Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, in a report detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, and North America.
Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes.
The latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023.
"The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets," security researchers Joseph C. Chen and Jaromir Horejsi said.
The server used to deliver Cobalt Strike and Winnti has also been observed to host SprySOCKS, which has its roots in the open-source Windows backdoor Trochilus.
At least two different samples of SprySOCKS have been identified to date, suggesting that the malware is being continually modified by the attackers to add new features.
News URL
https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html
Related news
- Red Hat warns of backdoor in XZ tools used by most Linux distros
- Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)
- Malicious SSH backdoor sneaks into xz, Linux world's data compression library
- Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
- XZ Utils backdoor update: Which Linux distros are affected and what can you do?
- New XZ backdoor scanner detects implant in any Linux binary
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor
- Kimsuky hackers deploy new Linux backdoor via trojanized installers
- Kimsuky hackers deploy new Linux backdoor in attacks on South Korea
- Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks