[clug] New Linux server exploit "SprySOCKS"

steve jenkin sjenkin at canb.auug.org.au
Wed Sep 20 22:44:18 UTC 2023

A reminder that “Linux doesn’t get malware” isn’t true.

Advanced Persistent Threats are targeting Linux servers, here’s a new one.

Read the list of targets in the last piece, not just large Orgs
  - if you’re a small or medium outfit, you’ll be targeted at some point.

Note the line:
	"to conduct long-term espionage activities against its targets.”

“long-term” is 5+ years, hence “Persistent” in APT.

If you’re not already on top of cyber-security & actively monitoring
and defending your systems & networks, now is a good time to act.


Linux Threat Report: 
	Earth Lusca Deploys Novel SprySOCKS Backdoor in Attacks on Government Entities
	19 Sep 2023

	The threat actor Earth Lusca, linked to Chinese state-sponsored hacking groups, 
	has been observed utilizing a new Linux backdoor dubbed SprySOCKS to target government organizations globally. 

	As initially reported in January 2022 by Trend Micro, 
	Earth Lusca has been active since at least 2021 conducting cyber espionage campaigns
	 against public and private sector targets in Asia, Australia, Europe, and North America. 

	Their tactics include spear-phishing and watering hole attacks to gain initial access.

	After breaching internet-facing systems by exploiting flaws in 
		Fortinet, GitLab, Microsoft Exchange, Telerik UI, and Zimbra software, 
	Earth Lusca uses web shells and Cobalt Strike to move laterally. 


Chinese hackers have unleashed a never-before-seen Linux backdoor
	SprySOCKS borrows from open source Windows malware and adds new tricks.
	19 Sep 2023


Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
	While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server 
	— a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, 
	which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
	18 Sep 2023

	Earth Lusca is now aggressively targeting the public-facing servers of its victims. 
	Furthermore, we have seen them frequently exploiting server-based N-day vulnerabilities, including (but not limited to) the following:

	[ Table 1 of CVE’s ] 

	Earth Lusca takes advantage of server vulnerabilities to infiltrate its victim’s networks, 
	after which it will deploy a web shell and install Cobalt Strike for lateral movement. 

	The group intends to exfiltrate documents and email account credentials, 
	as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti 
	to conduct long-term espionage activities against its targets.


Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
	Our technical brief provides an in-depth look at Earth Lusca’s activities, the tools it employs in attacks, and the infrastructure it uses.
	17 Jan 2022

	Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca t
	hat targets organizations globally via a campaign 
	that uses traditional social engineering techniques such as spear phishing and watering holes. 

	The group’s primary motivation seems to be cyberespionage: 
	the list of its victims includes high value targets such as 
		government and educational institutions, 
		religious movements, 
		pro-democracy and human rights organizations in Hong Kong, 
		Covid-19 research organizations, 
		and the media, 
		among others. 

	However, the threat actor also seems to be financially motivated, 
		as it also took aim at gambling and cryptocurrency companies.


Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

More information about the linux mailing list