New Golang malware capable of cross-platform backdoor attacks spotted in the wild

News
By
published

Earth Lusca is back at it, this time with a brand new malware variant to boot

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Cybersecurity researchers from Trend Micro have recently spotted a never-before-seen backdoor malware being used to target a Chinese trading company.

The malware is called KTLVdoor, and since it’s written Golang, it can be used against both Windows and Linux-powered endpoints. It is designed to tamper with files, run code, and more: "KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers said in a security advisory published earlier this week.

The researchers also said that the tool masquerades as sshd, Java, SQLite, bash, edr-agent, and more.

Earth Lusca Golang malware

It was built by a Chinese threat actor called Earth Lusca. Apparently, the group distributes the malware either as a .DLL file, or as a .SO (shared object). However, the researchers are still pretty much in the dark when it comes to distribution: "This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers said. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."

Speaking of C2 servers, Trend Micro found more than 50 of them, all hosted on Alibaba. This led them to speculate that multiple groups could be sharing the same infrastructure.

Earth Lusca is a sophisticated cyber threat actor group, believed to be linked to advanced persistent threats (APTs) with a focus on espionage and intelligence gathering. The group, whose first reported activity dates back to 2021, is known for targeting a wide range of sectors, including government agencies, healthcare, telecommunications, and education, primarily in Southeast Asia.

Via The Hacker News

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.