Novel China-linked Linux backdoor exploits organizations that fail to patch old vulnerabilities

Linux backdoor: A digital render of a red, microchip-like pattern with semi-transparent white representations of an open padlock and skull and crossbones overlaid on top, alongside the text DATA LEAK, SECURITY, and EXPLOIT FOUND to represent data theft.
(Image credit: Getty Images)

Security researchers have issued a warning over a “never before seen” Linux backdoor vulnerability being exploited by Chinese government-linked threat actors. 

Dubbed ‘ SprySOCKS’, Trend Micro threat researchers Joseph C Chen and Jaromir Horejsi said the strain’s execution routine and strings indicate that it likely originates from the Trochilus Windows backdoor.

It also appears to inherit features from other backdoors. Its command and control (C2) infrastructure, for example, shows similarities with the RedLeaves backdoor, a remote access trojan (RAT) that also targets Windows and is thought to be based on Trochilus.

Looking at previous Linux backdoors, researchers also spotted similarities between SprySOCKS and earlier strains such as Derusbi malware which is believed to have provided inspiration for the latest version.

Those behind the latest Linux strain appear to have taken some of the core features of the Windows versions on which it’s based and re-engineered them to target Linux.

The function for collecting machine information (CollectInfo), for example, bears similarities to the CLIENT_INFO_Structure function found in Trochilus, in some cases sharing parameter names.

Functionalities of the SprySOCKS malware strain target a number of areas, Trend Micro said. This includes collecting system information, such as operating system details, memory, IP address details, and CPU information. 

Similarly, the backdoor also enables threat actors to observe and list network connections, as well as upload and download files. 

Other “basic file operations”, such as the creation, renaming, and deletion of directories were also highlighted by researchers.

The malware’s makeup suggests the attacker’s goals are to establish long-term access to its target machines. 

Analysis of the malware showed that, once installed, it attempts to exploit known and already-patched vulnerabilities - known as n-days - on the victim’s servers. 

Swipe to scroll horizontally
CVE-2022-40684 An authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager
CVE-2022-39952An unauthenticated remote code execution (RCE) vulnerability in Fortinet FortiNAC
CVE-2021-22205An unauthenticated RCE vulnerability in GitLab CE/EE
CVE-2019-18935An unauthenticated remote code execution vulnerability in Progress Telerik UI for ASP.NET AJAX
CVE-2019-9670 / CVE-2019-9621A bundle of two vulnerabilities for unauthenticated RCE in Zimbra Collaboration Suite
ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)A set of three chained vulnerabilities that perform unauthenticated RCE in Microsoft Exchange

Successful exploitation of the vulnerabilities led to web shells being dropped and Cobalt Strike’s installation to grant attackers more capabilities for movement around and access to the victim’s environment.

Researchers made note of the fact that SprySOCKS contains a marker that refers to the malware’s version number. During the analysis, researchers found two different version numbers which they said suggest the malware is still under development.

China-linked attacks

SprySOCKS appears to be playing an extensive role in the activity of a threat actor tracked by Trend Micro as ‘Earth Lusca’. Other organizations also note that the group has overlapping activity with the group tracked as TAG-22 - believed to also be a China state-linked threat actor.  

“Earth Lusca remained active during the first half of 2023, with its attacks focusing primarily on countries in Southeast Asia, Central Asia, and the Balkans,” researchers said. 

“The group’s main targets are government departments that are involved in foreign affairs, technology, and telecommunications.”

Trend Micro further warned that the group is now “aggressively targeting” public-facing servers of its victims. As such, the firm advised organizations to “properly manage” their attack surfaces to minimize potential entry points and prevent a breach. 


A Cisco’s guide to log management for cybersecurity

(Image credit: Graylog)

Gain the ability to collect, aggregate, and correlate data more effectively


“Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance,” researchers said. 

Roger Grimes, data-driven defense evangelist at KnowBe4, told ITPro that the emergence of SprySOCKS should serve as a “wake-up call” for organizations running Linux systems. 

“Every victim is someone who essentially didn't do any patching or didn't do patching well, at least on their Linux systems” he said. 

“It's a wake-up call for anyone with Linux systems that they still have to make sure they are patched.”

“Just because they aren't Microsoft Windows computers doesn't mean you can neglect normal computer security policies and procedures. Running a Linux system doesn't make you magically unhackable. In fact, as this story shows, it can make you a leading candidate for exploitation,” he added.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.