Researchers have uncovered a new backdoor called KTLVdoor, which targets both Windows and Linux systems and is linked back to Chinese-speaking threat actor Earth Lusca.
Earth Lusca is a group that has been active since at least April 2019 and has targeted organizations from various sectors in countries including the U.S., France, Germany and others. The group was observed leveraging the new Go language-based KTLVdoor, which has the capabilities to run commands, manipulate (as well as download or upload) files, provide attackers with system and network data, scan remote ports and use proxies.
“This previously unreported malware is more complex than the usual tools used by the threat actor,” said Cedric Pernet and Jaromir Horejsi with Trend Micro in a Wednesday analysis. “It is highly obfuscated and is being spread in the wild impersonating various system utilities names or similar tools, such as sshd, java, sqlite, bash, edr-agent, and more.”
Researchers didn’t have detailed insights into the campaign that leveraged the backdoor. For example, they couldn’t identify the full number of victims targeted with the backdoor, but said that one victim found is an unnamed trading company based in China. Researchers found that the backdoor is typically distributed as a library (either as SO or DLL). Horejsi said that researchers found a Windows sample of the malware in a malicious archive that was likely sent to victims via email.
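One defensive check the disguise described above suggests: flag running processes whose name matches one the backdoor impersonates but whose binary does not live in the expected system directory. The example below is added here and is not Trend Micro's or the researchers' code; the expected directories and the sample process list are constructed assumptions.

```python
"""Flag processes named like KTLVdoor's disguises but running from unexpected paths."""
import os
from dataclasses import dataclass

# Utility names the analysis reports KTLVdoor samples impersonating.
IMPERSONATED_NAMES = {"sshd", "java", "sqlite", "bash", "edr-agent"}

# Assumed canonical directories for those binaries on a typical Linux host.
EXPECTED_DIRS = {"/usr/sbin", "/usr/bin", "/bin", "/sbin", "/opt/edr/bin"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    exe: str  # resolved path of the executable actually mapped for this PID


def is_suspicious(p: Proc) -> bool:
    """True when the name is one the backdoor copies and the binary is outside EXPECTED_DIRS."""
    if p.name not in IMPERSONATED_NAMES:
        return False
    # Strip the " (deleted)" suffix /proc adds when the binary was unlinked after launch.
    exe = p.exe.removesuffix(" (deleted)")
    return os.path.dirname(exe) not in EXPECTED_DIRS


def find_masquerading(procs):
    """Return the subset of procs that trip the name/path check."""
    return [p for p in procs if is_suspicious(p)]


def iter_linux_procs():
    """Enumerate live processes from /proc (Linux only); entries we cannot read are skipped."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        yield Proc(int(pid), name, exe)


# Constructed process list standing in for real /proc output (not from the page).
SAMPLE_PROCS = [
    Proc(412, "sshd", "/usr/sbin/sshd"),
    Proc(1337, "sshd", "/tmp/.cache/sshd"),
    Proc(2201, "java", "/home/app/.local/java (deleted)"),
    Proc(2210, "bash", "/bin/bash"),
    Proc(3003, "edr-agent", "/opt/edr/bin/edr-agent"),
]

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"pid {p.pid}: {p.name} running from {p.exe}")
```

On a live Linux host, pass `iter_linux_procs()` to `find_masquerading` instead of the constructed list; the path allowlist will need tuning per distribution.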
The size of the infrastructure behind the malware is “very unusual,” said researchers. They found malware variants communicating with more than 50 command-and-control (C2) servers.
“In APT campaigns, we generally see less C2 servers. During APT operations that run for several months, or even a year, we see about a dozen C2 servers, sometimes a bit more,” said Horejsi. “Seeing [more than] 50 C2 [servers] in such a short period of time is very rare. Yet that is for cyberespionage. For usual cybercrime, we often see much more C2 servers, as they are generally quickly discovered and replaced by attackers. It is not rare to see more than a hundred different C2 servers in some cybercrime campaigns.”
Researchers tied some of the malware samples to Earth Lusca with “high confidence,” but the number of C2 servers could indicate that the infrastructure is being shared with other Chinese-speaking threat actors. Chinese threat actors have previously been seen sharing infrastructure or malware builders, such as the PlugX malware.
“Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling,” said researchers.