Chinese hackers have unleashed an unprecedented Linux backdoor | Albiseyler

Chinese hackers have unleashed an unprecedented Linux backdoor

Researchers have discovered a never-before-seen Linux backdoor used by a threat linked to the Chinese government.

The new backdoor comes from a Windows backdoor called Trochilus, which was seen for the first time in 2015 by researchers at Arbor Networks, now known as Netscout. They said that Trochilus started and ran only in memory and the final payload never appeared on the disks in most cases. This made it difficult to detect malware. Researchers at NHS Digital in the UK he said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.

Other groups ended up using it and its source code did were available on GitHub for over six years. Trochilus was seen to be used in campaigns that used a separate piece of malware known as RedLeaves.

In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they’ve been monitoring since 2021. Searching for the file name on VirusTotal, the researchers found a Linux executable called “mkmon “. This executable contained credentials that could be used to decrypt the file and restore its original contents, leading the researchers to conclude that “mkmon” was the installer that delivered and decrypted

The Linux malware ported several features found in Trochilus and combined them with a new implementation of Socket Secure (SOCKS). Trend Micro researchers eventually named their discovery SprySOCKS, with the “spry” referring to its fast behavior and the added SOCKS component.

SprySOCKS implements the usual backdoor functions, including gathering system information, opening an interactive remote shell to control compromised systems, listing network connections, and creating a SOCKS-based proxy for uploading files and other data between the compromised system and an attacker-controlled command server. The following table shows some of the features:

Message ID Comment
0x09 Gets information about the machine
0x0a Starts an interactive shell
0x0b Writes data to an interactive shell
0x0d Stops the interactive shell
0x0e Lists network connections (parameters: “ip”, “port”, “commName”, “connectType”)
0x0f Sends a packet (parameter: “target”)
0x14, 0x19 Sends an initialization packet
0x16 Generates and sets the clientid
0x17 Lists network connections (parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”, “listen_port”)
0x23 Creates a SOCKS proxy
0x24 Terminates the SOCKS proxy
0x25 Passes SOCKS proxy data
0x2a Uploads a file (parameters: “transfer id”, “size”)
0x2b Gets the ID of the file transfer
0x2c Download file (parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size”)
0x2d Gets the state of the transfer (parameters: “state”, “transferId”, “result”, “packageId”)
0x3c Lists the files in the root /
0x3d Lists the files in a directory
0x3e Deletes the file
0x3f Creates a directory
0x40 Renames the file
0x41 No surgery
0x42 Related to operations 0x3c – 0x40 (srcPath, destPath)

After decrypting the binary and finding SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search turned up a version of the malware with a release number of 1.1. Trend Micro version found was 1.3.6. Multiple versions suggest that a backdoor is currently in development.

The command and control server that SprySOCKS connects to has strong similarities to the server that was used in another Windows malware campaign known as RedLeaves. Like SprySOCKS, RedLeaves was also based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component that was added to SprySOCKS. The SOCKS code was borrowed from HP-Socketa high-performance network framework of Chinese origin.

Trend Micro attributes SprySOCKS to a threat actor it calls Earth Lusca. Scientists discovered the group in 2021 and documented the following year. Earth Lusca targets organizations worldwide, primarily in governments in Asia. It uses social engineering to lure targets to landing pages where the targets are infected with malware. In addition to showing an interest in espionage activities, Earth Lusca appears to be financially motivated, with an emphasis on gambling and cryptocurrency companies.

The same Earth Lusca server that hosted SprySOCKS also delivered payloads known as Cobalt Strike and Winnti. Cobalt Strike is a hacking tool used by security professionals and threat actors alike. It provides a complete set of tools for finding and exploiting vulnerabilities. The country of Lusca used it to extend its reach after entering a targeted environment. Winnti, meanwhile, is both the name of a malware suite that has been in use for more than a decade and the identifier of a number of different threat groups, all linked to the Chinese government’s intelligence apparatus and among the world’s most prolific hacking syndicates.

Monday’s Trend Micro report provides IP addresses, file hashes and other evidence that people can use to determine if they’ve been compromised.

Leave a Reply

Your email address will not be published. Required fields are marked *