. Earth Lusca used it to expand its access after gaining an initial foothold in a targeted environment. Winnti, meanwhile, is both the name of a suite of malware that has been in use for more than a decade and the identifier for a host of distinct threat groups, all linked to the Chinese government’s intelligence apparatus, which has been among the world’s most prolific hacking syndicates.

Monday’s Trend Micro report provides IP addresses, file hashes and other evidence that people can use to determine if they’ve been compromised.
