Security researchers have issued a warning over a “never before seen” Linux backdoor vulnerability being exploited by Chinese government-linked threat actors.
Dubbed ‘ SprySOCKS’, Trend Micro threat researchers Joseph C Chen and Jaromir Horejsi said the strain’s execution routine and strings indicate that it likely originates from the Trochilus Windows backdoor.
It also appears to inherit features from other backdoors. Its command and control (C2) infrastructure, for example, shows similarities with the RedLeaves backdoor, a remote access trojan (RAT) that also targets Windows and is thought to be based on Trochilus.
Looking at previous Linux backdoors, researchers also spotted similarities between SprySOCKS and earlier strains such as Derusbi malware which is believed to have provided inspiration for the latest version.
Those behind the latest Linux strain appear to have taken some of the core features of the Windows versions on which it’s based and re-engineered them to target Linux.
The function for collecting machine information (CollectInfo), for example, bears similarities to the CLIENT_INFO_Structure function found in Trochilus, in some cases sharing parameter names.
Functionalities of the SprySOCKS malware strain target a number of areas, Trend Micro said. This includes collecting system information, such as operating system details, memory, IP address details, and CPU information.
Similarly, the backdoor also enables threat actors to observe and list network connections, as well as upload and download files.
Other “basic file operations”, such as the creation, renaming, and deletion of directories were also highlighted by researchers.
The malware’s makeup suggests the attacker’s goals are to establish long-term access to its target machines.
Analysis of the malware showed that, once installed, it attempts to exploit known and already-patched vulnerabilities - known as n-days - on the victim’s servers.
| CVE-2022-40684 | An authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager |
| CVE-2022-39952 | An unauthenticated remote code execution (RCE) vulnerability in Fortinet FortiNAC |
| CVE-2021-22205 | An unauthenticated RCE vulnerability in GitLab CE/EE |
| CVE-2019-18935 | An unauthenticated remote code execution vulnerability in Progress Telerik UI for ASP.NET AJAX |
| CVE-2019-9670 / CVE-2019-9621 | A bundle of two vulnerabilities for unauthenticated RCE in Zimbra Collaboration Suite |
| ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) | A set of three chained vulnerabilities that perform unauthenticated RCE in Microsoft Exchange |
Successful exploitation of the vulnerabilities led to web shells being dropped and Cobalt Strike’s installation to grant attackers more capabilities for movement around and access to the victim’s environment.
Researchers made note of the fact that SprySOCKS contains a marker that refers to the malware’s version number. During the analysis, researchers found two different version numbers which they said suggest the malware is still under development.
China-linked attacks
SprySOCKS appears to be playing an extensive role in the activity of a threat actor tracked by Trend Micro as ‘Earth Lusca’. Other organizations also note that the group has overlapping activity with the group tracked as TAG-22 - believed to also be a China state-linked threat actor.
“Earth Lusca remained active during the first half of 2023, with its attacks focusing primarily on countries in Southeast Asia, Central Asia, and the Balkans,” researchers said.
“The group’s main targets are government departments that are involved in foreign affairs, technology, and telecommunications.”
Trend Micro further warned that the group is now “aggressively targeting” public-facing servers of its victims. As such, the firm advised organizations to “properly manage” their attack surfaces to minimize potential entry points and prevent a breach.
Gain the ability to collect, aggregate, and correlate data more effectively
DOWNLOAD FOR FREE
“Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance,” researchers said.
Roger Grimes, data-driven defense evangelist at KnowBe4, told ITPro that the emergence of SprySOCKS should serve as a “wake-up call” for organizations running Linux systems.
“Every victim is someone who essentially didn't do any patching or didn't do patching well, at least on their Linux systems” he said.
“It's a wake-up call for anyone with Linux systems that they still have to make sure they are patched.”
“Just because they aren't Microsoft Windows computers doesn't mean you can neglect normal computer security policies and procedures. Running a Linux system doesn't make you magically unhackable. In fact, as this story shows, it can make you a leading candidate for exploitation,” he added.
