Friend
Professional
Little-studied malware leaves specialists no chance to examine it.
Trend Micro specialists have discovered a new multi-platform backdoor KTLVdoor from the Chinese group Earth Lusca. KTLVdoor is developed in Golang and has versions for Windows and Linux.
The previously unknown malware is significantly more sophisticated than the tools that Earth Lusca typically uses. The virus is highly obfuscated and spreads under names similar to system utilities, such as sshd, java, sqlite, bash, and others. The main purpose of KTLVdoor is to provide full control over the infected system. The backdoor allows you to execute commands, manipulate files, collect system and network information, download and upload files, and scan remote ports, among other things.
The researchers were able to discover more than 50 command-and-control (C2) servers that communicate with different versions of KTLVdoor. All servers are located on the Chinese platform Alibaba. Despite the fact that some of the detected KTLVdoor samples are clearly associated with the Earth Lusca group, it is possible that the infrastructure could be used by other Chinese-speaking cybercriminals.
At the moment, it has been possible to identify one victim: a trading company from China. This is not the first time that Chinese hackers have targeted companies in their own country. Similar incidents have been observed involving other well-known groups such as Iron Tiger and Void Arachne.
Most of the KTLVdoor samples are obfuscated: strings and characters are encoded and cannot be read directly. Malware is intentionally obfuscated in order to make analysis difficult. The virus configuration is stored in a special TLV format, where parameters and their values are specified, including operating mode, data on C2 servers, proxy servers, protocols used (HTTP, TCP, etc.).
After activating the configuration, the virus begins to interact with C2 servers, sending and receiving encrypted messages. Depending on the settings, communication can take place both in simplex mode (one-way data transfer) and in duplex mode (two-way transmission).
Among the detected functions of the virus are uploading and downloading files, scanning ports, collecting information about the system, managing processes, as well as working with proxy servers. The malware allows you not only to control infected devices, but also to execute various commands on them.
The researchers noted that despite clear signs of a link to the Earth Lusca group, not all virus samples can be unambiguously linked to the group. The size of the infrastructure and the number of servers involved are atypical for such attacks. Perhaps this is part of testing new tools or distributing them to other hacker groups.
Source
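As an added illustration (not code from the Trend Micro report or from the post above), here is a small Python config walker showing how an analyst typically extracts a TLV-encoded configuration like the one described: each record is a tag, a length and a value, and the values are string-encoded so they cannot be read directly. The tag numbers, the 1-byte tag / 2-byte little-endian length layout, the single-byte XOR string encoding and the sample blob are all constructed for this example and are not KTLVdoor's real format; the point is the bounds-checked walk and the handling of unknown tags, which carry over to any TLV config extractor.

```python
import struct

# Hypothetical tag numbers for this illustration; the real KTLVdoor tag
# assignments are not described in the post, so these are assumptions.
TAG_MODE = 0x01      # operating mode, e.g. "simplex" or "duplex"
TAG_C2 = 0x02        # one C2 endpoint per record, may repeat
TAG_PROXY = 0x03     # one proxy per record, may repeat
TAG_PROTOCOL = 0x04  # transport, e.g. "http" or "tcp"


def build_tlv(entries):
    """Encode (tag, value_bytes) pairs as tag(1) | length(2, LE) | value.
    Used here only to construct the sample blob below."""
    out = bytearray()
    for tag, value in entries:
        out += struct.pack("<BH", tag, len(value)) + value
    return bytes(out)


def parse_tlv(blob):
    """Walk a TLV blob and return a list of (tag, raw_value) records.
    Raises ValueError on a truncated header or a length that runs past
    the end of the buffer, so a corrupt sample fails loudly rather than
    yielding garbage fields."""
    pos = 0
    records = []
    while pos < len(blob):
        if len(blob) - pos < 3:
            raise ValueError(f"truncated TLV header at offset {pos}")
        tag, length = struct.unpack_from("<BH", blob, pos)
        pos += 3
        if pos + length > len(blob):
            raise ValueError(
                f"tag 0x{tag:02x} at offset {pos - 3} claims {length} bytes, "
                f"only {len(blob) - pos} remain")
        records.append((tag, blob[pos:pos + length]))
        pos += length
    return records


def decode_string(value, key):
    """Constructed string encoding for the example: single-byte XOR.
    A real extractor would replace this with the sample's actual scheme."""
    return bytes(b ^ key for b in value)


def extract_config(blob, key):
    """Turn the raw records into a dictionary an analyst can read.
    Unknown tags are kept as hex so nothing is silently dropped."""
    config = {"c2": [], "proxies": []}
    for tag, raw in parse_tlv(blob):
        text = decode_string(raw, key).decode("utf-8", errors="replace")
        if tag == TAG_MODE:
            config["mode"] = text
        elif tag == TAG_C2:
            config["c2"].append(text)
        elif tag == TAG_PROXY:
            config["proxies"].append(text)
        elif tag == TAG_PROTOCOL:
            config["protocol"] = text
        else:
            config.setdefault("unknown", []).append((tag, raw.hex()))
    return config


def is_well_formed(blob):
    """True if the blob parses without any bounds violation."""
    try:
        parse_tlv(blob)
        return True
    except ValueError:
        return False


# Constructed sample: addresses are from the documentation ranges
# (TEST-NET and RFC 1918), not real infrastructure.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = build_tlv([
    (TAG_MODE, decode_string(b"duplex", SAMPLE_KEY)),
    (TAG_C2, decode_string(b"203.0.113.10:443", SAMPLE_KEY)),
    (TAG_C2, decode_string(b"198.51.100.7:8443", SAMPLE_KEY)),
    (TAG_PROXY, decode_string(b"10.0.0.1:8080", SAMPLE_KEY)),
    (TAG_PROTOCOL, decode_string(b"http", SAMPLE_KEY)),
    (0x7F, b"\x01\x02"),  # an unknown tag, preserved as hex
])

if __name__ == "__main__":
    for field, value in extract_config(SAMPLE_CONFIG, SAMPLE_KEY).items():
        print(f"{field}: {value}")
```

The two checks in `parse_tlv` are the part worth copying: a TLV record whose declared length exceeds the remaining buffer is exactly the case that makes naive extractors mis-read every field after it, and returning the unknown tags in hex lets you spot new configuration options across sample versions.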