Latest Cross-Platform Malware KTLVdoor Identified in Breach on Chinese Trading Company
Earth Lusca, a Chinese-speaking threat actor, has been observed deploying a new backdoor known as KTLVdoor during an intrusion at an undisclosed trading company in China.
The newly uncovered malware, written in Golang, is a cross-platform tool capable of compromising both Microsoft Windows and Linux systems.
“KTLVdoor is a heavily disguised malware that pretends to be various system tools, enabling attackers to perform a wide range of tasks such as altering files, executing commands, and remotely scanning ports,” outlined Trend Micro researchers Cedric Pernet and Jaromir Horejsi in a report released on Wednesday.
KTLVdoor often impersonates tools such as sshd, Java, SQLite, bash, and edr-agent, and is distributed as either a dynamic-link library (.dll) or a shared object (.so).
An unusual aspect of the incident is the discovery of more than 50 command-and-control (C&C) servers, all hosted by the Chinese company Alibaba, which have been linked to various iterations of this malware, raising the possibility that infrastructure is being shared among different Chinese threat actors.
Earth Lusca has reportedly been active since at least 2021, carrying out intrusions against public and private organizations in Asia, Australia, Europe, and North America. It is believed to share some tactical overlap with other threat actors such as RedHotel and APT27 (also known as Budworm, Emissary Panda, and Iron Tiger).
The addition of KTLVdoor to the group's arsenal is a cause for concern because the malware is heavily obfuscated. Its name is derived from a "KTLV" marker found in its configuration file, which holds the parameters required for its operation, including the C&C servers it connects to.

Once running, the malware repeatedly contacts the C&C server, waiting to execute further instructions on the compromised machine. The supported commands allow it to download and upload files, enumerate file systems, launch a command shell, execute shellcode, and initiate scans using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.
Beyond this, little is known about how the malware is distributed or whether it has been used against other targets worldwide.
“This new weapon is utilized by Earth Lusca, but it’s possible that it could be shared with other Chinese-speaking threat actors,” the researchers pointed out. “Given that all C&C servers were on IP addresses originating from the Chinese-based provider Alibaba, it raises questions about whether this new malware and the C&C infrastructure might be part of an experimental phase to test new tools.”