Earth Lusca Using Multiplatform Backdoor to Attack Windows & Linux Machines

Earth Lusca is a suspected China-based cyber espionage group active since at least April 2019.

Besides this, hackers often target Windows and Linux machines primarily due to their widespread use and potential for financial gain.

Trend Micro security experts recently uncovered a sophisticated new Golang-based backdoor named “KTLVdoor,” deployed by the Chinese threat actor Earth Lusca. 

This highly obfuscated, multiplatform malware family infects Windows and Linux systems, often disguising itself as standard system utilities to evade detection. 

Earth Lusca Using Multiplatform Backdoor

KTLVdoor provides threat actors with extensive remote control capabilities, such as executing commands, file manipulation, information gathering, proxy usage, and port scanning. 

The operation is large in scale, with over 50 command-and-control servers hosted on Alibaba’s infrastructure in China, communicating with several malware variants. 

Though it’s primarily tied to Earth Lusca, the shared infrastructure also suggests the potential involvement of other Chinese threat groups.

This campaign’s samples are heavily obfuscated, reinserting random base64-like encoded strings and function names in embedded strings.

The agent’s settings are hidden and contain XOR-encoded agent configuration parameters. Base64 features a proprietary form resembling a TLV-like format.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Trend Micro said that the configuration is implemented by restoring the internal structure corresponding to the machine and keeping the addresses of C&C servers encrypted in AES-GCM-encrypted values.

After the start-up, the agent communicates with the C&C server through GZIP-compressed and AES-GCM-encrypted messages.

Besides this, the PortScan implements the following scanning methods:-

• ScanTCP
• ScanRDP
• ScanWinRM
• ScanSmb2
• RdpWithNTLM
• DialTLS
• DialTCP
• ScanPing
• ScanPing
• ScanMssql
• ScanBanner
• ScanWeb

Communication can be unidirectional or bidirectional, consisting of a header and message data.

The agent has been assigned task-processing handlers for the threat actor Earth Lusca; however, the campaign details are unknown.

The atypical infrastructure with all C&C servers on Alibaba’s IP addresses suggests that this is the current environment of Earth Lusca or some other Chinese-speaking threat actors arming themselves and playing around with the new tools that have yet to be released.

Cybersecurity researchers urged that it remains important to ensure the ongoing monitoring of this activity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!