“The threat actor Earth Lusca, linked to Chinese state-sponsored hacking groups, has been observed utilizing a new Linux backdoor dubbed SprySOCKS to target government organizations globally.
As initially reported in January 2022 by Trend Micro, Earth Lusca has been active since at least 2021 conducting cyber espionage campaigns against public and private sector targets in Asia, Australia, Europe, and North America. Their tactics include spear-phishing and watering hole attacks to gain initial access. Some of Earth Lusca's activities overlap with another Chinese threat cluster known as RedHotel.
In new research, Trend Micro reveals Earth Lusca remains highly active, even expanding operations in the first half of 2023. Primary victims are government departments focused on foreign affairs, technology, and telecommunications. Attacks concentrate in Southeast Asia, Central Asia, and the Balkans regions.
After breaching internet-facing systems by exploiting flaws in Fortinet, GitLab, Microsoft Exchange, Telerik UI, and Zimbra software, Earth Lusca uses web shells and Cobalt Strike to move laterally. Their goal is exfiltrating documents and credentials, while also installing additional backdoors like ShadowPad and Winnti for long-term spying.”
“The SprySOCKS backdoor uses a high-performance networking framework called 'HP-Socket' for its operation, while its TCP communications with the C2 are AES-ECB encrypted.
The main backdoor functionalities of this novel malware include:
- Collecting system information (OS details, memory, IP address, group name, language, CPU),
- starting an interactive shell that uses the PTY subsystem,
- listing network connections,
- managing SOCKS proxy configurations,
- and performing basic file operations (uploading, downloading, listing, deleting, renaming, and creating directories).”
In this post we consider a simple way to find SprySOCKS on Linux computers.
First of all, run this command: ps -e | grep kworker.
Look for processes named “kworker/0:22”.
SprySOCKS hides under this name. In the future the hackers may change it.

Fig. 1
As we can see in Fig. 1, SprySOCKS is hidden under the name “kworker/0:22” with PID 5539. We can terminate this process with the “kill 5539” command.
Secondly, search your computer for a file named “libmonitor.so.2” (it is SprySOCKS’s loader, a variant of the Linux ELF injector called “mandibule”) and delete it. The current version of SprySOCKS’s loader uses this file name. In the future the hackers may change it.
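The two checks above can be scripted, with one refinement a responder wants: “kworker/0:22” is also a perfectly legitimate kernel thread name, so a plain grep on ps output will flag real kernel workers too. The script below is an added example written for this post, not code from the original post or from Trend Micro; it assumes a Linux /proc filesystem and uses the fact that genuine kernel threads are children of kthreadd (PID 2), which a userland process that has only renamed itself can never be. It then prints the executable path, working directory and command line of every impostor as evidence, and looks for the loader file name given above.

```shell
#!/bin/sh
# Added example (not from the original post): tell a real "kworker" kernel
# thread apart from a userland process that has merely renamed itself.
# Assumes a Linux /proc filesystem. Real kernel threads are children of
# kthreadd (PID 2); a userland impostor always has some other parent.

# Extract the parent PID from one line of /proc/PID/stat. The command name
# sits in parentheses and may itself contain spaces or ")", so strip
# everything up to the last ") " first; the remaining fields are
# "state ppid pgrp ...", so the PPID is the second one.
ppid_from_stat() {
    rest="${1##*) }"
    set -- $rest
    echo "$2"
}

# Classify a stat line: "kernel" if parented by kthreadd, else "user".
classify_stat_line() {
    if [ "$(ppid_from_stat "$1")" = "2" ]; then
        echo "kernel"
    else
        echo "user"
    fi
}

# Classify a live process by PID; prints "gone" if it no longer exists.
classify_pid() {
    stat_line=$(cat "/proc/$1/stat" 2>/dev/null) || { echo "gone"; return 1; }
    classify_stat_line "$stat_line"
}

# Walk /proc and report every kworker-named process that is really a
# userland program, with the evidence a responder wants (exe, cwd, cmdline).
find_fake_kworkers() {
    for dir in /proc/[0-9]*; do
        pid="${dir#/proc/}"
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case "$comm" in
            kworker*) ;;
            *) continue ;;
        esac
        [ "$(classify_pid "$pid")" = "user" ] || continue
        exe=$(readlink "$dir/exe" 2>/dev/null || echo "?")
        cwd=$(readlink "$dir/cwd" 2>/dev/null || echo "?")
        cmdline=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null)
        echo "SUSPICIOUS pid=$pid comm=$comm exe=$exe cwd=$cwd cmdline=$cmdline"
    done
}

# Look for the loader file name the post mentions; -xdev keeps find on the
# root filesystem and away from network and pseudo filesystems.
find_loader() {
    find / -xdev -name 'libmonitor.so.2' -print 2>/dev/null
}

# Usage (run as root so every process and directory is visible):
#   find_fake_kworkers
#   find_loader
```

Run it as root, because /proc/PID/exe and /proc/PID/cwd of other users’ processes are not readable otherwise, and keep the printed exe and cwd paths before killing anything: they point at the on-disk files (the loader among them) that also need to be removed.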