
    From TechnologyDaily@1337:1/100 to All on Tue Sep 19 12:15:03 2023
    Chinese hackers are exploiting a new Linux backdoor to target national governments

    Date:
    Tue, 19 Sep 2023 12:05:57 +0000

    Description:
    Researchers claim Chinese group is running an espionage campaign, as they
    spot new backdoor versions in active development.

    FULL STORY ======================================================================

    A Chinese threat actor was observed targeting multiple governments around the world with a new Linux backdoor, according to new findings from Trend Micro.

    As reported by BleepingComputer, the group is called Earth Lusca, and has been active in the first half of the year, targeting government organizations in Southeast Asia, Central Asia, the Balkans, and elsewhere. The
    organizations were mostly focused on foreign affairs, technology, and telecommunications. Earth Lusca's goal seems to be espionage.

    To compromise their targets' endpoints, the group used multiple n-day unauthenticated remote code execution flaws, most of which were discovered
    and addressed between 2019 and 2022. Through these flaws, they'd drop Cobalt Strike beacons, which were later used to deploy a new Linux backdoor called SprySOCKS.

    Stealing files and more

    SprySOCKS is not brand new, though. Its code is reportedly a mix of multiple other malware variants, including the Trochilus open-source malware
    for Windows, a Windows backdoor called RedLeaves, and Derusbi, which is a Linux malware.

    Its key functionalities include system information harvesting, starting an interactive shell using the PTY subsystem, listing network connections, managing SOCKS proxy configurations, as well as the usual capabilities such
    as uploading and downloading files.

    Besides SprySOCKS, the group was seen dropping a Linux ELF injector dubbed mandibule, as well. Mandibule itself was tweaked and changed, but in a relatively sloppy manner, it seems, as researchers found debug messages and symbols left behind, indicating that the developers weren't really paying that much attention.

    SprySOCKS, on the other hand, is in active development, the researchers concluded. So far, they managed to obtain two versions of the backdoor, v1.1 and v1.3.6.

    The best way to protect against such threats is to make sure all endpoints
    are patched regularly.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/chinese-hackers-are-exploiting-a-new-linux-backdoor-to-target-national-governments


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)