The threat actor known as Earth Lusca has been observed deploying a previously undocumented backdoor, tracked as KTLVdoor, in an attack on an undisclosed trading company in China.
The newly identified malware is written in Golang and is cross-platform, with builds that target both Microsoft Windows and Linux systems.
“KTLVdoor represents a sophisticated strain of malware, meticulously obfuscated to impersonate a variety of system utilities. This subterfuge empowers attackers to execute diverse functions, including file manipulation, command execution, and remote port scanning,” elaborated Trend Micro analysts Cedric Pernet and Jaromir Horejsi in a report released on Wednesday.
The system tools that KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent; the malware is distributed as dynamic-link library (.dll) files on Windows or shared object (.so) modules on Linux.
Unusually, researchers identified more than 50 command-and-control (C&C) servers, all hosted on Alibaba infrastructure in China. These servers are associated with variants of the malware, which raises the possibility that the infrastructure is shared with, or reused by, other Chinese threat actors.
Earth Lusca has been active since at least 2021, conducting intrusions against public and private sector organizations across Asia, Australia, Europe, and North America. The group is assessed to share tactical overlaps with other threat actors such as RedHotel and APT27 (also tracked as Budworm, Emissary Panda, and Iron Tiger).
KTLVdoor, the latest addition to Earth Lusca’s toolkit, stands out for its heavy obfuscation. It takes its name from the “KTLV” marker found in its configuration file, which holds the operational parameters the malware uses, including the details needed to reach its C&C servers.
Once running, the malware opens a persistent connection to the C&C server and waits for instructions to carry out on the compromised host. Its supported commands cover file transfer, file system enumeration, launching an interactive shell, executing shellcode, and a set of network scanning operations, including ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb.
Little is currently known about how the malware is delivered or whether it has been used against organizations outside China.
“This new instrument of Earth Lusca might also be disseminated among other Chinese-speaking threat groups,” the researchers observed. “Given that all C&C servers are hosted on Alibaba’s Chinese IP addresses, we speculate whether this new malware and its C&C infrastructure might signify an early-phase test of novel tools.”