Threat Intelligence

Chinese cyberespionage campaign involves novel Linux backdoor

BleepingComputer reports that the Chinese cyberespionage group Earth Lusca targeted government agencies involved in telecommunications, technology, and foreign affairs around the world, particularly in Central Asia, Southeast Asia, and the Balkans, during the first six months of 2023, deploying the novel Linux backdoor SprySOCKS. According to a Trend Micro report, Earth Lusca exploited several n-day unauthenticated remote code execution vulnerabilities from 2019 to 2022 to deliver Cobalt Strike beacons for remote network access and the SprySOCKS loader. The loader masquerades as a Linux kernel worker thread to evade detection and then decrypts SprySOCKS, which is built on the HP-Socket networking framework and encrypts its command-and-control communications with AES-ECB. Besides collecting system information and launching an interactive shell through the PTY subsystem, SprySOCKS can list network connections, manage its SOCKS proxy configuration, and perform common file operations, the researchers said, urging prompt remediation of the exploited vulnerabilities to avoid compromise.
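The masquerading technique described above, a user-space loader posing as a kernel worker thread, leaves traces a defender can check for: genuine kernel threads are children of kthreadd (PID 2), have an empty /proc/<pid>/cmdline, and have no resolvable /proc/<pid>/exe link. The following is an added example, not code from SC Media, Trend Micro, or the report: a heuristic that flags processes whose name imitates a kernel thread but that fail one of those checks. The kernel-thread name list, the constructed sample process records, and the function names are assumptions made for this example, not indicators from the report.

```python
"""Heuristic detector for user-space processes masquerading as Linux kernel threads.

Assumptions made for this example (not from the report): the name pattern below
is an illustrative, non-exhaustive list of kernel thread names, and the sample
process records are constructed, not taken from any real host.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names typically carried by genuine kernel threads (assumption: illustrative list).
KERNEL_THREAD_NAME = re.compile(
    r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|cpuhp)"
)
KTHREADD_PID = 2


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm (second field of /proc/<pid>/stat)
    cmdline: str         # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when unreadable / absent


def suspicion_reasons(p: ProcInfo) -> List[str]:
    """Return why a process looks like a fake kernel thread; empty list means clean.

    Only processes that claim a kernel-thread-like name (in comm or argv[0]) are
    examined; anything else is out of scope for this heuristic.
    """
    names = [p.comm]
    if p.cmdline:
        names.append(p.cmdline.split(" ", 1)[0])
    if not any(KERNEL_THREAD_NAME.match(n) for n in names):
        return []
    reasons = []
    # Real kernel threads are spawned by kthreadd; kthreadd itself is PID 2.
    if p.pid != KTHREADD_PID and p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd ({KTHREADD_PID})")
    # Kernel threads have no argv, so a populated cmdline is a user-space tell.
    if p.cmdline:
        reasons.append(f"non-empty cmdline: {p.cmdline!r}")
    # Kernel threads have no backing executable on disk.
    if p.exe is not None:
        reasons.append(f"has a backing executable: {p.exe}")
    return reasons


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from /proc on a live Linux host; None if the PID vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as f:
            stat = f.read()
        # comm is parenthesised and may contain spaces, so split around the last ')'.
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        fields = stat[stat.rindex(")") + 2:].split()   # [state, ppid, ...]
        ppid = int(fields[1])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except (OSError, ValueError):
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return ProcInfo(pid, ppid, comm, cmdline, exe)


def scan_live() -> List[Tuple[ProcInfo, List[str]]]:
    """Walk /proc and return every process with at least one suspicion reason."""
    hits = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            info = read_proc(int(entry))
            if info is not None:
                reasons = suspicion_reasons(info)
                if reasons:
                    hits.append((info, reasons))
    return hits


# Constructed sample data (not from any real host): a real kthreadd, a real
# kworker, an ordinary daemon, and a user-space binary posing as a kworker.
SAMPLE_PROCESSES = [
    ProcInfo(2, 0, "kthreadd", "", None),
    ProcInfo(15, 2, "kworker/0:1", "", None),
    ProcInfo(812, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
    ProcInfo(4242, 1, "kworker/0:2", "[kworker/0:2]", "/tmp/.cache/loader"),
]


def scan_sample(procs=SAMPLE_PROCESSES) -> dict:
    """Map each sample PID to its suspicion reasons (empty list = clean)."""
    return {p.pid: suspicion_reasons(p) for p in procs}


if __name__ == "__main__":
    for pid, reasons in scan_sample().items():
        print(pid, "SUSPICIOUS" if reasons else "ok", *reasons, sep="\n  " if reasons else " ")
```

Run as-is to see the verdicts on the constructed records, or call scan_live() on a Linux host to apply the same checks to /proc. The name pattern will need tuning per environment (legitimate user-space daemons can share prefixes with kernel threads), and a process that fails only the parent check deserves a look rather than an alert on its own; all three tells together, as in the sample's PID 4242, are the strong signal.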
