Submission + - Chinese Hackers Have Unleashed a Never-Before-Seen Linux Backdoor (arstechnica.com)
An anonymous reader writes: Researchers have discovered a never-before-seen backdoor for Linux that’s being used by a threat actor linked to the Chinese government. The new backdoor originates from a Windows backdoor named Trochilus, which was first seen in 2015 by researchers from Arbor Networks, now known as Netscout. They said that Trochilus executed and ran only in memory, and the final payload never appeared on disks in most cases. That made the malware difficult to detect. Researchers from NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.
Other groups eventually used it, and its source code has been available on GitHub for more than six years. Trochilus has been seen being used in campaigns that used a separate piece of malware known as RedLeaves. In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. By searching VirusTotal for the file name, libmonitor.so.2, the researchers located an executable Linux file named “mkmon.” This executable contained credentials that could be used to decrypt the libmonitor.so.2 file and recover its original payload, leading the researchers to conclude that “mkmon” is an installation file that delivered and decrypted libmonitor.so.2.
The Linux malware ported several functions found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation. The Trend Micro researchers eventually named their discovery SprySOCKS, with “spry” denoting its swift behavior and the added SOCKS component. SprySOCKS implements the usual backdoor capabilities, including collecting system information, opening an interactive remote shell for controlling compromised systems, listing network connections, and creating a proxy based on the SOCKS protocol for uploading files and other data between the compromised system and the attacker-controlled command server.
After decrypting the binary and finding SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search turned up a version of the malware with the release number 1.1. The version Trend Micro found was 1.3.6. The multiple versions suggest that the backdoor is currently under development. The command-and-control server that SprySOCKS connects to has major similarities to a server that was used in a campaign with a different piece of Windows malware known as RedLeaves. Like SprySOCKS, RedLeaves was also based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component that was added to SprySOCKS. The SOCKS code was borrowed from the HP-Socket, a high-performance network framework with Chinese origins.
Other groups eventually used it, and its source code has been available on GitHub for more than six years. Trochilus has been seen being used in campaigns that used a separate piece of malware known as RedLeaves. In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. By searching VirusTotal for the file name, libmonitor.so.2, the researchers located an executable Linux file named “mkmon.” This executable contained credentials that could be used to decrypt the libmonitor.so.2 file and recover its original payload, leading the researchers to conclude that “mkmon” is an installation file that delivered and decrypted libmonitor.so.2.
The Linux malware ported several functions found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation. The Trend Micro researchers eventually named their discovery SprySOCKS, with “spry” denoting its swift behavior and the added SOCKS component. SprySOCKS implements the usual backdoor capabilities, including collecting system information, opening an interactive remote shell for controlling compromised systems, listing network connections, and creating a proxy based on the SOCKS protocol for uploading files and other data between the compromised system and the attacker-controlled command server.
After decrypting the binary and finding SprySOCKS, the researchers used the information they found to search VirusTotal for related files. Their search turned up a version of the malware with the release number 1.1. The version Trend Micro found was 1.3.6. The multiple versions suggest that the backdoor is currently under development. The command-and-control server that SprySOCKS connects to has major similarities to a server that was used in a campaign with a different piece of Windows malware known as RedLeaves. Like SprySOCKS, RedLeaves was also based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component that was added to SprySOCKS. The SOCKS code was borrowed from the HP-Socket, a high-performance network framework with Chinese origins.
Chinese Hackers Have Unleashed a Never-Before-Seen Linux Backdoor More Login
Chinese Hackers Have Unleashed a Never-Before-Seen Linux Backdoor
Slashdot Top Deals