September 5, 2024 at 02:15AM
Earth Lusca, a Chinese-speaking threat actor, has been observed deploying a new backdoor named KTLVdoor in a cyber attack targeting an unnamed trading company in China. The malware is written in Golang and masquerades as system utilities, with over 50 command-and-control servers identified. Its use by other Chinese threat actors is also suggested.
From the meeting notes, it appears that a Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor called KTLVdoor as part of a cyber attack targeting an unidentified trading company in China. The malware is written in Golang, making it a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.
KTLVdoor is described as highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out tasks such as file manipulation, command execution, and remote port scanning. The malware is distributed in the form of dynamic-link library (.dll) or a shared object (.so). It’s noteworthy that the activity cluster includes more than 50 command-and-control (C&C) servers hosted at the Chinese company Alibaba, potentially indicating collaboration with other Chinese threat actors.
Earth Lusca has been active since at least 2021, carrying out cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. The group has similarities to other intrusion sets tracked as RedHotel and APT27.
KTLVdoor, the latest addition to the group’s malware arsenal, is designed to communicate with C&C servers, allowing for the execution of various instructions on the compromised host. However, there is limited information about the malware’s distribution and whether it has been used to target other entities worldwide.
The researchers speculate that although the new tool is used by Earth Lusca, it may also be shared with other Chinese-speaking threat actors. Additionally, they question whether the appearance of this new malware and the C&C servers could be an early stage of testing new tools.
The article provides insights into the emergence of this new malware and the potential implications for cybersecurity.
Is there anything specific you would like to discuss further about these meeting notes?