Earth Lusca is a suspected China-based cyber espionage group active since at least April 2019.
Besides this, hackers often target Windows and Linux machines primarily due to their widespread use and potential for financial gain.
Trend Micro security experts recently uncovered a sophisticated new Golang-based backdoor named “KTLVdoor,” deployed by the Chinese threat actor Earth Lusca.
This highly obfuscated, multiplatform malware family infects Windows and Linux systems, often disguising itself as standard system utilities to evade detection.
KTLVdoor provides threat actors with extensive remote control capabilities, such as executing commands, file manipulation, information gathering, proxy usage, and port scanning.
The operation is large in scale, with over 50 command-and-control servers hosted on Alibaba’s infrastructure in China, communicating with several malware variants.
Though it’s primarily tied to Earth Lusca, the shared infrastructure also suggests the potential involvement of other Chinese threat groups.
This campaign’s samples are heavily obfuscated, reinserting random base64-like encoded strings and function names in embedded strings.
The agent’s settings are hidden and contain XOR-encoded agent configuration parameters. Base64 features a proprietary form resembling a TLV-like format.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
Trend Micro said that the configuration is implemented by restoring the internal structure corresponding to the machine and keeping the addresses of C&C servers encrypted in AES-GCM-encrypted values.
After the start-up, the agent communicates with the C&C server through GZIP-compressed and AES-GCM-encrypted messages.
Besides this, the PortScan implements the following scanning methods:-
Communication can be unidirectional or bidirectional, consisting of a header and message data.
The agent has been assigned task-processing handlers for the threat actor Earth Lusca; however, the campaign details are unknown.
The atypical infrastructure with all C&C servers on Alibaba’s IP addresses suggests that this is the current environment of Earth Lusca or some other Chinese-speaking threat actors arming themselves and playing around with the new tools that have yet to be released.
Cybersecurity researchers urged that it remains important to ensure the ongoing monitoring of this activity.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
A significant leak of internal chat logs from the Black Basta ransomware group has provided…
Security researchers at Socket have uncovered a sophisticated malware campaign targeting the Go ecosystem. The…
A sophisticated malware campaign has been uncovered, exploiting the growing popularity of Windows Packet Divert…
A recent physical penetration test conducted by cybersecurity firm Hackmosphere, revealed critical security flaws in…
A newly discovered malicious campaign dubbed "Desert Dexter" has infected approximately 900 victims across multiple…
Security researchers have disclosed critical Insecure Direct Object Reference (IDOR) vulnerabilities in ZITADEL’s administration interface that expose…