An In-Depth Analysis of SprySOCKS
In recent months, the threat landscape has witnessed a significant evolution, especially concerning Linux-based malware. The cybercrime group Earth Lusca, known for their sophisticated attacks, have now expanded their arsenal to target Linux systems more aggressively. This article aims to dissect Earth Lusca's latest addition: a new Linux backdoor dubbed SprySOCKS. With advanced features and high adaptability, SprySOCKS represents a notable step forward in the groupβs capabilities.
Understanding the Communication Mechanics
One of the intriguing aspects of SprySOCKS is its peculiar way of communication. Unlike many other Remote Access Trojans (RATs), this backdoor employs unique static values in its communication packets. Originally, Trochilus RAT used the fixed value 0xAFAFBFBF. In contrast, the RedLeaves variant used 0xBFD9CBAE. SprySOCKS appears to be inspired by RedLeaves, as it uses a similar protocol for communication.
After the backdoor encrypts and decodes messages using AES-ECB, specific keywords such as “__handler,” “__msgid,” “__serial,” and “clientid” are revealed. Interestingly, these terms are not only similar to those used in Trochilus but also closely mimic the RedLeaves communication structure. More on AES-ECB
Command Palette
SprySOCKS isn't just a simple RAT; it comes loaded with a slew of functionalities. From fetching system data to listing network connections, it has a plethora of built-in commands. For instance, Message ID 0x09 is used to retrieve machine information, and Message ID 0x0a initiates an interactive shell. With this variety of commands, SprySOCKS offers Earth Lusca unparalleled control over compromised systems. The following table lists all known Message IDs and their functions:
| Message ID | Description | Additional Parameters or Notes |
|---|---|---|
| 0x09 | Collects machine information | |
| 0x0a | Starts an interactive shell | |
| 0x0b | Writes data to the interactive shell | |
| 0x0d | Stops the interactive shell | |
| 0x0e | Lists network connections | Parameters: “ip”, “port”, “commName”, “connectType” |
| 0x0f | Sends packet | Parameter: “target” |
| 0x14, 0x19 | Sends initialization packet | |
| 0x16 | Generates and sets client ID | |
| 0x17 | Lists network connections | Parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”, “listen_port” |
| 0x23 | Creates SOCKS proxy | |
| 0x24 | Terminates SOCKS proxy | |
| 0x25 | Forwards SOCKS proxy data | |
| 0x2a | Uploads file | Parameters: “transfer_id”, “size” |
| 0x2b | Gets file transfer ID | |
| 0x2c | Downloads file | Parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size” |
| 0x2d | Gets transfer status | Parameters: “state”, “transferId”, “result”, “packageId” |
| 0x3c | Enumerates files in root directory | |
| 0x3d | Enumerates files in directory | |
| 0x3e | Deletes file | |
| 0x3f | Creates directory | |
| 0x40 | Renames file | |
| 0x41 | No operation | |
| 0x42 | Related to file and directory operations | Parameters: “srcPath”, “destPath” |
Profiling the Client Information
SprySOCKS goes in-depth when profiling a system. It extracts various parameters using a CLIENT_INFO structure that resembles the one used in Trochilus RAT. This structure collects numerous types of data, such as CPU frequency (misrepresented as “cpufrep”), OS details, and even the systemβs language settings. By doing so, it provides Earth Lusca with a rich set of data to customize subsequent attack stages. See the importance of client profiling in cyber-attacks
The Making of an Interactive Shell
When SprySOCKS is commanded to create an interactive shell, it interacts with the pseudo-terminal subsystem at /dev/ptmx. Following that, it spawns a slave PTY under /dev/pts. This level of complexity, especially the use of specific environment variables, indicates a high level of sophistication, potentially inspired by the Linux version of Derusbi malware. Learn about Pseudo-terminals
The Unique Client ID Mechanism
The malware employs a two-part client ID generation process, encompassing the MAC address and processor features. The process is quite specific: the MAC address of the first non-loopback interface is taken, and the processor features are extracted using the CPUID instruction. This 14-byte client ID offers a unique footprint for each compromised system. Read more about CPUID instruction
Attribution and IOC
The initial payload was traced back to a delivery server with the IP 207.148.75.122, known to be operated by Earth Lusca. The server also hosted payloads for other malware strains like Cobalt Strike and the Linux version of Winnti. Interestingly, several other versions of SprySOCKS were found on VirusTotal, with varying C&C domains, all pointing back to Earth Lusca. VirusTotal and its role in malware tracking
Conclusion and Recommendations
Earth Lusca has indeed upped the ante by employing the new Linux backdoor, SprySOCKS, to infiltrate systems. This leap in sophistication demands that organizations rethink their security strategies, especially for their Linux servers. Regularly updating software, employing advanced security solutions like Trend Micro XDR, and reducing attack surfaces are imperative for effectively combating threats from groups like Earth Lusca.
FAQ
What is Earth Lusca?
Earth Lusca is a cyber threat actor group known for its advanced hacking activities, including backdoor attacks on various operating systems.
What is the new Linux backdoor employed by Earth Lusca?
The new Linux backdoor employed by Earth Lusca is known as SprySOCKS. This malicious software allows unauthorized access to a Linux-based system.
How is SprySOCKS different from other RATs?
SprySOCKS shows similarities to previously known RATs like Trochilus and RedLeaves, but it also has unique attributes. It enables a series of backdoor commands, ranging from collecting system information to creating SOCKS proxies.
How is SprySOCKS delivered to targets?
We observed that SprySOCKS is usually delivered via a compromised server, often exploiting known vulnerabilities in public-facing servers.
What are the functionalities of the SprySOCKS backdoor?
SprySOCKS provides capabilities such as gathering machine information, starting an interactive shell, listing network connections, and other basic file operations.
How does SprySOCKS communicate with its Command and Control (C&C) server?
The malware uses encrypted packets to communicate with its C&C server. Certain fixed values in the packets indicate the malware's variant.
How can organizations protect themselves against attacks from Earth Lusca?
Organizations should proactively manage their attack surface by applying patches, updating software, and employing advanced security solutions like Trend Micro XDR.
How do I know if I've been compromised?
Indicators of compromise are usually detailed in security reports about the malware. It's crucial to keep an eye out for any unusual system or network behavior.
What role do security solutions like Trend Micro XDR play in safeguarding against these threats?
Security solutions like Trend Micro XDR offer comprehensive security detection and investigation capabilities across various channels like emails, endpoints, servers, cloud workloads, and networks.
Does Earth Lusca only target Linux systems?
While the focus of this article is on Earth Lusca's new Linux backdoor, the threat group has been known to target various other operating systems as well.
How did Earth Lusca come into the limelight?
The group gained notoriety for its aggressive tactics, often exploiting known vulnerabilities to compromise high-profile targets.
Is SprySOCKS linked to any other malware families?
It is believed that Earth Lusca may have drawn inspiration from or had access to the source code of other malware families like Derusbi.
Kevin Bong was formerly the Director of Corporate Security for Johnson Financial Group, and currently works as an Information Assurance Consultant for SynerComm, Inc.Β Kevin has a BS in Physics and Computer Science from Carroll University, an MS in Information Security Engineering from the SANS Institute, and has earned multiple certifications including PMP and GIAC GSE.Β Kevin is also an amateur astronomer, beekeeper, an author and instructor, and a pretty neat dad. Prior to Impulsec, Kevin workedΒ a Penetration Testing “Drop Box” project similar to the Pwnie Express called the MiniPwner.
Leave a Reply