
New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm


Sep 05, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of a dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at the Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to have been active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It is assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file, which includes the various parameters needed to fulfill its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server in a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That having been said, not much is known about how the malware is distributed or whether it has been used to target other entities across the world.

"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."
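The two concrete indicators this article gives a defender are the "KTLV" configuration marker and the list of utility names the backdoor masquerades as when dropped as a .so or .dll. The following triage script, added here as an illustration and not code from Trend Micro or from the malware itself, applies both indicators to a set of files and ranks the hits: a library whose name impersonates one of the listed utilities and that also carries the marker bytes scores higher than a file matching only one. The article does not describe the layout of the KTLV configuration, so the script searches only for the literal marker bytes and makes no attempt to parse what follows them; the sample file set is constructed for the demonstration and the paths and contents are not real samples.

```python
"""Triage helper for the two file-level indicators named in the KTLVdoor report.

Hypothetical example code, not Trend Micro's tooling. The KTLV configuration
format is not described on the page, so only the literal marker bytes are
checked; treat the output as a lead for manual review, not a verdict.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Utility names the article says KTLVdoor masquerades as.
IMPERSONATED_NAMES = {"sshd", "java", "sqlite", "bash", "edr-agent"}
# The configuration marker named in the report (literal bytes only).
KTLV_MARKER = b"KTLV"
# The two delivery forms the article names: shared object or DLL.
LIBRARY_SUFFIXES = (".so", ".dll")


@dataclass(frozen=True)
class Finding:
    name: str
    reasons: Tuple[str, ...]

    @property
    def severity(self) -> str:
        # Both indicators together are a much stronger signal than either alone.
        return "high" if len(self.reasons) == 2 else "low"


def library_stem(name: str) -> Optional[str]:
    """Return the lower-cased base name without its .so/.dll suffix, or None if
    the file is not a shared object / DLL. A leading 'lib' and a trailing
    '.so.N' version tail are stripped, so 'libsqlite.so.0' becomes 'sqlite'."""
    base = os.path.basename(name).lower()
    for suffix in LIBRARY_SUFFIXES:
        idx = base.find(suffix)
        end = idx + len(suffix)
        if idx > 0 and (end == len(base) or base[end] == "."):
            stem = base[:idx]
            return stem[3:] if stem.startswith("lib") else stem
    return None


def inspect_file(name: str, data: bytes) -> Optional[Finding]:
    """Apply both article-derived indicators to one file's name and contents."""
    stem = library_stem(name)
    if stem is None:
        return None  # only .so / .dll files are in scope for this triage
    reasons = []
    if stem in IMPERSONATED_NAMES:
        reasons.append(f"name impersonates utility '{stem}'")
    if KTLV_MARKER in data:
        reasons.append("contains KTLV configuration marker")
    if not reasons:
        return None
    return Finding(name, tuple(reasons))


def triage_files(files: Dict[str, bytes]) -> List[Finding]:
    """Run inspect_file over an in-memory {path: contents} map, high severity first."""
    findings = [f for f in (inspect_file(n, d) for n, d in files.items()) if f]
    findings.sort(key=lambda f: (f.severity != "high", f.name))
    return findings


def triage_directory(root: str) -> List[Finding]:
    """Walk a directory tree and triage every .so / .dll found in it."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if library_stem(n) is None:
                continue
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return triage_files(files)


# Constructed sample set (not real malware): covers each indicator combination.
SAMPLE_FILES = {
    "/opt/agent/edr-agent.so": b"\x7fELF" + b"\x00" * 16 + b"KTLV" + b"\x00" * 8,
    "/usr/lib/libsqlite.so.0": b"\x7fELF" + b"\x00" * 32,
    "/tmp/updater.dll": b"MZ" + b"\x00" * 24 + b"KTLV\x01\x02",
    "/home/user/notes.txt": b"KTLV mentioned in a report",
}

if __name__ == "__main__":
    for finding in triage_files(SAMPLE_FILES):
        print(f"[{finding.severity}] {finding.name}: {'; '.join(finding.reasons)}")
```

On the constructed set the script ranks `edr-agent.so` highest (impersonated name plus marker), then the two single-indicator hits, and ignores the text file even though it contains the marker string, because only .so and .dll files are in scope. The name check alone is weak (legitimate `libsqlite` and `sshd` files are everywhere), which is why the scoring only treats a file as high severity when both indicators coincide.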
