Earth Lusca's SprySOCKS Linux Backdoor Targets Governments

Introduction

In the ever-evolving landscape of cybersecurity, new threats emerge that challenge even the most prepared organizations. One such threat has recently been observed, targeting government entities with a previously unknown Linux backdoor. This advisory aims to provide a comprehensive overview of this threat, its significance, potential risks, and recommendations from Enterprotect on how to mitigate its impact.

What is the Threat?

The threat in question is a Linux backdoor named SprySOCKS. This backdoor has its origins in the Trochilus open-source Windows malware, with many of its functions adapted to operate on Linux systems. The threat actor behind this campaign, known as Earth Lusca, has a history of targeting government departments, especially those involved in foreign affairs, technology, and telecommunications. Their modus operandi involves exploiting known security vulnerabilities in public-facing servers, such as Fortinet, GitLab, Microsoft Exchange Server, Pregress Telerik UI, and Zimbra, to drop web shells and deliver Cobalt Strike for lateral movement within the network. The continuous development of SprySOCKS is evident from the detection of samples with varying version numbers.

Why is it Noteworthy?

SprySOCKS stands out due to its unique blend of malware characteristics. Its command and control (C2) communication protocol bears resemblance to RedLeaves, a known Windows backdoor. Meanwhile, its implementation shell appears to be derived from Derusbi, a Linux malware. The backdoor is loaded using a variant of an ELF injector component known as mandibule. Once active, SprySOCKS can gather system information, initiate an interactive shell, manage SOCKS proxy, and execute various file and directory operations.

What is the Exposure or Risk?

Earth Lusca's introduction of SprySOCKS marks a significant expansion of their Linux-based tools. The group has shown increased aggression in targeting public-facing servers, exploiting known vulnerabilities to gain access. Once inside, they utilize Cobalt Strike beacons for remote access, file exfiltration, credential theft, and payload deployment. Additionally, they deploy the SprySOCKS loader, which arrives as a file named “libmonitor.so.2.” To avoid detection, the loader operates under the name “kworker/0:22,” mimicking a Linux kernel worker thread. This loader decrypts the SprySOCKS payload and ensures its persistence on the compromised system.

What are the Recommendations?

Enterprotect advises organizations to take the following measures to defend against SprySOCKS and similar threats:

1. Attack Surface Management: Proactively manage and minimize potential entry points into your system. This reduces the chances of a successful breach.

2. Regular Updates: Ensure that all tools, software, and systems are regularly updated and patched. This not only ensures optimal performance but also plugs known security vulnerabilities.

3. Adopt Advanced Security Solutions: Implement flexible and advanced security solutions tailored to defend against sophisticated threat actors like Earth Lusca.