
Researchers from Trend Micro have discovered a new Linux backdoor, which they have named SprySOCKS.
The new malware descends from Trochilus, a Windows backdoor from 2015 that executes and runs only in memory.
The threat actor believed to be behind Trochilus is tracked by many as APT10 (also known as Stone Panda and MenuPass). Other groups, such as Group 27, eventually used Trochilus as well, and its source code has been available on GitHub for more than six years.
Trochilus has been used in campaigns alongside a separate piece of malware known as RedLeaves, which first surfaced in 2016 and targeted Microsoft Internet Explorer.

Identifying the new malware
Trend Micro’s researchers initially identified an encrypted binary file on a server known to be used by a group they had been tracking since 2021.
By searching VirusTotal for the file name, libmonitor.so.2, the researchers located a Linux executable named mkmon that contained the credentials needed to decrypt libmonitor.so.2 and recover its original payload.
This led the Trend Micro researchers to conclude that mkmon is an installation file that delivered and decrypted libmonitor.so.2.
Trochilus DNA
The Linux malware ports several functions found in Trochilus and combines them with a new Socket Secure (SOCKS) implementation.
The Trend Micro researchers therefore named their discovery SprySOCKS, with “spry” denoting its swift behaviour and “SOCKS” the added proxy component.
SprySOCKS implements common backdoor capabilities, including collecting system information, opening an interactive remote shell, listing network connections, and creating a SOCKS-based proxy for relaying files and other data between the compromised system and the attacker-controlled command-and-control server.
Work in progress?
After decrypting the binary and finding SprySOCKS, the researchers used what they had learned to search VirusTotal for related files. Their search turned up version 1.1 of the malware.
The version Trend Micro found on the threat actor’s server was 1.3.6. The existence of multiple versions suggests that the backdoor is still being refined.
The command-and-control server that SprySOCKS connects to has strong similarities to a server used in a campaign that deployed the RedLeaves malware.
Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component added to SprySOCKS. The SOCKS code was borrowed from HP-Socket, a high-performance network framework of Chinese origin.
Earth Lusca
Trend Micro attributes SprySOCKS to a threat actor it has dubbed Earth Lusca, which it first identified in 2021.
Earth Lusca targets organisations across the globe and uses social engineering to lure victims to watering-hole sites, where they are infected with malware. The gang has also used Cobalt Strike in some attacks to expand its access once inside a victim’s network.
The gang’s main targets are government departments involved in foreign affairs, technology, and telecommunications.
Another piece of malware used by Earth Lusca is Winnti, which has been in use for more than a decade and also serves as the name for a host of distinct threat groups, all connected to the Chinese government.
Could Earth Lusca be an offshoot of APT10?