Cybersecurity researchers from Trend Micro have recently spotted a never-before-seen backdoor malware being used to target a Chinese trading company.
The malware is called KTLVdoor, and since it’s written Golang, it can be used against both Windows and Linux-powered endpoints. It is designed to tamper with files, run code, and more: “KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning,” Trend Micro researchers said in a security advisory published earlier this week.
The researchers also said that the tool masquerades as sshd, Java, SQLite, bash, edr-agent, and more.
Earth Lusca Golang malware
It was built by a Chinese threat actor called Earth Lusca. Apparently, the group distributes the malware either as a .DLL file, or as a .SO (shared object). However, the researchers are still pretty much in the dark when it comes to distribution: “This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors,” the researchers said. “Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling.”
Speaking of C2 servers, Trend Micro found more than 50 of them, all hosted on Alibaba. This led them to speculate that multiple groups could be sharing the same infrastructure.
Earth Lusca is a sophisticated cyber threat actor group, believed to be linked to advanced persistent threats (APTs) with a focus on espionage and intelligence gathering. The group, whose first reported activity dates back to 2021, is known for targeting a wide range of sectors, including government agencies, healthcare, telecommunications, and education, primarily in Southeast Asia.
Via The Hacker News
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/tfTPM2h23pWZ3334EbhVKT-1200-80.jpg
Source link
