Search Tools Links Login

SprySOCKS: The New Linux Backdoor Linked to China

A previously undetected Linux backdoor, believed to be connected to the Chinese government, has been uncovered by researchers.

This new threat has its roots in the Trochilus Windows backdoor, first identified in 2015 by Arbor Networks (now Netscout). The stealthy nature of Trochilus, mainly running in memory without writing to disk, made it a formidable malware. NHS Digital researchers linked its development to APT10, also known as Stone Panda or MenuPass, an advanced threat group associated with China.

Over time, Trochilus became public, with its code accessible on GitHub for over six years. It was observed in campaigns alongside another malware named RedLeaves.

In a recent investigation, Trend Micro researchers identified an encrypted file,, on a server tied to a group they've been monitoring since 2021. They discovered an executable Linux file, "mkmon", which decrypts the aforementioned encrypted file. This Linux malware borrowed features from Trochilus, adding a new Socket Secure (SOCKS) function. The researchers named this discovery SprySOCKS, referencing its rapid capabilities and the integrated SOCKS component.

SprySOCKS offers typical backdoor functions like gathering system data, managing compromised systems remotely, monitoring network connections, and establishing a proxy using the SOCKS protocol to transfer files and data to a server controlled by the attacker.

Further analysis revealed different versions of SprySOCKS, indicating its ongoing development. Notably, it shares characteristics with RedLeaves, another malware rooted in Trochilus. Both Trochilus and RedLeaves contain code segments seen in SprySOCKS’s SOCKS feature, which originated from HP-Socket, a high-performance network framework from China.

Trend Micro attributes SprySOCKS to a group named Earth Lusca. Identified in 2021, this group targets global organizations, especially Asian governments. Their methods include leading victims to compromised websites to deploy malware. Earth Lusca's motivations appear to be espionage and financial gain, with a focus on gambling and cryptocurrency businesses.

The Earth Lusca server hosting SprySOCKS also delivered Cobalt Strike and Winnti payloads. Cobalt Strike is a dual-use hacking tool, aiding in vulnerability exploitation. Earth Lusca utilized it to widen its reach within target networks. Winnti refers to a long-used malware suite and various threat groups tied to China's intelligence operations, known for extensive hacking activities.

To aid organizations, Trend Micro's recent report offers IP addresses and file hashes to help ascertain potential compromises.

About this post

Posted: 2023-09-19
By: dwirch
Viewed: 140 times





No attachments for this post

Loading Comments ...


No comments have been added for this post.

You must be logged in to make a comment.