A new Linux backdoor known as “SprySOCKS” has been discovered and linked to a Chinese APT group.
Security researchers have discovered a previously unknown Linux backdoor employed by a threat actor suspected of being related to the Chinese government. This new backdoor, known as “SprySOCKS,” appears to be based on the Windows backdoor “Trochilus,” which was discovered in 2015. Trochilus has been linked to the Chinese government-linked advanced persistent threat group APT10, also known as Stone Panda and MenuPass.
While Trochilus has been around for a while, its source code has been published on GitHub for over six years. As a result, other threat actors have been able to utilize and change the code for their own goals. Trend Micro analysts identified an encrypted binary file on a server used by a group they were following in June. When this file was decrypted, it resulted in the discovery of SprySOCKS, which combines Trochilus functionality with a new Socket Secure (SOCKS) implementation.
SprySOCKS offers standard backdoor features, such as gathering system information, launching an interactive remote shell, identifying network connections, and establishing a SOCKS proxy for data transit between the compromised system and a command server. The backdoor also contains file operations and manipulation capabilities.
SprySOCKS is linked to a threat actor known as “Earth Lusca,” which has been active since at least 2021 and predominantly targets Asian countries. Earth Lusca uses social engineering techniques to infect targets via watering-hole sites. This organization is financially motivated in addition to espionage, focused on businesses such as gambling and cryptocurrency.
The availability of this new Linux backdoor demonstrates the versatility of threat actors, particularly those linked to nation-states. It also emphasizes the significance of regular threat intelligence and monitoring in detecting developing risks.
To fight against growing dangers like SprySOCKS, security experts advise enterprises to remain cautious and establish effective security measures.
