Trend Micro researchers have identified a new cross-platform backdoor malware called KTLVdoor, linked to the Chinese threat actor group Earth Lusca [6] [8].

Description

This sophisticated malware, written in Golang [1] [2] [5] [6] [8] [9] [10], targets Microsoft Windows and Linux systems [5] [6]. Samples are heavily obfuscated and disguised as legitimate system utilities such as sshd, Java [8] [10], SQLite [8], and bash [1] [3] [7] [8] [10]. KTLVdoor allows attackers to conduct malicious activities such as file manipulation, command execution [2] [6] [8] [9], and remote port scanning [2] [6] [8] [9] [10]. Its communication and configuration are protected by encryption and obfuscation, making detection challenging. Over 50 command-and-control servers associated with KTLVdoor have been found, all hosted by the Chinese ISP Alibaba. Earth Lusca [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a prominent cyber threat actor group in Southeast Asia, distributes the malware in the form of .DLL or .SO files. The campaign gives attackers full control over the compromised environment, enabling them to run commands, manipulate files [1] [2] [5], and scan remote ports [1] [2] [5]. A trading company in China has been specifically targeted, and most of the discovered samples are obfuscated to hinder analysis. Organizations exposed to Chinese APT activity are advised to stay alert for signs of compromise and implement strong security measures. Trend Micro has released indicators of compromise (IOCs) for Earth Lusca and KTLVdoor to assist in detection and defense against these threats [7].
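Two of the facts above give defenders something concrete to check for: the samples are Go binaries, and they are named after system utilities (sshd, java, sqlite, bash) and shipped as .so or .dll files, none of which a legitimate distribution normally builds with Go. The triage script below is an added example, not code from the page or from Trend Micro; it flags files whose name matches one of those utilities but whose bytes carry Go build markers, and it compares SHA-256 digests against an IOC set. The marker strings, the name list and the sample files are constructed here; the `KNOWN_BAD_SHA256` set is a placeholder to be filled from the published IOC list.

```python
import hashlib
import os
import sys
from pathlib import PurePath

# Utility names the page says KTLVdoor samples imitate (constructed list, compared case-insensitively)
MASQUERADE_NAMES = {"sshd", "java", "sqlite", "bash"}

# Byte strings found in Go-built executables: the buildinfo magic, the build ID
# prefix and the runtime entry symbol. Presence of any one is a strong Go indicator.
GO_MARKERS = (b"Go buildinf:", b"Go build ID:", b"runtime.main")

# Placeholder: populate from the vendor's published IOC list (hex SHA-256 strings).
KNOWN_BAD_SHA256: set[str] = set()


def looks_like_go_binary(data: bytes) -> bool:
    """True if the file contents contain any of the Go build markers."""
    return any(marker in data for marker in GO_MARKERS)


def base_name(filename: str) -> str:
    """'libsqlite.so.0' -> 'sqlite', 'SSHD.dll' -> 'sshd', 'bash' -> 'bash'."""
    stem = PurePath(filename).name.lower().split(".")[0]
    return stem[3:] if stem.startswith("lib") else stem


def is_shared_library(filename: str) -> bool:
    name = filename.lower()
    return name.endswith((".so", ".dll")) or ".so." in name


def triage(filename: str, data: bytes, ioc_hashes: set[str] = KNOWN_BAD_SHA256) -> list[str]:
    """Return a list of finding tags for one file (empty list means nothing suspicious)."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in ioc_hashes:
        findings.append("ioc-hash-match")
    if base_name(filename) in MASQUERADE_NAMES and looks_like_go_binary(data):
        # A Go binary wearing a system-utility name is the masquerade pattern described above.
        findings.append("go-masquerade")
        if is_shared_library(filename):
            # Delivery as .so/.dll is the distribution form the page reports.
            findings.append("go-shared-library")
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a directory tree and return {path: findings} for files with findings."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings = triage(name, data)
            if findings:
                results[path] = findings
    return results


# Constructed sample files: a plain ELF-like bash with no Go markers, a Go-built
# shared object named after sqlite, a Go-built DLL named sshd, and a text file.
SAMPLES = {
    "bash": b"\x7fELF" + b"\x00" * 64 + b"GNU C Library",
    "libsqlite.so.0": b"\x7fELF" + b"\x00" * 64 + b"Go buildinf:" + b"\x00" * 16,
    "sshd.dll": b"MZ" + b"\x00" * 64 + b"Go build ID: \"deadbeef\"\n",
    "notes.txt": b"nothing to see here",
}


def triage_samples() -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_directory(target) if target else triage_samples()
    for path, findings in hits.items():
        if findings:
            print(f"{path}: {', '.join(findings)}")
```

Run it with a directory argument to sweep real paths (for example a web root or a temp directory), or with no argument to see the constructed samples. Treat a `go-masquerade` hit as a triage lead rather than a verdict: confirm against the published IOC hashes and the package manager's file integrity records before responding, since a site may legitimately run Go software under an unusual name.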

Conclusion

The discovery of KTLVdoor poses significant risks to organizations, highlighting the importance of robust security measures. Mitigating the threat of Earth Lusca and KTLVdoor requires vigilance and proactive defense strategies. Future implications may include increased sophistication of malware attacks and the need for enhanced cybersecurity measures to combat evolving threats.

References

[1] https://duo.com/decipher/new-backdoor-linked-to-chinese-threat-group
[2] https://www.trendmicro.com/dede/research/24/i/earth-lusca-ktlvdoor.html
[3] https://sechub.in/view/2937175
[4] https://gbhackers.com/earth-lusca-using-multiplatform-backdoor/
[5] https://www.trendmicro.com/es_es/research/24/i/earth-lusca-ktlvdoor.html
[6] https://cybermaterial.com/ktlvdoor-malware-hits-chinese-trading-firm/
[7] https://www.darkreading.com/threat-intelligence/chinas-earth-lusca-propagates-multiplatform-backdoor
[8] https://www.techradar.com/pro/new-golang-malware-capable-of-cross-platform-backdoor-attacks-spotted-in-the-wild
[9] https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
[10] https://thehackernews.com/2024/09/new-cross-platform-malware-ktlvdoor.html