Earth Lusca's cyberespionage techniques.
By Tim Nodar, CyberWire senior staff writer
Sep 19, 2023

Leaving the backdoor unlocked in upatched Linux systems.

Earth Lusca's cyberespionage techniques.

Trend Micro says the China-aligned threat actor “Earth Lusca” is using a new Linux backdoor based on the open-source Windows malware Trochilus. 

SprySOCKS, with an open source heritage.

Trend Micro calls the Linux variant “SprySOCKS.” The researchers note, “The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.”

Earth Lusca’s target list.

Earth Lusca has been targeting public-facing servers belonging to “government departments that are involved in foreign affairs, technology, and telecommunications.” The threat actor is primarily interested in countries in Southeast Asia, Central Asia, and the Balkans.

Pay attention to Linux patching.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that this is, again, a campaign that’s taking advantage of unpatched systems. “Most of the exploits being taken advantage of to spread this malware are 1-4 years old. Every victim is someone who essentially didn't do any patching or didn't do patching well, at least on their Linux systems,” he says. Linux needs attention, too, and it’s patches shouldn’t be overlooked. “ It's a wake up call for anyone with Linux systems that they still have to make sure they are patched. Just because they aren't Microsoft Windows computers doesn't mean you can neglect normal computer security policies and procedures. Running a Linux system doesn't make you magically unhackable. In fact, as this story shows, it can make you a leading candidate for exploitation.”