Security News > 2023 > September > Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities

The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America.

Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes.

The latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023.

"The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets," security researchers Joseph C. Chen and Jaromir Horejsi said.

The server used to deliver Cobalt Strike and Winnti has also been observed to host SprySOCKS, which has its roots in the open-source Windows backdoor Trochilus.

At least two different samples of SprySOCKS have been identified to date, suggesting that the malware is being continually modified by the attackers to add new features.

News URL

https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html