Trend Micro reports that Earth Lusca is using a new multiplatform Golang backdoor named KTLVdoor that targets Windows and Linux. It supports file manipulation, command execution, and remote port scanning while disguising itself as system utilities. The campaign uses sophisticated encryption and obfuscation, with over 50 C2 servers hosted by Alibaba in China, suggesting shared infrastructure among multiple Chinese-speaking threat actors. #EarthLusca #KTLVdoor #Golang #Windows #Linux #Alibaba #IronTiger #VoidArachne
Keypoints
- Discovery of KTLVdoor, a multiplatform backdoor by Earth Lusca.
- Written in Golang, targeting both Windows and Linux.
- Highly obfuscated, masquerading as system utilities like sshd and java.
- Capabilities include file manipulation, command execution, and remote port scanning.
- Over 50 C&C servers identified, hosted by a China-based provider (Alibaba).
- Potential sharing of infrastructure with other Chinese-speaking threat actors.
- Complex configuration and communication methods using encryption and obfuscation.
- Organizations advised to use advanced security technologies for defense.
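The keypoints note that KTLVdoor masquerades as system utilities such as sshd and java. The following is an added example, not code from the Trend Micro report or from Earth Lusca's tooling, of one defensive check a responder can run against a process listing: flag processes whose command name matches a commonly impersonated utility but whose executable path is outside that utility's usual install location, or whose on-disk binary has been deleted after launch. The allow-list of expected paths, the constructed sample listing, and the Linux /proc reader are all assumptions for illustration.

```python
"""Heuristic detection of processes masquerading as sshd / java.

Added example: the expected-path table, the sample listing and the
/proc reader are constructed assumptions, not taken from the report.
"""
import os
from typing import Iterable, List, NamedTuple

# Hypothetical allow-list of where each impersonated utility normally lives.
# Entries ending in "/" are treated as directory prefixes.
EXPECTED_PATHS = {
    "sshd": ("/usr/sbin/sshd",),
    "java": ("/usr/bin/java", "/usr/lib/jvm/"),
}

DELETED_MARK = " (deleted)"  # suffix Linux appends to /proc/<pid>/exe for unlinked binaries


class Proc(NamedTuple):
    pid: int
    name: str   # command name as shown by ps / /proc/<pid>/comm
    exe: str    # resolved executable path


def is_expected(name: str, exe: str) -> bool:
    """True if `exe` is a sanctioned location for a process named `name`."""
    for allowed in EXPECTED_PATHS.get(name, ()):
        if allowed.endswith("/"):
            if exe.startswith(allowed):
                return True
        elif exe == allowed:
            return True
    return False


def find_masquerading(procs: Iterable[Proc]) -> List[Proc]:
    """Return processes with a watched name that run from an unexpected or deleted path."""
    hits = []
    for p in procs:
        if p.name not in EXPECTED_PATHS:
            continue
        deleted = p.exe.endswith(DELETED_MARK)
        path = p.exe[: -len(DELETED_MARK)] if deleted else p.exe
        # A deleted binary is suspicious on its own, even if the path looked legitimate.
        if deleted or not is_expected(p.name, path):
            hits.append(p)
    return hits


def parse_listing(text: str) -> List[Proc]:
    """Parse constructed 'PID COMM EXE' lines; the exe field may contain spaces."""
    procs = []
    for line in text.splitlines()[1:]:  # first line is the header
        if not line.strip():
            continue
        pid, name, exe = line.split(maxsplit=2)
        procs.append(Proc(int(pid), name, exe))
    return procs


def read_live_procs() -> List[Proc]:
    """Linux-only: build the listing from /proc (assumed layout; needs privileges for other users' exe)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                name = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, or not permitted to read its exe link
        procs.append(Proc(int(entry), name, exe))
    return procs


# Constructed sample listing: two legitimate processes and two masquerading ones.
SAMPLE_LISTING = """\
PID COMM EXE
1 systemd /usr/lib/systemd/systemd
812 sshd /usr/sbin/sshd
1403 java /usr/lib/jvm/java-17/bin/java
2291 sshd /tmp/.cache/sshd
2304 java /var/tmp/java (deleted)
"""

if __name__ == "__main__":
    for hit in find_masquerading(parse_listing(SAMPLE_LISTING)):
        print(f"suspicious: pid={hit.pid} name={hit.name} exe={hit.exe}")
```

Run against a live host with `find_masquerading(read_live_procs())` as root; the allow-list should be tuned to the distribution's actual install paths before the check is trusted, since a too-narrow list produces false positives for legitimately relocated JVMs.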
MITRE Techniques
- [T1071] Command and Control (C2) – the backdoor communicates with more than 50 C&C servers using encrypted and obfuscated traffic.
- [T1203] Execution
- [T1003] Credential Access
- [T1041] Exfiltration Over Command and Control Channel
- [T1105] Remote File Copy
- [T1082] System Information Discovery
Indicators of Compromise
- [URL] External indicators – http://myip.ipip.net/ and https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion–/Indicators%20of%20Compromise%20-%20Earth%20Lusca%20Uses%20KTLVdoor%20Backdoor%20for%20Multiplatform%20Intrusion.txt
- [C2] C2 infrastructure – Alibaba-hosted servers in China; 50+ servers identified
- [File] Backdoor binaries – Windows DLL and Linux shared object (.so) files
Read more: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html