The Chinese threat group Earth Lusca has deployed the new KTLVdoor malware against Windows and Linux endpoints as part of a wide-ranging campaign, Security Affairs reports.
More than 50 Alibaba-hosted command-and-control servers have been used to distribute the backdoor, which masquerades as the Java, bash, sshd, SQLite, and edr-agent utilities, according to a Trend Micro report. Beyond file upload and download, KTLVdoor supports an interactive shell, shellcode execution, and TCP, TLS, ping, RDP, and web scans, Trend Micro researchers said. "Most of the samples discovered in this campaign are obfuscated: embedded strings are not directly readable, symbols are stripped and most of the functions and packages were renamed to random Base64-like looking strings, in an obvious effort from the developers to slow down the malware analysis," the researchers said.