Researchers have recently uncovered a previously unknown backdoor for Linux that is being used by a threat actor associated with the Chinese government. This new backdoor, known as SprySOCKS, originates from a Windows backdoor called Trochilus, which was first identified by researchers from Arbor Networks, now Netscout, in 2015. Trochilus was known for running solely in memory, which made it difficult to detect.
NHS Digital researchers in the UK have attributed Trochilus to APT10, an advanced persistent threat group linked to the Chinese government and also known as Stone Panda and MenuPass. Over the years, other groups have utilized Trochilus, and its source code has been available on GitHub for over six years.
Trochilus has been observed in campaigns that involve a separate piece of malware called RedLeaves. In June, researchers from security firm Trend Micro discovered an encrypted binary file on a server associated with a group they had been tracking since 2021. This file, named “libmonitor.so.2,” led them to an executable Linux file called “mkmon,” which contained the credentials needed to decrypt the original payload in libmonitor.so.2. mkmon was identified as an installation file that delivers and decrypts libmonitor.so.2. This discovery marked the emergence of SprySOCKS.
SprySOCKS incorporates functionalities found in Trochilus and introduces a new implementation of a Socket Secure (SOCKS) protocol. It features typical backdoor capabilities, such as collecting system information, establishing an interactive remote shell, listing network connections, and creating a proxy based on the SOCKS protocol for transferring files and other data between the compromised system and the attacker’s command server.
Trend Micro researchers named their finding SprySOCKS, with “spry” highlighting its swift behavior, and “SOCKS” representing the added SOCKS component. SprySOCKS utilizes various message IDs to perform specific tasks, including machine information retrieval, starting an interactive shell, listing network connections, sending packets, creating SOCKS proxies, uploading and downloading files, enumerating files, and performing directory operations.
The analysis of SprySOCKS revealed that it is currently under development, as multiple versions of the backdoor were discovered. The command and control server utilized by SprySOCKS bears similarities to a server that was associated with a campaign involving the Windows malware RedLeaves, which is also based on Trochilus. The shared code between Trochilus, RedLeaves, and SprySOCKS suggests a connection between these malware variants.
Trend Micro has attributed SprySOCKS to a threat actor called Earth Lusca. This group was first identified by the researchers in 2021 and primarily targets government organizations in Asia through social engineering attacks. Earth Lusca appears to have both espionage and financial motivations, with a particular interest in gambling and cryptocurrency companies. The same server hosting SprySOCKS was also distributing payloads such as Cobalt Strike and Winnti, indicating the group’s expansive capabilities.
Trend Micro’s report provides valuable information, including IP addresses and file hashes, that individuals and organizations can use to identify if they have been compromised by SprySOCKS or related threats. It serves as a reminder of the importance of maintaining robust security measures to protect against sophisticated cyber threats, especially those associated with nation-state actors.
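The two observations above, an encrypted payload stored under a shared-library name that a separate loader decrypts, and a report of file hashes to check against, both lend themselves to a simple host triage script. The following is an added example and is not code from the article or from Trend Micro; the IoC hash is a labelled placeholder (the real values are in the report), the three sample files are constructed stand-ins rather than real malware, and the entropy threshold is an assumed heuristic, not a published value.

```python
"""Added triage example (not from Trend Micro's report or the original article).

Two checks a defender can run over a suspect directory:
  1. SHA-256 of each file against a list of published IoC hashes (placeholder here).
  2. A name/content mismatch heuristic: a file named like a shared object (.so)
     that lacks the ELF magic and has near-random byte entropy is consistent with
     an encrypted payload waiting for a loader, as described for libmonitor.so.2.
"""
import hashlib
import math
import random
import tempfile
from pathlib import Path

# PLACEHOLDER: the real hashes are published in Trend Micro's report and are
# not reproduced here; replace with those values before operational use.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_SHA256_FROM_TREND_MICRO_REPORT"}

ELF_MAGIC = b"\x7fELF"
HIGH_ENTROPY_BITS = 7.2  # assumed threshold; encrypted data approaches 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_file(path: Path, iocs=frozenset(KNOWN_BAD_SHA256)) -> list[str]:
    """Return findings for one file; an empty list means nothing noteworthy."""
    findings = []
    digest = sha256_file(path)
    if digest in iocs:
        findings.append(f"sha256 matches published IoC: {digest}")
    data = path.read_bytes()
    named_like_so = ".so" in path.suffixes  # libmonitor.so.2 -> ['.so', '.2']
    has_elf_header = data.startswith(ELF_MAGIC)
    if named_like_so and not has_elf_header:
        findings.append("named like a shared object but has no ELF header")
        if shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            findings.append("near-random content: consistent with an encrypted payload")
    return findings


def scan_directory(root: Path, iocs=frozenset(KNOWN_BAD_SHA256)) -> dict[str, list[str]]:
    """Map file name -> findings for every regular file under root that has any."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings = triage_file(p, iocs)
            if findings:
                results[p.name] = findings
    return results


def build_samples(root: Path) -> dict[str, str]:
    """Write three CONSTRUCTED files (not real malware) and return name -> sha256."""
    rng = random.Random(2023)  # seeded so the sample is reproducible
    (root / "libmonitor.so.2").write_bytes(rng.randbytes(4096))  # encrypted-looking blob
    (root / "libfake.so").write_bytes(ELF_MAGIC + bytes(range(64)) * 16)  # benign-looking ELF
    (root / "mkmon").write_bytes(b"#!/bin/sh\n# constructed stand-in for a loader\n")
    return {p.name: sha256_file(p) for p in root.iterdir()}


def demo() -> dict[str, list[str]]:
    """Build the samples in a temp dir and scan them; the constructed mkmon digest is
    added to the IoC set to simulate a match against a published indicator."""
    root = Path(tempfile.mkdtemp())
    digests = build_samples(root)
    iocs = frozenset(KNOWN_BAD_SHA256 | {digests["mkmon"]})
    return scan_directory(root, iocs)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

The hash check is exact and only as good as the indicator list, which is why the entropy heuristic sits beside it: a renamed or recompiled payload defeats the hash, but an encrypted blob parked under a library name still has no ELF header and near-random content. Expect the heuristic to be noisy on compressed or firmware-style files, so treat a hit as a lead for manual review rather than a verdict.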