Chinese hackers have unleashed an unprecedented Linux backdoor | Albiseyler


Researchers have discovered a never-before-seen Linux backdoor used by a threat actor linked to the Chinese government.

The new backdoor is derived from a Windows backdoor called Trochilus, first seen in 2015 by researchers at Arbor Networks, now known as Netscout. They said Trochilus started and ran only in memory, and in most cases the final payload never appeared on disk, which made the malware difficult to detect. Researchers at NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.

Other groups eventually adopted it, and its source code has been available on GitHub for more than six years. Trochilus was observed in campaigns that also used a separate piece of malware known as RedLeaves.

In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they have been monitoring since 2021. Searching VirusTotal for the file name libmonitor.so.2, the researchers found a Linux executable called "mkmon". This executable contained the credentials needed to decrypt the libmonitor.so.2 file and restore its original contents, leading the researchers to conclude that "mkmon" was the installer that delivered and decrypted libmonitor.so.2.

The Linux malware ported several features found in Trochilus and combined them with a new implementation of Socket Secure (SOCKS). Trend Micro researchers named their discovery SprySOCKS, with "spry" referring to its fast behavior and "SOCKS" to the added proxy component.

SprySOCKS implements the usual backdoor functions, including gathering system information, opening an interactive remote shell to control compromised systems, listing network connections, and creating a SOCKS-based proxy for relaying files and other data between the compromised system and an attacker-controlled command-and-control server. The following table shows some of the features:

Message ID   Comment
0x09         Gets information about the machine
0x0a         Starts an interactive shell
0x0b         Writes data to the interactive shell
0x0d         Stops the interactive shell
0x0e         Lists network connections (parameters: "ip", "port", "commName", "connectType")
0x0f         Sends a packet (parameter: "target")
0x14, 0x19   Sends an initialization packet
0x16         Generates and sets the clientid
0x17         Lists network connections (parameters: "tcp_port", "udp_port", "http_port", "listen_type", "listen_port")
0x23         Creates a SOCKS proxy
0x24         Terminates the SOCKS proxy
0x25         Passes SOCKS proxy data
0x2a         Uploads a file (parameters: "transfer id", "size")
0x2b         Gets the ID of the file transfer
0x2c         Downloads a file (parameters: "state", "transferId", "packageId", "packageCount", "file_size")
0x2d         Gets the state of the transfer (parameters: "state", "transferId", "result", "packageId")
0x3c         Lists the files in the root directory /
0x3d         Lists the files in a directory
0x3e         Deletes a file
0x3f         Creates a directory
0x40         Renames a file
0x41         No operation
0x42         Related to operations 0x3c to 0x40 (parameters: "srcPath", "destPath")
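The SOCKS proxy feature (messages 0x23 to 0x25) is what turns a compromised host into a relay the operator can route other traffic through. The following is an added example, not code from the original article or from Trend Micro's analysis: it encodes and parses the standard SOCKS5 (RFC 1928) greeting and CONNECT exchange, and includes a small first-bytes heuristic a network sensor can use to flag a host that has started answering as a SOCKS5 server. SprySOCKS's own wire format for these messages is not described on this page, so the code assumes the standard protocol only; the host and port in the demo are placeholders.

```python
"""SOCKS5 (RFC 1928) greeting / CONNECT encoding, parsing and a listener heuristic.
Added example: standard SOCKS5 only, not SprySOCKS's internal message format."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS... : the first bytes a SOCKS5 client sends."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_method_choice(method=NO_AUTH) -> bytes:
    """VER | METHOD : the server's answer to the greeting."""
    return bytes([SOCKS_VERSION, method])


def _encode_addr(host: str) -> bytes:
    """ATYP + address bytes for an IPv4, IPv6 or domain-name target."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT : ask the proxy to open a TCP connection."""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def server_reply(rep=REP_SUCCEEDED, bind_host="0.0.0.0", bind_port=0) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT : the proxy's answer to a request."""
    return bytes([SOCKS_VERSION, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def parse_greeting(data: bytes) -> list:
    """Return the offered auth methods; raise ValueError unless this is one complete greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if n == 0 or len(data) != 2 + n:
        raise ValueError("bad NMETHODS / length")
    return list(data[2:])


def parse_request(data: bytes) -> tuple:
    """Return (cmd, host, port) from a client request; raise ValueError on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:addr_end]))  # raises on short input
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated domain length")
        addr_end = 5 + data[4]
        host = data[5:addr_end].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) != addr_end + 2:
        raise ValueError("bad request length")
    port = struct.unpack("!H", data[addr_end:addr_end + 2])[0]
    return cmd, host, port


def looks_like_socks5_greeting(first_bytes: bytes) -> bool:
    """Sensor heuristic for the first client bytes of a new TCP connection.
    0xFF means 'no acceptable methods' and is only valid in a server reply."""
    try:
        return NO_ACCEPTABLE not in parse_greeting(first_bytes)
    except ValueError:
        return False


def demo_exchange(host="example.com", port=443):
    """Both sides of a CONNECT exchange, in the order a sensor would see them (placeholder target)."""
    c1 = client_greeting()
    s1 = server_method_choice(parse_greeting(c1)[0])
    c2 = connect_request(host, port)
    parsed = parse_request(c2)
    s2 = server_reply()
    return [("client", c1), ("server", s1), ("client", c2), ("server", s2)], parsed


if __name__ == "__main__":
    for side, msg in demo_exchange()[0]:
        print(f"{side:6s} {msg.hex()}")
```

On a sensor, apply the heuristic only to the first client bytes of a connection to a host that is not a known proxy; a previously ordinary server suddenly completing this exchange is the behavior the 0x23 command produces.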

After decrypting the binary and identifying SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search turned up a version of the malware with a version number of 1.1; the version Trend Micro found was 1.3.6. The existence of multiple versions suggests the backdoor is still under active development.

The command-and-control server that SprySOCKS connects to has strong similarities to the server used in another Windows malware campaign known as RedLeaves. Like SprySOCKS, RedLeaves was also based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component that was added to SprySOCKS. The SOCKS code was borrowed from HP-Socket, a high-performance network framework of Chinese origin.

Trend Micro attributes SprySOCKS to a threat actor it calls Earth Lusca. Its researchers first identified the group in 2021 and documented it the following year. Earth Lusca targets organizations worldwide, primarily government organizations in Asia. It uses social engineering to lure targets to landing pages where they are infected with malware. In addition to espionage, Earth Lusca appears to be financially motivated, with an emphasis on gambling and cryptocurrency companies.

The same Earth Lusca server that hosted SprySOCKS also delivered payloads known as Cobalt Strike and Winnti. Cobalt Strike is a hacking tool used by security professionals and threat actors alike; it provides a complete set of tools for finding and exploiting vulnerabilities. Earth Lusca used it to extend its reach after gaining a foothold in a targeted environment. Winnti, meanwhile, is both the name of a malware suite that has been in use for more than a decade and the identifier of a number of distinct threat groups, all linked to the Chinese government's intelligence apparatus and among the world's most prolific hacking syndicates.

Monday's Trend Micro report provides IP addresses, file hashes, and other indicators that defenders can use to determine whether they have been compromised.
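The report's indicators are file hashes and network addresses, but two details above also shape a host-side hunt: Trochilus's payload ran only in memory and rarely touched disk, and SprySOCKS was dropped as a shared object named libmonitor.so.2 by an installer named mkmon. The following is an added example, not code from the original article or from Trend Micro's report: it hashes files under a directory against an IOC hash set, flags the two published file names, and parses /proc/<pid>/maps text for executable mappings that are backed by memfd, by a deleted file, or by anonymous writable memory. The hash set, the sample maps lines and the demo files are constructed for the example; the hashes to use in practice are the ones published in the report.

```python
"""Host hunt helpers: hash files against IOCs, flag known names, inspect /proc/<pid>/maps.
Added example: the IOC hashes, maps text and demo files below are constructed, not from the report."""
import hashlib
import os
import re
import tempfile

# File names from the Trend Micro analysis; hashes must be taken from the report itself.
IOC_NAMES = {"libmonitor.so.2", "mkmon"}

# Constructed /proc/<pid>/maps sample (not real data) covering the cases the scanner flags.
SAMPLE_MAPS = """\
55d2c3a00000-55d2c3a21000 r-xp 00000000 fd:01 1310722    /usr/bin/sshd
7f1a3c000000-7f1a3c021000 r-xp 00000000 00:05 4201       /memfd:payload (deleted)
7f1a3d000000-7f1a3d100000 rwxp 00000000 00:00 0
7f1a3e000000-7f1a3e0a0000 r-xp 00000000 fd:01 2621441    /tmp/.x/libmonitor.so.2 (deleted)
7f1a3f000000-7f1a3f1c0000 r-xp 00000000 fd:01 1048577    /usr/lib/x86_64-linux-gnu/libc.so.6
"""

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text: str) -> list:
    """Executable mappings a healthy process should not have: memfd-backed code,
    code whose backing file has been unlinked, and writable+executable anonymous memory."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m["perms"]:
            continue
        path = m["path"].strip()
        if path.startswith("/memfd:"):
            findings.append(("memfd-exec", path))
        elif path.endswith("(deleted)"):
            findings.append(("deleted-exec", path))
        elif path == "" and "w" in m["perms"]:
            findings.append(("anon-rwx", f"{m['start']}-{m['end']}"))
    return findings


def scan_all_processes() -> dict:
    """Run suspicious_mappings over every readable /proc/<pid>/maps (root needed for other users' processes)."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as f:
                hits = suspicious_mappings(f.read())
        except OSError:
            continue
        if hits:
            results[int(pid)] = hits
    return results


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_files(root: str, ioc_hashes: set, ioc_names: set = IOC_NAMES) -> list:
    """Walk root; report files whose name or SHA-256 matches an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name in ioc_names:
                hits.append(("name", path))
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits.append(("hash", path))
    return sorted(hits)


def run_demo() -> list:
    """Build a throwaway tree with a file named like the installer and one matching a demo hash."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "opt", "x"))
        with open(os.path.join(root, "opt", "x", "mkmon"), "wb") as f:
            f.write(b"\x7fELF demo installer placeholder")  # constructed content
        blob = os.path.join(root, "opt", "x", "update.bin")
        with open(blob, "wb") as f:
            f.write(b"constructed encrypted blob")
        demo_hashes = {sha256_file(blob)}  # stands in for the report's published hashes
        return [(kind, os.path.relpath(p, root).replace(os.sep, "/"))
                for kind, p in hunt_files(root, demo_hashes)]


if __name__ == "__main__":
    for finding in suspicious_mappings(SAMPLE_MAPS):
        print("maps:", *finding)
    for finding in run_demo():
        print("file:", *finding)
```

Name matches are weak on their own (the operator can rename the files), and hash matches only catch the exact samples the report covers; the maps check is what catches a payload that, like Trochilus, never lands on disk in the first place.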
