Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement

Trend Micro researchers identified a new Linux backdoor, SprySOCKS, used by the China-linked group Earth Lusca; it is derived from the Trochilus RAT and implements a SOCKS proxy plus an AES-ECB encrypted C2 protocol. The actor delivers SprySOCKS via a mandibule-based loader (libmonitor.so.2 / mkmon), persists it using chkconfig/systemd while masquerading the process as “kworker/0:22”, and also deploys Cobalt Strike for lateral movement. #SprySOCKS #EarthLusca #Trochilus

Keypoints

  • Researchers recovered and decrypted a Linux backdoor (SprySOCKS) from Earth Lusca’s delivery server; the payload shows code origins from the Trochilus open-source RAT.
  • The initial loader is based on the public mandibule ELF injector (mkmon) and contains debug symbols and leftover messages, indicating minimal modification.
  • Loader behavior: decrypts an AES-ECB-encrypted second stage, copies itself and the payload to /usr/sbin, and uses chkconfig or systemd to establish persistence while optionally self-deleting.
  • SprySOCKS C2 uses TCP packets with a 0x12-byte header and a base64-encoded, AES-ECB-encrypted payload; C2 address and port are hard-coded and visible in plaintext.
  • The RAT supports common backdoor functions including system information collection, an interactive PTY shell, file upload/download, and creation/forwarding of SOCKS proxies.
  • Earth Lusca leverages public-facing server vulnerabilities to gain access, deploy web shells and Cobalt Strike, and aims to exfiltrate documents and email credentials for long-term espionage.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Actor exploited server vulnerabilities and N-day flaws to infiltrate targets (‘exploiting server-based N-day vulnerabilities’).
  • [T1543.003] Create or Modify Systemd Service – Loader establishes persistence by copying itself to /usr/sbin and using chkconfig or systemd to start as a service (‘uses chkconfig or systemd to start the loader as a service’).
  • [T1036] Masquerading – Loader renames its process to “kworker/0:22” to blend in with legitimate kernel worker threads (‘the name of the process is set to “kworker/0:22”’).
  • [T1027] Obfuscated Files or Information – The second-stage payload is AES-ECB encrypted with a hard-coded password, hiding its contents (‘The second stage is encrypted with an AES-ECB cipher, with the password being hard-coded in the loader.’).
  • [T1071] Application Layer Protocol – Backdoor implements a custom C2 protocol over TCP using a fixed header and base64-encoded AES-ECB messages for command/control (‘C&C communication consists of packets sent via TCP … base64-encoded, AES-ECB-encrypted message’).
  • [T1059.004] Unix Shell – SprySOCKS spawns an interactive PTY-based shell using execve and sets environment variables to suppress history (‘execve … with the parameter “[diskio]” … HISTFILE=/dev/null’).
  • [T1041] Exfiltration Over C2 Channel – The actor uses the implanted tools to exfiltrate documents and email account credentials (‘intends to exfiltrate documents and email account credentials’).
  • [T1021] Remote Services – Actor deploys Cobalt Strike to move laterally within victim networks (‘deploy a web shell and install Cobalt Strike for lateral movement’).

Indicators of Compromise

  • [IP Address] delivery/C2 server – 207[.]148[.]75[.]122 (hosted encrypted SprySOCKS payload), 38[.]60[.]199[.]208 (related resolution overlap)
  • [Domain] C2 and infrastructure – lt76ux[.]confenos[.]shop (SprySOCKS C2), 2e6veme8xs[.]bmssystemg188[.]us (alternate C2), and other related domains (rvxzn49eghqj[.]bmssystemg188[.]us, itcom666[.]live)
  • [File name] loader & payload – libmonitor.so.2 (encrypted payload on delivery server), mkmon (ELF loader used to decrypt payload)
  • [File hash] loader ELF – SHA256: 65b27e84d9f22b41949e42e8c0b1e4b88c75211cbf94d5fd66edc4ebe21b7359 (named “mkmon”)

The technical procedure began with identifying an encrypted file (libmonitor.so.2) on the actor’s delivery server and locating a corresponding ELF loader (“mkmon”, SHA256 65b27e84…) on VirusTotal that decrypts the payload. The loader is derived from the public mandibule ELF injector: the actor removed injection-to-other-process functionality but left debug symbols and messages, and added AES-ECB decryption using a hard-coded password. The loader accepts the encrypted-stage path and a self-delete flag, copies itself and the stage to /usr/sbin, sets its process name to “kworker/0:22” to evade casual inspection, and establishes persistence via chkconfig or systemd; if configured it will delete the originally executed files after deployment.
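A defender-side check for the masquerading step above, added here as an example and not code from the Trend Micro report: genuine kworker threads are children of kthreadd (PID 2), have no executable behind /proc/<pid>/exe and an empty cmdline, so a user-space ELF calling itself “kworker/0:22” breaks those invariants. The sample process table and the path /usr/sbin/mkmon are constructed for the demonstration.

```python
import os
import re

# Added example (not from the Trend Micro report): flag user-space processes that
# borrow a kernel-thread name such as "kworker/0:22". Real kworker threads are
# children of kthreadd (PID 2), have no executable image behind /proc/<pid>/exe
# and an empty /proc/<pid>/cmdline; a masquerading ELF breaks those invariants.
KWORKER_RE = re.compile(r"^kworker/\d+:\d+")

def is_suspicious_kworker(name, ppid, exe, cmdline):
    """True when the comm name looks like a kworker but the process is user-space."""
    if not KWORKER_RE.match(name):
        return False
    return ppid != 2 or exe is not None or bool(cmdline)

def flag_records(records):
    """Return the PIDs of suspicious entries; each record is a dict as built below."""
    return [r["pid"] for r in records
            if is_suspicious_kworker(r["name"], r["ppid"], r["exe"], r["cmdline"])]

def read_proc_entry(pid):
    """Build a record from /proc (Linux only); returns None if the process vanished."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:  # kernel threads have no exe; other users' exe may be unreadable
        exe = None
    return dict(pid=pid, name=fields["Name"].strip(),
                ppid=int(fields["PPid"]), exe=exe, cmdline=cmdline)

def scan_proc():
    """Walk /proc and return PIDs masquerading as kworker threads."""
    records = [r for d in os.listdir("/proc") if d.isdigit()
               if (r := read_proc_entry(int(d))) is not None]
    return flag_records(records)

# Constructed sample table standing in for a /proc walk: one genuine kworker,
# one loader that renamed itself "kworker/0:22" but still maps /usr/sbin/mkmon.
SAMPLE_RECORDS = [
    dict(pid=17,   name="kworker/0:1",  ppid=2, exe=None,              cmdline=""),
    dict(pid=4242, name="kworker/0:22", ppid=1, exe="/usr/sbin/mkmon", cmdline="mkmon"),
    dict(pid=900,  name="sshd",         ppid=1, exe="/usr/sbin/sshd",  cmdline="sshd"),
]

if __name__ == "__main__":
    print("sample:", flag_records(SAMPLE_RECORDS))  # [4242]
    print("live /proc:", scan_proc())
```

Run unprivileged, /proc/<pid>/exe of other users' processes is unreadable, but the PPID and cmdline checks still catch a renamed user-space process.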

Decryption reveals SprySOCKS, a statically compiled Linux RAT using the HP-Socket framework. Its C2 configuration (address and port) is hard-coded in plaintext, and communication uses TCP packets with a 0x12-byte header followed by a base64-encoded, AES-ECB-encrypted payload. Decoded messages expose keys like “__handler”, “__msgid”, “__serial”, and “clientid”, and the RAT implements commands for collecting CLIENT_INFO, spawning an interactive PTY-based shell (via /dev/ptmx and execve with HISTFILE=/dev/null), listing network connections, file upload/download, and managing SOCKS proxies (create, forward, terminate). Client ID generation concatenates the first non-loopback interface MAC and CPUID-derived bytes, producing a 28-character hex string identifier.

Operationally, Earth Lusca exploited public-facing server vulnerabilities to deploy web shells, deliver SprySOCKS and additional tooling such as Cobalt Strike and Linux Winnti, and used those implants to move laterally and exfiltrate documents and email credentials. Key IOCs observed include delivery IP 207[.]148[.]75[.]122, C2 domains lt76ux[.]confenos[.]shop and 2e6veme8xs[.]bmssystemg188[.]us, the loader filename mkmon/libmonitor.so.2, and the loader SHA256 noted above.

Read more: https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html