Saturday, July 13, 2024
EHA

Hackers Deployed never-before-seen Linux Malware Attacking Government Entities

Recent reports indicate that threat actors have been using a new type of Linux-targeted backdoor that has never been seen before. This new backdoor has been named SprySOCKS, which uses the strings of Trochilus (Windows backdoor) and the new Socket Secure (SOCKS).

However, this threat vector is carried out by the Earth Lusca threat group. This China-linked attacking group targeted several government departments of foreign affairs, technology, and telecommunications in many countries, including Latin American and African countries.

This threat group has now been found to be targeting the public-facing servers of its victims and exploiting server-based N-day vulnerabilities as part of their operation. 

New Linux Malware

On further analyzing the new backdoor, it was discovered that the encrypted file that was found also included some activities of the Derusbi malware as it implemented an interactive Linux shell. 

The command and control structure of the protocol was found to be inspired by the  RedLeaves backdoor, a remote access trojan (RAT). Moreover, two different payloads were detected consisting of different version numbers, indicating that the malware is still under development.

According to a report shared with Cyber Security News, Earth Lusca is using server vulnerabilities to break into the victim’s network and deploy a web shell. Once inside the network, they install a Cobalt Strike for lateral movement. 

Furthermore, the threat group steals documents and email account credentials in order to further deploy advanced backdoors like ShadowPad and Winnti (Linux version) for persistent access into the affected systems.

Document
Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Vulnerabilities exploited by Earth Lusca

Earth Lusca leverages several critical and high vulnerabilities relating to an authentication bypass (CVE-2022-40684) and remote code execution (CVE-2022-39952, CVE-2021-22205, CVE-2019-18935, CVE-2019-9670 and CVE-2019-9621).

In addition, a set of three chained vulnerabilities can be combined together for performing a remote code execution. However, products affected by these vulnerabilities include Fortinet (FortiOS, FortiNAC, FortiProxy, and FortiSwitchManager), Zimbra Collaboration Suite, ASP.NET AJAX, GitLab, and Microsoft Exchange.

Trend Micro has published a complete report, which provides detailed information about the exploitation methods, payload components, and Attribution. 

Indicators of Compromise

Modified Mandibule Loader
65B27E84D9F22B41949E42E8C0B1E4B88C75211CBF94D5FD66EDC4EBE21B7359
Encrypted SprySOCKS payload (libmonitor.so.2)
6F84B54C81D29CB6FF52CE66426B180AD0A3B907E2EF1117A30E95F2DC9959FC
SprySOCKS (Decrypted)
F8BA9179D8F34E2643EE4F8BC51C8AF046E3762508A005A2D961154F639B2912
EEBD75AE0CB2B52B71890F84E92405AC30407C7A3FE37334C272FD2AB03DFF58
Delivery Server
207[.]148.75.122
SprySOCKS C&C server
lt76ux.confenos.shop
2e6veme8xs.bmssystemg188.us

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Website

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles