Hackers Deployed never-before-seen Linux Malware Attacking Government Entities

Recent reports indicate that threat actors have been using a new type of Linux-targeted backdoor that has never been seen before. This new backdoor has been named SprySOCKS, which uses the strings of Trochilus (Windows backdoor) and the new Socket Secure (SOCKS).

However, this threat vector is carried out by the Earth Lusca threat group. This China-linked attacking group targeted several government departments of foreign affairs, technology, and telecommunications in many countries, including Latin American and African countries.

This threat group has now been found to be targeting the public-facing servers of its victims and exploiting server-based N-day vulnerabilities as part of their operation. 

New Linux Malware

On further analyzing the new backdoor, it was discovered that the encrypted file that was found also included some activities of the Derusbi malware as it implemented an interactive Linux shell. 

The command and control structure of the protocol was found to be inspired by the  RedLeaves backdoor, a remote access trojan (RAT). Moreover, two different payloads were detected consisting of different version numbers, indicating that the malware is still under development.

According to a report shared with Cyber Security News, Earth Lusca is using server vulnerabilities to break into the victim’s network and deploy a web shell. Once inside the network, they install a Cobalt Strike for lateral movement. 

Furthermore, the threat group steals documents and email account credentials in order to further deploy advanced backdoors like ShadowPad and Winnti (Linux version) for persistent access into the affected systems.

Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Vulnerabilities exploited by Earth Lusca

Earth Lusca leverages several critical and high vulnerabilities relating to an authentication bypass (CVE-2022-40684) and remote code execution (CVE-2022-39952, CVE-2021-22205, CVE-2019-18935, CVE-2019-9670 and CVE-2019-9621).

In addition, a set of three chained vulnerabilities can be combined together for performing a remote code execution. However, products affected by these vulnerabilities include Fortinet (FortiOS, FortiNAC, FortiProxy, and FortiSwitchManager), Zimbra Collaboration Suite, ASP.NET AJAX, GitLab, and Microsoft Exchange.

Trend Micro has published a complete report, which provides detailed information about the exploitation methods, payload components, and Attribution. 

Indicators of Compromise

Modified Mandibule Loader
Encrypted SprySOCKS payload (libmonitor.so.2)
SprySOCKS (Decrypted)
Delivery Server
SprySOCKS C&C server

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT group and their ongoing RustBucket campaign.  As…

1 hour ago

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision of the .NET framework, the Serpent…

2 hours ago

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit operations on social media platforms. These…

4 hours ago

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been released, and it includes the advanced…

9 hours ago

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware. Trickbot, a suite of malware tools,…

11 hours ago

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's- DNS IP address allocation This organization manages…

15 hours ago