Cybersecurity researchers at Trend Micro recently discovered never-before-seen backdoor malware used to attack a Chinese trading company.
The malware is called KTLVdoor, and because it’s written in Go (Golang), it can be used against both Windows and Linux endpoints. It’s designed to manipulate files, execute code, and more: “KTLVdoor is a highly obfuscated malware that masquerades as various system utilities, allowing attackers to perform various tasks including file manipulation, command execution, and remote port scanning,” Trend Micro researchers wrote in a security advisory published earlier this week.
The researchers also said the tool masquerades as sshd, Java, SQLite, bash, edr-agent and more.
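The masquerade names above give defenders a concrete triage hook: a process called sshd, bash, java or sqlite that is running from an unusual path, or whose executable on disk is a Go-built binary, deserves a second look, because the genuine versions of those utilities are not written in Go. The script below is an added illustration of that check and is not Trend Micro's code or anything from the advisory; the expected-path prefixes, the Go marker strings and the sample files it constructs are assumptions for the example.

```python
"""Added example (not from the Trend Micro advisory): host-side triage of a
process that carries one of the utility names KTLVdoor reportedly impersonates.
The path baseline, Go markers and sample files are assumptions for this demo."""
import os
import tempfile

# Utility names the Trend Micro write-up says the backdoor masquerades as.
MASQUERADE_NAMES = {"sshd", "java", "sqlite", "sqlite3", "bash", "edr-agent"}

# Directory prefixes where the genuine binaries normally live on a Linux host
# (assumed baseline for this example; adjust to your own fleet).
EXPECTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/bin/", "/sbin/", "/usr/lib/jvm/")

# Byte strings present in nearly every Go-built executable or shared object.
GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b".gopclntab", b"runtime.goexit")


def looks_go_built(path: str) -> bool:
    """True if the file on disk carries Go toolchain markers."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return any(marker in blob for marker in GO_MARKERS)


def triage_process(name: str, exe_path: str) -> list:
    """Return the reasons a process looks like a masquerading binary.
    An empty list means the heuristic found nothing to flag."""
    reasons = []
    if os.path.basename(name).lower() not in MASQUERADE_NAMES:
        return reasons  # not one of the impersonated names; out of scope here
    if not exe_path.startswith(EXPECTED_PREFIXES):
        reasons.append(f"{name} running from unexpected path {exe_path}")
    if not os.path.isfile(exe_path):
        reasons.append(f"{name} executable missing on disk: {exe_path}")
    elif looks_go_built(exe_path):
        # sshd, bash, java and sqlite are C/C++ programs; a Go build is a red flag.
        # (edr-agent may legitimately be Go, so treat that hit as lower confidence.)
        reasons.append(f"{name} at {exe_path} is a Go-built binary")
    return reasons


def demo() -> dict:
    """Build constructed sample files in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "sshd")  # constructed: Go marker inside, wrong path
        with open(fake, "wb") as fh:
            fh.write(b"\x7fELF constructed sample ... Go build ID: abc123\n")
        plain = os.path.join(tmp, "notes.txt")  # constructed: not a masquerade name
        with open(plain, "wb") as fh:
            fh.write(b"plain text, no go markers\n")
        gone = os.path.join(tmp, "bash")  # never created: binary deleted after launch
        return {
            "fake_sshd": triage_process("sshd", fake),
            "plain": triage_process("notes.txt", plain),
            "missing": triage_process("bash", gone),
        }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits or "clean")
```

In practice you would feed `triage_process` the name and `/proc/<pid>/exe` target of each running process (or the equivalent from your EDR's process inventory) rather than constructed files; the point is that each hit is a cheap, explainable reason for escalation, not a verdict on its own.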
Earth Lusca Golang Malware
It was built by a Chinese threat actor called Earth Lusca. The group apparently distributes the malware as a .DLL file or as a .SO (shared object). However, the researchers are still in the dark about who is using and distributing it: “This new tool is used by Earth Lusca, but could also be shared with other Chinese-speaking threat actors,” the researchers wrote. “Given that all C&C servers were located on IP addresses of the China-based provider Alibaba, we wonder if the entire appearance of this new malware and the C&C server could not be an early stage of testing new tooling.”
Speaking of C2 servers, Trend Micro found over 50 of them, all hosted on Alibaba. This led to speculation that multiple groups could be sharing the same infrastructure.
Earth Lusca is an advanced cyber threat actor group believed to be linked to advanced persistent threats (APTs) with a focus on espionage and intelligence gathering. The group, whose first reported activity dates back to 2021, is known for targeting a wide range of sectors, including government agencies, healthcare, telecommunications, and education, primarily in Southeast Asia.
Via The Hacker News