A known Chinese threat actor is wielding a new multiplatform backdoor that impersonates system utilities or tools and allows attackers to take full control over an organization’s environment. The malware, dubbed KTLVdoor, is connected to a vast back-end infrastructure that suggests further attacks by multiple actors are underway or imminent.
Researchers at Trend Micro discovered Chinese actor Earth Lusca using the backdoor in an attack on a China-based trading company, they revealed in a blog post published on Sept. 4. The malware, which is written in Golang and has both Microsoft Windows and Linux versions, is typically distributed as a dynamic link library.
While the researchers have seen it used in only one attack so far, they expect other attack campaigns will leverage KTLVdoor, given that there are more than 50 command-and-control (C2) servers, all hosted by Chinese ISP Alibaba, that communicate with variants of the novel malware.
“While some of those malware samples are tied to Earth Lusca with high confidence, we cannot be sure that the whole infrastructure is used solely by this threat actor,” Trend Micro threat researchers Cedric Pernet and Jaromir Horejs wrote in the post. “The infrastructure might be shared with other Chinese-speaking threat actors.”
The common denominator of IP addresses from Alibaba may be evidence that the malware could be in an early stage of testing and tooling by multiple actors. But there are still many details of the campaign that are unknown, the researchers noted.
Key Aspects of the Malware
KTLVdoor is more complex than tools typically used by Earth Lusca (aka RedHotel or TAG-22), a China-backed cyber-espionage actor active since at least 2019, according to Trend Micro. Earth Lusca typically targets government organizations in Asia, Latin America, and other regions, and is thought to be part of the Winnti collective of Chinese threat actors. The group’s chief aim is usually cyber espionage, though it also has targeted cryptocurrency and gambling firms for financial gain on occasion.
Trend Micro found that the various samples of the backdoor it discovered work hard to cover their tracks: their configuration and communication involve sophisticated encryption and obfuscation techniques that make the malware difficult to analyze, the researchers said.
“Embedded strings are not directly readable, symbols are stripped, and most of the functions and packages were renamed to random Base64-like looking strings, in an obvious effort from the developers to slow down the malware analysis,” they wrote in the post.
In a targeted environment, KTLVdoor masquerades as different system utilities or similar tools — such as sshd, java, sqlite, bash, edr-agent, and more — and allows attackers to carry out a variety of tasks to fully control the environment. These include the ability to run commands, manipulate files, provide system and network information, use proxies, download/upload files, and scan remote ports, among other capabilities.
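A hunting heuristic for the masquerading described above, added here as an example and not code from the Trend Micro post: it flags processes, and DLLs or shared objects mapped into processes, that carry one of the listed utility names (sshd, java, sqlite, bash, edr-agent) but run from somewhere other than an assumed baseline directory. The baseline directories and the sample process inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Process/utility names the post says KTLVdoor samples borrow.
IMPERSONATED = {"sshd", "java", "sqlite", "bash", "edr-agent"}

# Assumed baseline of where a genuine copy normally lives (constructed for
# this example; adjust to your own build standard before using it for triage).
EXPECTED_DIRS = {
    "sshd": ("/usr/sbin",),
    "java": ("/usr/bin", "/usr/lib/jvm", "c:/program files/java"),
    "sqlite": ("/usr/bin",),
    "bash": ("/bin", "/usr/bin"),
    "edr-agent": ("/opt/edr", "c:/program files/edr"),
}

@dataclass
class ProcessRecord:
    pid: int
    name: str            # process name as shown in the process list
    image_path: str      # full path of the executable image
    modules: tuple = ()  # full paths of DLLs / .so files mapped into the process

def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()

def _stem(path: str) -> str:
    """'C:\\x\\sshd.dll' -> 'sshd'; '/tmp/java' -> 'java'."""
    return _norm(path).rsplit("/", 1)[-1].split(".", 1)[0]

def _in_expected_dir(path: str, name: str) -> bool:
    folder = _norm(path).rsplit("/", 1)[0]
    return any(folder.startswith(d) for d in EXPECTED_DIRS.get(name, ()))

def find_masquerades(procs):
    """Return (pid, reason) pairs for processes that deserve a closer look."""
    hits = []
    for p in procs:
        name = _stem(p.name)
        if name in IMPERSONATED and not _in_expected_dir(p.image_path, name):
            hits.append((p.pid, f"{p.name} running from {p.image_path}"))
        for m in p.modules:  # a utility-named library outside its home directory
            if _stem(m) in IMPERSONATED and not _in_expected_dir(m, _stem(m)):
                hits.append((p.pid, f"utility-named library {m} loaded"))
    return hits

# Constructed sample inventory, not data from the Trend Micro post.
SAMPLE = [
    ProcessRecord(412, "sshd", "/usr/sbin/sshd"),
    ProcessRecord(2231, "sshd", "/tmp/.cache/sshd"),
    ProcessRecord(3104, "java.exe", "C:\\Program Files\\Java\\bin\\java.exe",
                  ("C:\\Program Files\\Java\\bin\\java.dll",)),
    ProcessRecord(3987, "svchost.exe", "C:\\Windows\\System32\\svchost.exe",
                  ("C:\\Users\\Public\\edr-agent.dll",)),
]
```

Directory prefix matching keeps legitimate libraries such as a JVM's own java.dll quiet; the pids 2231 and 3987 in the constructed sample are the two that get flagged.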
The malware communicates with its various C2 servers in a loop by sending and receiving both compressed and encrypted messages. Based on the configuration settings, the message delivery can either be in simplex mode — in which one device can only send and another device can only receive — or in duplex mode, in which both devices can simultaneously send and receive messages, the researchers noted.
Detecting and Defending
Due to the care that the malware creators took to evade analysis and detection, organizations that may be targeted by Earth Lusca or other Chinese APTs should be on alert for any indication of compromise by an as-yet-unidentified malware, the researchers advised.
They included in the post a comprehensive list of indicators of compromise (IOCs) for both Earth Lusca and KTLVdoor, including IP addresses and hashes connected to the campaign, as well as a DLL decryptor for the threat actor.
Organizations also can protect themselves from sophisticated APT attacks through security platforms that use a multilayered approach and proactive detection to block malicious tools and services before they can infiltrate an environment, the researchers noted.