New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm

Sep 05, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and is therefore a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

“KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning,” Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of a dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at the Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to have been active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It is assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group’s malware arsenal, is highly obfuscated and gets its name from the use of a marker called “KTLV” in its configuration file, which includes the various parameters necessary to fulfill its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server in a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That having been said, not much is known about how the malware is distributed or whether it has been used to target other entities around the world.

“This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors,” the researchers noted. “Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling.”