Earth Lusca Expands Arsenal with SprySOCKS Linux Malware

Cyber Security Threat Summary:
China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered the malware while tracking Earth Lusca's activities. SprySOCKS is a Linux adaptation of Trochilus, an open-source Windows backdoor. Earth Lusca continues to develop it, as evidenced by the multiple versions detected.

The group primarily targets government departments in Southeast Asia, Central Asia, and the Balkans, exploiting N-day vulnerabilities in internet-facing servers, including Fortinet, GitLab, Progress Telerik, Zimbra Collaboration Suite, and Microsoft Exchange (the ProxyShell chain). Once inside, they deploy various tools for lateral movement and data theft.

SprySOCKS runs under the process name "kworker/0:22" to pass as a kernel worker thread in process listings, and encrypts its command-and-control traffic with AES-ECB. It supports commands for collecting system information, starting an interactive shell, listing network connections, acting as a SOCKS proxy, and performing file operations.
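The kernel-thread disguise is cheap to detect, because renaming a process does not turn it into a kernel thread. The following is an added detection example (not code from Trend Micro or from the malware) that relies on three properties of genuine Linux kernel threads: the PF_KTHREAD flag is set in the flags field of /proc/<pid>/stat, the parent is kthreadd (PID 2) or PID 0, and /proc/<pid>/exe does not resolve because there is no executable image. A userland binary that merely sets its name with prctl(PR_SET_NAME) or by rewriting argv[0] fails all three. The sample stat lines in the usage below are constructed; the helper names and the check thresholds are this example's own.

```python
"""Flag userland processes wearing kernel-thread names such as kworker/0:22.

Added detection example. Assumes a Linux /proc filesystem; the function and
constant names here are this example's own and not part of any tool.
"""
import os
from dataclasses import dataclass
from typing import List, Optional

PF_KTHREAD = 0x00200000  # include/linux/sched.h: set on every kernel thread
KTHREAD_NAME_PREFIXES = ("kworker/", "ksoftirqd/", "kthreadd", "migration/",
                         "rcu_", "kswapd", "kcompactd", "khugepaged")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # name shown in parentheses in /proc/<pid>/stat
    flags: int           # field 9 of /proc/<pid>/stat
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when it does not resolve


def parse_stat(stat: str) -> Proc:
    """Parse one /proc/<pid>/stat line.

    comm may itself contain spaces or ')', so split at the last ')' instead
    of blindly splitting on whitespace.
    """
    head, _, rest = stat.rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = rest.split()
    # fields[0]=state [1]=ppid [2]=pgrp [3]=session [4]=tty_nr [5]=tpgid [6]=flags
    return Proc(pid=int(pid_str), ppid=int(fields[1]), comm=comm,
                flags=int(fields[6]), exe=None)


def masquerade_reasons(p: Proc) -> List[str]:
    """Return why a kernel-thread-named process looks like a userland fake.

    An empty list means the process either does not carry a kernel-thread
    name or passes every check a genuine kernel thread passes.
    """
    if not p.comm.startswith(KTHREAD_NAME_PREFIXES):
        return []
    reasons = []
    if not p.flags & PF_KTHREAD:
        reasons.append("PF_KTHREAD not set")
    if p.ppid not in (0, 2):
        reasons.append(f"parent is PID {p.ppid}, not kthreadd")
    if p.exe is not None:
        reasons.append(f"has an executable image: {p.exe}")
    return reasons


def read_proc(pid: int, root: str = "/proc") -> Optional[Proc]:
    """Build a Proc from /proc/<pid>; None if the process vanished meanwhile."""
    base = os.path.join(root, str(pid))
    try:
        with open(os.path.join(base, "stat")) as f:
            p = parse_stat(f.read())
    except OSError:
        return None
    try:
        p.exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        # ENOENT for kernel threads; EACCES for other users' processes when
        # run unprivileged, which is why the scan should be run as root.
        p.exe = None
    return p


def scan(root: str = "/proc") -> List[Proc]:
    """Walk /proc and return every process that fails the kernel-thread checks."""
    suspects = []
    for entry in os.listdir(root):
        if entry.isdigit():
            p = read_proc(int(entry), root)
            if p is not None and masquerade_reasons(p):
                suspects.append(p)
    return suspects


if __name__ == "__main__":
    # Constructed sample: a real kworker (PPID 2, PF_KTHREAD set, no exe)
    # next to a userland process that only changed its name.
    genuine = parse_stat("17 (kworker/0:22) S 2 0 0 0 -1 69238880 0")
    fake = parse_stat("4242 (kworker/0:22) S 1 4242 4242 0 -1 4194560 0")
    fake.exe = "/var/tmp/.cache/loader"  # constructed path for the example
    for p in (genuine, fake):
        print(f"PID {p.pid} {p.comm!r}: {masquerade_reasons(p) or 'ok'}")
    for p in scan():
        print(f"LIVE PID {p.pid} {p.comm!r}: " + "; ".join(masquerade_reasons(p)))
```

Run it as root so that /proc/<pid>/exe resolves for every process; unprivileged, the exe check silently degrades to the PF_KTHREAD and parent checks, which are still sufficient on their own. The name-prefix list is deliberately short and can be extended with whatever kernel thread names appear on the monitored hosts.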

Security Officer Comments:
This information is vital because it reveals the evolving tradecraft of advanced threat groups like Earth Lusca. Their use of the new SprySOCKS malware highlights the persistent nature of these threats and emphasizes the importance of staying vigilant, keeping systems updated, and proactively defending against known and emerging threats. Earth Lusca's focus on sensitive government functions such as foreign affairs and technology underscores the need for strong cybersecurity in both the public and private sectors, given the potential national security implications.

Suggested Correction(s):
Maintain and enforce a patch management policy: a documented set of guidelines and procedures that an organization follows to manage and apply software patches and updates on its computer systems, network devices, and other IT infrastructure components. Prioritize the internet-facing servers Earth Lusca is known to target.

The group targets public-facing servers by exploiting server-side N-day vulnerabilities, including:

  • CVE-2022-40684: An authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager
  • CVE-2022-39952: An unauthenticated remote code execution (RCE) vulnerability in Fortinet FortiNAC
  • CVE-2021-22205: An unauthenticated RCE vulnerability in GitLab CE/EE
  • CVE-2019-18935: An unauthenticated remote code execution vulnerability in Progress Telerik UI for ASP.NET AJAX
  • CVE-2019-9670 / CVE-2019-9621: A bundle of two vulnerabilities for unauthenticated RCE in Zimbra Collaboration Suite
  • ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207): A set of three chained vulnerabilities that together yield unauthenticated RCE in Microsoft Exchange