Chinese hackers have developed an unprecedented method for covert attacks on Linux systems

Experts from the Japanese company Trend Micro, which specializes in cybersecurity issues, have discovered the SprySOCKS malware, which is used to attack computers with Linux systems.

Image source: Tumisu / pixabay.com

The new malware comes from the Trochilus Windows backdoor discovered by researchers at Arbor Networks in 2015 – it starts and runs only in memory and its payload is not stored on disks, making detection much more difficult. In June of this year, Trend Micro researchers discovered a file on a server called “libmonitor.so.2” that was used by a group whose activities they had been tracking since 2021. In the VirusTotal database, they found an associated executable file “mkmon” that helped decrypt “libmonitor.so.2” and reveal its payload.

It turned out to be a complex malware for Linux, whose functionality partially corresponds to the capabilities of Trochilus and has an original implementation of the Socket Secure (SOCKS) protocol, which is why the malware was named SprySOCKS. It allows you to collect information about the system, launch the command interface (shell) for remote control, create a list of network connections, provide a proxy server based on the SOCKS protocol to transfer data between the compromised system and the attacker’s command server exchange also perform other operations. The indication of the versions of the malware suggests that it is still under development.

Researchers suspect that SprySOCKS is used by hackers from the Earth-Lusca group – it was first discovered in 2021 and appeared on the cybercriminals list a year later. The group uses social engineering methods to infect systems. SprySOCKS installs the Cobalt Strike and Winnti packages as payloads. The first is a kit for finding and exploiting vulnerabilities. the second, which is more than ten years old, contacts the Chinese authorities. There is a version that the Earth-Lusca group, which works mainly for Asian purposes, aims to steal funds, since its victims are often companies involved in gambling and cryptocurrencies.