China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign

Published: 23/11/2024   Category: security




SprySOCKS melds features from multiple previously known malware families and adds to the threat actor's growing malware arsenal, Trend Micro says.



Earth Lusca, a China-linked cyber espionage actor that has been actively targeting government organizations in Asia, Latin America, and other regions since at least 2021, has begun using a Linux backdoor with features that appear to be inspired by multiple previously known malware tools.
The malware, which researchers at Trend Micro discovered and are tracking as SprySOCKS, is first and foremost a Linux variant of Trochilus, a Windows remote access Trojan (RAT) whose code was leaked and became publicly available in 2017.
Trochilus has multiple functions, including allowing threat actors to remotely install and uninstall files, log keystrokes, capture screens, manage files, and edit the registry. One core feature of the malware is its ability to enable lateral movement. According to Trend Micro, SprySOCKS' main execution routine and strings show that it originated from Trochilus and had several of its functions reimplemented for Linux systems.
In addition, the Earth Lusca implementation of SprySOCKS' interactive shell suggests it was inspired by the Linux version of Derusbi, a continuously evolving family of RATs that advanced persistent threat actors have been using since 2008. Also, SprySOCKS' command-and-control (C2) infrastructure resembles one that threat actors associated with a second-stage RAT called RedLeaves have used in cyber espionage campaigns for more than five years, Trend Micro said.
Like other malware of its ilk, SprySOCKS incorporates multiple functions, including collecting system information, initiating an interactive shell, listing network connections, and uploading and exfiltrating files.
But what makes SprySOCKS unique among Linux backdoors is its launching mechanism, Trend Micro researchers Joseph Chen and Jaromir Horejsi say. According to the two researchers, the main backdoor payload is stored encrypted on disk and is present in memory only after the loader has decrypted it and injected it into its own process. It is a mechanism that APT groups often use to target Windows systems, but not so much on Linux systems, the two researchers say.
Earth Lusca is a somewhat elusive threat actor that Trend Micro has observed since mid-2021, targeting organizations in Southeast Asia and more recently in Central Asia, the Balkans, Latin America, and Africa. Evidence suggests that the group is part of Winnti, a loose cluster of cyber espionage groups believed to be working on behalf of, or in support of, Chinese economic objectives.
Earth Lusca's targets have included government and educational institutions, pro-democracy and human rights groups, religious groups, media organizations, and organizations conducting COVID-19 research. It has been especially interested in government agencies involved in foreign affairs, telecommunications, and technology. At the same time, while most of Earth Lusca's attacks appear to be espionage related, on occasion the adversary has gone after cryptocurrency and gambling firms as well, suggesting it is also financially motivated, Trend Micro said.
Chen and Horejsi say that available telemetry suggests Earth Lusca might have targeted as many as 150 organizations since the beginning of the year. Some of these have involved US targets, they note, pointing to a campaign earlier this year in which the threat actor exploited multiple vulnerabilities in the Zimbra Collaboration Suite to breach enterprise networks, and another that impacted a state legislature.
In many of its attacks, the threat actor has used spear-phishing, common social engineering scams, and watering-hole attacks to try to get a foothold on a target network. Since the beginning of this year, Earth Lusca actors have also been aggressively targeting so-called n-day vulnerabilities in Web-facing applications to infiltrate victim networks. An n-day vulnerability is a flaw that a vendor has already disclosed but for which no patch is currently available. Recently, the threat actor has been highly aggressive in targeting the public-facing servers of its victims by exploiting known vulnerabilities, Trend Micro said.
Among the many such flaws that Earth Lusca has been observed exploiting this year are CVE-2022-40684, an authentication bypass vulnerability in Fortinet's FortiOS and other products; CVE-2022-39952, a remote code execution (RCE) bug in Fortinet FortiNAC; and CVE-2019-18935, an RCE in Progress Telerik UI for ASP.NET AJAX. Other threat actors have exploited these bugs as well. CVE-2022-40684, for instance, is a flaw that a likely China-backed threat actor used in a widespread cyber espionage campaign dubbed Volt Typhoon, targeting organizations across multiple critical sectors including government, manufacturing, communications, and utilities.
Earth Lusca takes advantage of server vulnerabilities to infiltrate its victims' networks, after which it deploys a web shell and installs Cobalt Strike for lateral movement, Trend Micro said in its report. The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti to conduct long-term espionage activities against its targets.
This story was updated on Sept. 20 with comments from Trend Micro researchers Joseph Chen and Jaromir Horejsi.
