Security News > 2023 > September > Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities

Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities
2023-09-19 11:10

The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America.

Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes.

The latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023.

"The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets," security researchers Joseph C. Chen and Jaromir Horejsi said.

The server used to deliver Cobalt Strike and Winnti has also been observed to host SprySOCKS, which has its roots in the open-source Windows backdoor Trochilus.

At least two different samples of SprySOCKS have been identified to date, suggesting that the malware is being continually modified by the attackers to add new features.


News URL

https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232