In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023. While monitoring the group, we managed to obtain an interesting encrypted file hosted on the threat actor’s delivery server. We were able to find the original loader of the file on VirusTotal and successfully decrypted it. Interestingly, the decrypted payload is a Linux-targeted backdoor that we had never seen before. The main execution routine and its strings show that it originates from the open-source Windows backdoor Trochilus, with several functions re-implemented for Linux systems.

We named this new Linux variant SprySOCKS, referring to the swift behaviors of Trochilus and the new Socket Secure (SOCKS) implementation inside the backdoor. Analysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired by the Linux variant of the Derusbi malware. Meanwhile, the structure of SprySOCKS’s command-and-control (C&C) protocol is similar to the one used by the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines. It consists of two components, the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and running the main payload. Similar to the Windows version, the Linux variant analyzed in this report also consists of these two components. Previously, it was reported that RedLeaves was also built upon the publicly available source code of Trochilus. So far, we have only observed SprySOCKS used by Earth Lusca. In this blog entry, we will provide more context on Earth Lusca’s use of the malware, together with a thorough analysis of its components and capabilities.

Recent Earth Lusca activity

Earth Lusca remained active during the first half of 2023, with its attacks focusing primarily on countries in Southeast Asia, Central Asia, and the Balkans (with a few scattered attacks on Latin American and African countries). The group’s main targets are government departments that are involved in foreign affairs, technology, and telecommunications. Earth Lusca is now aggressively targeting the public-facing servers of its victims. Earth Lusca takes advantage of server vulnerabilities to infiltrate its victims’ networks, after which it will deploy a web shell and install Cobalt Strike for lateral movement. Furthermore, we have seen the group frequently exploiting server-based N-day vulnerabilities, including (but not limited to) the following:

The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets.

The “mandibule” loader component

At the beginning of our investigation, we observed a file named libmonitor.so.2 hosted on Earth Lusca’s delivery server. Without previous context, this seemed to be a binary file containing only random bytes, indicating that it is likely an encrypted payload. We used the unique file name to perform a search on VirusTotal that allowed us to identify a related ELF file (SHA256: 65b27e84d9f22b41949e42e8c0b1e4b88c75211cbf94d5fd66edc4ebe21b7359) named “mkmon”. The ELF file could be used to decrypt the libmonitor.so.2 file and recover its original payload, proving that “mkmon” is the loader bundled with libmonitor.so.2. The loader was not developed from scratch: its developer used a publicly available Linux ELF injector called “mandibule” (the French word for mandible, or lower jaw). The original ELF injector project is a command-line tool with the ability to inject a payload into itself (self-injection) or into another process. As a typical command-line tool, it prints usage text that lists the supported parameters. The original injector also prints various debug messages to inform the user about the progress of the injection. The threat actor used the mandibule project as a basis for its malware loader. The project’s creator removed the usage screen and the ability to inject into other processes, and then added a function to load and decrypt the second stage.
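An added triage check, not from the original report, for the observation above that libmonitor.so.2 looked like a file of random bytes: Shannon entropy separates a native ELF such as mkmon (recognised by its magic bytes) from an opaque, near-uniform blob that is probably encrypted or compressed. The sample bytes below are constructed, and the 7.5-bit cut-off is an assumed threshold, not a figure from the report.

```python
import hashlib
import math
from collections import Counter

ELF_MAGIC = b"\x7fELF"
HIGH_ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed triage cut-off, not from the report


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> str:
    """Coarse first look at a file pulled from a delivery server.

    'elf'    : starts with the ELF magic, so it is a native binary (like mkmon)
    'opaque' : near-uniform byte distribution, likely encrypted or compressed
               (like libmonitor.so.2, which did not look like a real .so)
    'plain'  : anything else (text or structured data with low entropy)
    """
    if data.startswith(ELF_MAGIC):
        return "elf"
    if len(data) >= 256 and shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
        return "opaque"
    return "plain"


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted payload: chained SHA-256 output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples standing in for the files discussed above (not real artifacts).
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 509      # header-like ELF stub
SAMPLE_BLOB = pseudo_random_bytes(8192)                        # encrypted-looking payload
SAMPLE_TEXT = b"usage: injector <pid> <payload>\n" * 32        # low-entropy usage text

if __name__ == "__main__":
    for name, blob in [("mkmon", SAMPLE_ELF), ("libmonitor.so.2", SAMPLE_BLOB), ("usage.txt", SAMPLE_TEXT)]:
        print(f"{name:16s} entropy={shannon_entropy(blob):.2f} -> {triage(blob)}")
```

Compressed archives also score close to 8 bits per byte, so treat "opaque" as a prompt to look for a companion loader, as the researchers did with mkmon, rather than as proof of encryption.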