New KTLVdoor Malware Found in Attack on Chinese Trading Firm

SeniorTechInfo

Sep 05, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

The Chinese-speaking threat actor Earth Lusca is making headlines with a new backdoor called KTLVdoor, which was recently used in a cyber attack against a trading company in China.

This newly discovered malware, written in Golang, is a versatile tool that can target both Windows and Linux systems.

According to Trend Micro researchers Cedric Pernet and Jaromir Horejsi in their analysis published Wednesday, “KTLVdoor is a highly obfuscated malware that pretends to be various system utilities, allowing attackers to execute tasks like file manipulation, command execution, and remote port scanning.” The malware is distributed as a dynamic-link library (.dll) or a shared object (.so).

The most intriguing part of this cyber attack is the presence of over 50 command-and-control servers hosted at Alibaba in China, suggesting collaboration with other threat actors in the region. Earth Lusca has been active since 2021, targeting organizations across Asia, Australia, Europe, and North America.

KTLVdoor, the latest tool in Earth Lusca’s arsenal, derives its name from the “KTLV” marker in its configuration file that specifies crucial parameters, including C&C server details.
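The article only states that the "KTLV" marker sits in the malware's configuration and introduces the C&C parameters; it does not describe the layout of the configuration block. The following is an added triage script, not code from the article or from Trend Micro, that sweeps a directory tree for the delivery formats named above (.dll and .so) and reports every file offset where the literal bytes "KTLV" occur, with a few bytes of hex context for manual review. The sample files it builds are constructed for the demonstration and contain no real malware; the assumption that the marker appears as plaintext ASCII is exactly that, an assumption, and since the article calls the malware highly obfuscated, a miss is not evidence of a clean host and a hit on a four-byte string is a lead to confirm, not a verdict.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

MARKER = b"KTLV"               # configuration marker reported for KTLVdoor
EXTENSIONS = {".dll", ".so"}   # the two delivery formats named in the article
CONTEXT = 8                    # bytes of context shown on each side of a hit


def find_marker_offsets(data: bytes, marker: bytes = MARKER) -> List[int]:
    """Return every offset at which `marker` occurs in `data` (overlaps included)."""
    offsets = []
    pos = data.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(marker, pos + 1)
    return offsets


def hex_context(data: bytes, offset: int, width: int = CONTEXT) -> str:
    """Hex dump of the bytes around a hit, for an analyst to eyeball."""
    start = max(0, offset - width)
    end = min(len(data), offset + len(MARKER) + width)
    return data[start:end].hex(" ")


def scan_tree(root: str, extensions=EXTENSIONS) -> Dict[str, List[int]]:
    """Map each .dll/.so under `root` that contains the marker to its hit offsets."""
    hits: Dict[str, List[int]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        data = path.read_bytes()
        offsets = find_marker_offsets(data)
        if offsets:
            hits[str(path)] = offsets
    return hits


def build_sample_tree() -> str:
    """Constructed sample files for the demo: one clean .so, one .so carrying the
    marker followed by made-up bytes, and a text file that must be skipped.
    None of this is real malware; the byte layout after KTLV is invented."""
    root = tempfile.mkdtemp(prefix="ktlv_demo_")
    Path(root, "libclean.so").write_bytes(b"\x7fELF" + b"\x00" * 64)
    fake = (b"\x7fELF" + b"\x00" * 32            # marker lands at offset 36
            + MARKER + b"\x01\x00\x10\x00"        # invented placeholder bytes
            + b"10.0.0.1:443" + b"\x00" * 16)     # placeholder C&C string
    Path(root, "libfake.so").write_bytes(fake)
    Path(root, "notes.txt").write_bytes(b"KTLV in prose, ignored by the filter")
    return root


def report(root: str) -> int:
    """Print every hit with context; return the number of flagged files."""
    hits = scan_tree(root)
    for path, offsets in hits.items():
        data = Path(path).read_bytes()
        for off in offsets:
            print(f"{path} @ {off:#x}: {hex_context(data, off)}")
    return len(hits)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(f"{report(demo_root)} file(s) flagged under {demo_root}")
```

Run it against a mounted disk image or a module dump rather than a live system, and treat every hit as a triage lead: four ASCII bytes can occur in legitimate binaries, and a packed or encrypted configuration will not match at all.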

Once installed, the malware establishes communication with the C&C server and awaits commands to carry out actions like file transfers, system enumeration, launching shells, and conducting scans for vulnerabilities.

Despite its capabilities, not much is known about the distribution of KTLVdoor or its targets beyond the Chinese trading company.

“This new tool is employed by Earth Lusca, but it may also be shared with other Chinese-speaking threat actors,” the researchers highlighted. “Given that all C&C servers are hosted on Alibaba’s IP addresses, it raises questions about the testing phase of this new malware.”

