Earth Lusca Strikes! 😱 Beware the New Linux Backdoor 2023!

An In-Depth Analysis of SprySOCKS

In recent months, the threat landscape has evolved significantly, especially where Linux-based malware is concerned. The cybercrime group Earth Lusca, known for its sophisticated attacks, has now expanded its arsenal to target Linux systems more aggressively. This article dissects Earth Lusca's latest addition: a new Linux backdoor dubbed SprySOCKS. With advanced features and high adaptability, SprySOCKS represents a notable step forward in the group's capabilities.

Understanding the Communication Mechanics

One of the intriguing aspects of SprySOCKS is its communication protocol. Unlike many other Remote Access Trojans (RATs), this backdoor embeds a fixed static value in its communication packets. The original Trochilus RAT used the fixed value 0xAFAFBFBF, whereas the RedLeaves variant used 0xBFD9CBAE. SprySOCKS appears to be inspired by RedLeaves, as it uses a similar protocol for communication.

Once the backdoor's AES-ECB-encrypted messages are decrypted, specific keywords such as "__handler", "__msgid", "__serial" and "clientid" are revealed. Interestingly, these terms are not only similar to those used in Trochilus but also closely mimic the RedLeaves communication structure.
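The two protocol fingerprints described above (the fixed static values and the post-decryption keywords) can be turned into a simple triage check. The following is an added example written for this article, not code from the original report or from the malware; the byte order of the static value on the wire, the JSON-like shape of the decrypted sample and all sample buffers are constructed assumptions, and the AES-ECB decryption step is left out because no key is given here.

```python
from typing import Optional

# Static 4-byte markers the article attributes to the related RAT families.
STATIC_MARKERS = {
    "Trochilus": 0xAFAFBFBF,
    "RedLeaves": 0xBFD9CBAE,
}

# Keywords that become visible once a SprySOCKS message has been decrypted.
PLAINTEXT_KEYWORDS = (b"__handler", b"__msgid", b"__serial", b"clientid")


def find_static_markers(buf: bytes):
    """Return (family, offset, byte_order) for every static marker found in buf.
    Both byte orders are tried because the on-wire encoding is an assumption."""
    hits = []
    for family, value in STATIC_MARKERS.items():
        for order in ("little", "big"):
            needle = value.to_bytes(4, order)
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append((family, pos, order))
                start = pos + 1
    return hits


def find_plaintext_keywords(buf: bytes):
    """Return the set of protocol keywords present in an already-decrypted buffer."""
    return {kw.decode() for kw in PLAINTEXT_KEYWORDS if kw in buf}


def classify(raw: bytes, decrypted: Optional[bytes] = None) -> dict:
    """Combine both checks: a marker hit or at least two keywords is flagged."""
    markers = find_static_markers(raw)
    keywords = find_plaintext_keywords(decrypted) if decrypted else set()
    families = sorted({family for family, _, _ in markers})
    return {
        "families": families,
        "keywords": sorted(keywords),
        "suspicious": bool(families) or len(keywords) >= 2,
    }


# Constructed samples (not real captures): a RedLeaves-style packet with the
# static value at offset 2, a benign HTTP request, and a decrypted message body.
SAMPLE_REDLEAVES_STYLE = b"\x00\x10" + (0xBFD9CBAE).to_bytes(4, "little") + b"\x00" * 8
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_DECRYPTED = b'{"__handler":"init","__msgid":"0x16","__serial":1,"clientid":""}'

if __name__ == "__main__":
    print(classify(SAMPLE_REDLEAVES_STYLE, SAMPLE_DECRYPTED))
    print(classify(SAMPLE_BENIGN))
```

A static 4-byte value alone will produce false positives on random binary traffic, so in practice the marker hit should be correlated with the decrypted-keyword check or with other host indicators before raising an alert.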

Command Palette

SprySOCKS isn't just a simple RAT; it comes loaded with a slew of functionalities. From fetching system data to listing network connections, it has a plethora of built-in commands. For instance, Message ID 0x09 is used to retrieve machine information, and Message ID 0x0a initiates an interactive shell. With this variety of commands, SprySOCKS offers Earth Lusca unparalleled control over compromised systems. The following table lists all known Message IDs and their functions:

Message ID | Description | Additional Parameters or Notes
0x09 | Collects machine information |
0x0a | Starts an interactive shell |
0x0b | Writes data to the interactive shell |
0x0d | Stops the interactive shell |
0x0e | Lists network connections | Parameters: "ip", "port", "commName", "connectType"
0x0f | Sends packet | Parameter: "target"
0x14, 0x19 | Sends initialization packet |
0x16 | Generates and sets client ID |
0x17 | Lists network connections | Parameters: "tcp_port", "udp_port", "http_port", "listen_type", "listen_port"
0x23 | Creates SOCKS proxy |
0x24 | Terminates SOCKS proxy |
0x25 | Forwards SOCKS proxy data |
0x2a | Uploads file | Parameters: "transfer_id", "size"
0x2b | Gets file transfer ID |
0x2c | Downloads file | Parameters: "state", "transferId", "packageId", "packageCount", "file_size"
0x2d | Gets transfer status | Parameters: "state", "transferId", "result", "packageId"
0x3c | Enumerates files in root directory |
0x3d | Enumerates files in directory |
0x3e | Deletes file |
0x3f | Creates directory |
0x40 | Renames file |
0x41 | No operation |
0x42 | Related to file and directory operations | Parameters: "srcPath", "destPath"

Profiling the Client Information

SprySOCKS profiles a system in depth. It extracts various parameters using a CLIENT_INFO structure that resembles the one used in Trochilus RAT. This structure collects numerous types of data, such as CPU frequency (misspelled as "cpufrep"), OS details, and even the system's language settings. This gives Earth Lusca a rich set of data with which to tailor subsequent attack stages.


The Making of an Interactive Shell

When SprySOCKS is commanded to create an interactive shell, it interacts with the pseudo-terminal subsystem at /dev/ptmx and then spawns a slave PTY under /dev/pts. This level of complexity, especially the use of specific environment variables, indicates a high degree of sophistication, potentially inspired by the Linux version of the Derusbi malware.

The Unique Client ID Mechanism

The malware employs a two-part client ID generation process that combines the MAC address and processor features. The process is quite specific: the MAC address of the first non-loopback interface is taken, and the processor features are extracted using the CPUID instruction. The resulting 14-byte client ID gives each compromised system a unique footprint.

Attribution and IOC

The initial payload was traced back to a delivery server with the IP, known to be operated by Earth Lusca. The server also hosted payloads for other malware strains, such as Cobalt Strike and the Linux version of Winnti. Interestingly, several other versions of SprySOCKS were found on VirusTotal with varying C&C domains, all pointing back to Earth Lusca.

Conclusion and Recommendations

Earth Lusca has indeed upped the ante by employing the new Linux backdoor, SprySOCKS, to infiltrate systems. This leap in sophistication demands that organizations rethink their security strategies, especially for their Linux servers. Regularly updating software, employing advanced security solutions like Trend Micro XDR, and reducing attack surfaces are imperative for effectively combating threats from groups like Earth Lusca.

What is Earth Lusca?

Earth Lusca is a cyber threat actor group known for its advanced hacking activities, including backdoor attacks on various operating systems.

What is the new Linux backdoor employed by Earth Lusca?

The new Linux backdoor employed by Earth Lusca is known as SprySOCKS. This malicious software allows unauthorized access to a Linux-based system.

How is SprySOCKS different from other RATs?

SprySOCKS shows similarities to previously known RATs like Trochilus and RedLeaves, but it also has unique attributes. It enables a series of backdoor commands, ranging from collecting system information to creating SOCKS proxies.

How is SprySOCKS delivered to targets?

We observed that SprySOCKS is usually delivered via a compromised server, often exploiting known vulnerabilities in public-facing servers.

What are the functionalities of the SprySOCKS backdoor?

SprySOCKS provides capabilities such as gathering machine information, starting an interactive shell, listing network connections, and other basic file operations.

How does SprySOCKS communicate with its Command and Control (C&C) server?

The malware uses encrypted packets to communicate with its C&C server. Certain fixed values in the packets indicate the malware's variant.

How can organizations protect themselves against attacks from Earth Lusca?

Organizations should proactively manage their attack surface by applying patches, updating software, and employing advanced security solutions like Trend Micro XDR.

How do I know if I've been compromised?

Indicators of compromise are usually detailed in security reports about the malware. It's crucial to keep an eye out for any unusual system or network behavior.

What role do security solutions like Trend Micro XDR play in safeguarding against these threats?

Security solutions like Trend Micro XDR offer comprehensive security detection and investigation capabilities across various channels like emails, endpoints, servers, cloud workloads, and networks.

Does Earth Lusca only target Linux systems?

While the focus of this article is on Earth Lusca's new Linux backdoor, the threat group has been known to target various other operating systems as well.

How did Earth Lusca come into the limelight?

The group gained notoriety for its aggressive tactics, often exploiting known vulnerabilities to compromise high-profile targets.

Is SprySOCKS linked to any other malware families?

It is believed that Earth Lusca may have drawn inspiration from or had access to the source code of other malware families like Derusbi.
