Researchers have uncovered a novel malware dubbed KTLVdoor, linked to the Chinese-speaking threat actor Earth Lusca. This multi-platform backdoor, written in Golang, targets both Windows and Linux systems and adds significantly to the group’s ever growing arsenal.
This malware masquerades as various system utilities, enabling attackers to carry out a range of malicious activities, including file manipulation, command execution, and remote port scanning.
KTLVdoor Malware Analysis and Features
The KTLVdoor’s configuration and communication involve the use of advanced encryption and obfuscation techniques to hinder malware analysis. Researchers from Trend Micro traced its operations back to over 50 China-based command and control (C&C) servers hosted under Alibaba.
While the researchers tied down the samples of the KTLVdoor malware to Earth Lusca with high confidence in their investigation, they were unable to determine if these servers were exclusive to the group’s operations or had also been shared with other cybercriminal groups.
The malware is distributed as a dynamic library impersonating common system tools such as sshd, java and bash and upon infection of systems, provides attackers with full control over the infected environment.
Once initialized, the agent starts a communication loop with the C&C server, sending and receiving messages that with GZIP-compression and AES-GCM-encryption. The malware’s complexity was judged to surpass other tools used by Earth Lusca with its advanced encryption and obfuscation techniques making analysis challenging for security researchers.
Each message contains a header with fields such as sender, receiver, token, route, task ID, task status, task type, and sub-task type. The malware has several distinct handlers for processing tasks received from the C&C server, including file download, upload, management, interactive shell, network scanning, and process management.
The malware’s configuration file is stored in a custom TLV-like format, and attack parameters as well as respective values are encoded in Base64 format with additional XOR-encryption.
Implications and Outlook
The emergence of the new KTLVdoor backdoor shows a rapid pace of development in Earth Lusca’s activities with increased sophistication and scale of its operational infrastructure.
The groups’s motivations are unclear as researchers detected only a single Chinese trading company as its victim despite the use of China-based infrastructure. However, they note a previous history of Chinese-speaking threat actors targeting domestic Chinese companies with groups such as Iron Tiger and Void Arachne deploying tools against native Chinese-language speakers.
These campaigns blur the line of cybercriminal operations and motives as national boundaries don’t always define the limit of operations. The researchers continue to monitor the group’s activity and expect additional deployment and insights.