Chinese APT Earth Lusca Adds SprySOCKs Backdoor to its Arsenal

More about SprySOCKS

• The backdoor employs the 'HP-Socket' networking framework known for its high performance, while it employs AES-ECB encryption for securing its TCP communications with the C2 server.
• This innovative malware possesses several key functions, including gathering system information, initiating an interactive shell that utilizes the PTY subsystem, enumerating network connections, and managing SOCKS proxy configurations.
• Additionally, it is capable of executing fundamental file operations, which encompass uploading, downloading, listing, deleting, renaming, and creating directories.

Tracing the malware's origin

• The malware borrows much of its source code from Trochilus open-source Windows backdoor. 
• The malware’s implementation of the interactive shell appears to be inspired by the Linux variant of Derusbi malware. 
• The structure of SprySOCK’s C2 protocol is similar to the one used by the RedLeaves backdoor.

Earth Lusca’s recent activity

• Currently, the group is attempting to exploit several n-day RCE vulnerabilities dated between 2019 and 2022 to compromise public-facing servers.
• These flaws are abused to deploy a web shell and install a Cobalt Strike beacon for lateral movement.  
• During the later stages of infection, the group intends to exfiltrate documents and email account credentials and deploy advanced backdoors such as ShadowPad and the Linux variant of Winnti.

Conclusion