A Chinese-language threat actor known as Earth Lusca has been spotted using a new backdoor called KTLVdoor as part of a cyber attack targeting an unnamed trading company in China.
The previously unreported malware is written in Go and is therefore a cross-platform tool capable of targeting both Microsoft Windows and Linux systems.
“KTLVdoor is a highly obfuscated malware that masquerades as various system utilities, allowing attackers to perform a variety of tasks including file manipulation, command execution, and remote port scanning,” Trend Micro researchers Cedric Pernet and Jaromir Khareisi said in an analysis published Wednesday.
Some of the tools that KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with malware distributed in the form of a dynamic link library (.dll) or shared object (.so).
Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted by the Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure is shared with other Chinese threat actors.
Earth Lusca is believed to have been active since at least 2021, orchestrating cyber attacks against public and private sector organizations in Asia, Australia, Europe, and North America. It is assessed to share some tactical similarities with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).
KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and takes its name from a "KTLV" marker in its configuration file, which holds the parameters the implant needs to operate, including the C&C servers to connect to.
Once initialized, the malware contacts the C&C server in a loop, waiting for further instructions to execute on the compromised host. Supported commands let the operator download and upload files, list the file system, run an interactive shell, run shellcode, and launch scans using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.
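As an added illustration (not code from the Trend Micro analysis or from the malware itself), the following Python triage heuristic scores a file on the three signals the article gives: Go build markers in the binary, the literal "KTLV" marker, and a shared-library file name borrowed from one of the impersonated utilities. The sample bytes, the scoring weights, and the "suspicious" threshold are assumptions constructed for this example; the article does not describe the configuration layout, so the marker is only checked as a substring, and a hit should be treated as a lead for manual review rather than a verdict.

```python
"""Hypothetical triage heuristic for KTLVdoor-style libraries (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Utility names the article says KTLVdoor impersonates when dropped as .so/.dll.
IMPERSONATED_NAMES = {"sshd", "java", "sqlite", "bash", "edr-agent"}

# Generic "built with Go" indicators, not specific to this family: the 14-byte
# buildinfo magic the Go linker writes (Go 1.13+) and the build-ID note string.
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")

# The configuration marker the backdoor is named after. The article gives only
# the token, not the surrounding layout, so this is a plain substring check.
KTLV_MARKER = b"KTLV"

# Matches .so, .so.N, .so.N.M and .dll suffixes.
SHARED_LIB_RE = re.compile(r"\.(so|dll)(\.\d+)*$", re.IGNORECASE)


@dataclass
class Verdict:
    path: str
    is_go: bool
    has_ktlv: bool
    masquerade: bool
    score: int
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _file_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def library_stem(path: str) -> str:
    """File name with any .so/.so.N/.dll suffix removed, lowercased."""
    return SHARED_LIB_RE.sub("", _file_name(path)).lower()


def is_shared_library(path: str) -> bool:
    return SHARED_LIB_RE.search(_file_name(path)) is not None


def triage(path: str, data: bytes) -> Verdict:
    """Score one file. Weights and threshold are assumptions for this example."""
    is_go = any(m in data for m in GO_MARKERS)
    has_ktlv = KTLV_MARKER in data
    masquerade = is_shared_library(path) and library_stem(path) in IMPERSONATED_NAMES

    reasons, score = [], 0
    if is_go:
        score += 1
        reasons.append("Go build markers present")
    if has_ktlv:
        score += 2
        reasons.append("'KTLV' config marker present")
    if masquerade:
        score += 1
        reasons.append(f"library named after impersonated utility '{library_stem(path)}'")

    # Require the family-specific marker plus at least one corroborating signal.
    suspicious = has_ktlv and score >= 3
    return Verdict(path, is_go, has_ktlv, masquerade, score, suspicious, reasons)


# Constructed sample contents (not real malware): an ELF-looking Go blob that
# carries the KTLV token, a Go blob without it, and an unrelated shell script.
SAMPLE_GO_KTLV = b"\x7fELF" + b"\x00" * 16 + b"\xff Go buildinf:\x08\x00" + b"cfg:KTLV\x00"
SAMPLE_GO_ONLY = b"\x7fELF" + b"\x00" * 16 + b"Go build ID: abc/def\x00"
SAMPLE_PLAIN = b"#!/bin/sh\necho hello\n"


def demo() -> List[Verdict]:
    """Run the heuristic over the constructed samples under plausible drop paths."""
    cases = [
        ("/usr/lib/edr-agent.so", SAMPLE_GO_KTLV),
        ("C:\\Windows\\Temp\\java.dll", SAMPLE_GO_KTLV),
        ("/usr/lib/libfoo.so.1", SAMPLE_GO_ONLY),
        ("/usr/local/bin/bash", SAMPLE_PLAIN),
    ]
    return [triage(p, d) for p, d in cases]


if __name__ == "__main__":
    for v in demo():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} {v.path}: {'; '.join(v.reasons) or 'no indicators'}")
```

The Go markers alone are expected on any Go binary and the impersonated names are common legitimate file names, which is why the heuristic only flags a file when the "KTLV" token is present together with at least one of the other two signals; a real hunt would replace the substring check with a proper signature once the configuration format is documented.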
However, little is known about how the malware is distributed or whether it has been used to attack other organizations around the world.
“This new tool is used by Earth Lusca, but it can also be shared by other Chinese-speaking threat actors,” the researchers noted. “Seeing that the C&C servers were all on the IP addresses of Chinese supplier Alibaba, we wonder if the whole appearance of this new malware and C&C server could be some kind of early stage testing of new tools.”