Earth Lusca Using Multiplatform Backdoor to Attack Windows & Linux Machines

Earth Lusca is a suspected China-based cyber espionage group active since at least April 2019.

Besides this, hackers often target Windows and Linux machines primarily due to their widespread use and potential for financial gain.

Trend Micro security experts recently uncovered a sophisticated new Golang-based backdoor named “KTLVdoor,” deployed by the Chinese threat actor Earth Lusca. 

This highly obfuscated, multiplatform malware family infects Windows and Linux systems, often disguising itself as standard system utilities to evade detection. 

Earth Lusca Using Multiplatform Backdoor

KTLVdoor provides threat actors with extensive remote control capabilities, such as executing commands, file manipulation, information gathering, proxy usage, and port scanning. 

The operation is large in scale, with over 50 command-and-control servers hosted on Alibaba’s infrastructure in China, communicating with several malware variants. 

Though it’s primarily tied to Earth Lusca, the shared infrastructure also suggests the potential involvement of other Chinese threat groups.

This campaign’s samples are heavily obfuscated, reinserting random base64-like encoded strings and function names in embedded strings.

The agent’s settings are hidden and contain XOR-encoded agent configuration parameters. Base64 features a proprietary form resembling a TLV-like format.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Trend Micro said that the configuration is implemented by restoring the internal structure corresponding to the machine and keeping the addresses of C&C servers encrypted in AES-GCM-encrypted values.

After the start-up, the agent communicates with the C&C server through GZIP-compressed and AES-GCM-encrypted messages.

Besides this, the PortScan implements the following scanning methods:-

  • ScanTCP
  • ScanRDP
  • ScanWinRM
  • ScanSmb2
  • RdpWithNTLM
  • DialTLS
  • DialTCP
  • ScanPing
  • ScanPing
  • ScanMssql
  • ScanBanner
  • ScanWeb

Communication can be unidirectional or bidirectional, consisting of a header and message data.

The agent has been assigned task-processing handlers for the threat actor Earth Lusca; however, the campaign details are unknown.

The atypical infrastructure with all C&C servers on Alibaba’s IP addresses suggests that this is the current environment of Earth Lusca or some other Chinese-speaking threat actors arming themselves and playing around with the new tools that have yet to be released.

Cybersecurity researchers urged that it remains important to ensure the ongoing monitoring of this activity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

58 mins ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

13 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

18 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago