Security News > 2023 > September > New SprySOCKS Linux malware used in cyber espionage attacks
A Chinese espionage-focused hacker tracked as 'Earth Lusca' was observed targeting government agencies in multiple countries, using a new Linux backdoor dubbed 'SprySOCKS.'.
Trend Micro's analysis of the novel backdoor showed that it originates from the Trochilus open-source Windows malware, with many of its functions ported to work on Linux systems.
The malware appears to be a mixture of multiple malware as the SprySOCKS' command and control server communication protocol is similar to RedLeaves, a Windows backdoor.
In contrast, the implementation of the interactive shell appears to have been derived from Derusbi, a Linux malware.
This access is used to spread laterally on the network while exfiltrating files, stealing account credentials, and deploying additional payloads, like ShadowPad. The threat actors also use the Cobalt Strike beacons to drop the SprySOCKS loader, a variant of the Linux ELF injector called "Mandibule," which arrives on targeted machines in the form of a file named 'libmonitor.
Free Download Manager site redirected Linux users to malware for years.
News URL
Related news
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset (source)
- Chinese espionage tools deployed in RA World ransomware attack (source)
- Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign (source)
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems (source)
- Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations (source)
- Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems (source)
- China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation (source)
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)