Earth Lusca adds multiplatform malware KTLVdoor to its arsenal

The Chinese-speaking threat actor Earth Lusca used the new backdoor KTLVdoor in an attack against a trading company in China.

Trend Micro Researchers spotted the Chinese-speaking threat actor Earth Lusca using a new multiplatform backdoor called KTLVdoor. The Earth Lusca group has been active since at least the first half of 2023, it primarily targeted organizations in Southeast Asia, Central Asia, and the Balkans. The group focuses on government departments that are involved in foreign affairs, technology, and telecommunications.

The group is targeting public-facing servers attempting to exploit server-based N-day vulnerabilities

KTLVdoor is written in Golang, but experts also detected versions for both Windows and Linux. The malware is highly obfuscated and disguises itself as system utilities, allowing attackers to perform tasks like file manipulation, command execution, and remote port scanning. The malware supports advanced encryption and obfuscation techniques to complicate malware analysis and hide its operations.

Attackers spread the backdoor as a dynamic library (DLL, SO), the malware allows attackers to fully control the compromised environment. The backdoor allows to run commands, manipulate files, provide system and network information, using proxies, download/upload files, scan remote ports and more.

Trend Micro warns the campaign linked to the KTLVdoor malware is extensive, they already discovered over 50 command-and-control (C&C) servers, all hosted on Alibaba in China, communicating with different malware variants. While many of the samples are confidently tied to the Earth Lusca threat actor, it’s unclear if the entire infrastructure is exclusive to them. It may also be shared with other Chinese-speaking threat actors.

“Most of the samples discovered in this campaign are obfuscated: embedded strings are not directly readable, symbols are stripped and most of the functions and packages were renamed to random Base64-like looking strings, in an obvious effort from the developers to slow down the malware analysis ” reads the analysis published by Trend Micro.

KTLVdoor masquerades as different system utilities, including sshd, Java, SQLite, bash, and edr-agent.

Upon executing the backdoor, it continuously communicates with its C2 server, awaiting instructions. It supports commands for downloading/uploading files, exploring the file system, launching an interactive shell, executing shellcode, and conducting various scans (e.g., TCP, RDP, TLS, Ping, Web).

The communication relies on GZIP-compressed and AES-GCM-encrypted messages. Each message can be delivered in simplex mode (one device on channel can only send, another device on the channel can only receive) or in duplex mode (both devices can simultaneously send and receive messages).

It is still unclear how Earth Lusca distributes the new backdoor KTLVdoor.

“We have been able to tie samples of KTLVdoor to the threat actor Earth Lusca with high confidence. However, we were not able to tie several other samples of this malware family to this threat actor. In addition, the size of the infrastructure we have been able to discover is very unusual.” concludes the report that includes Indicators of Compromise (IoCs). “Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)