Trend Micro cybersecurity researchers have recently detected a never-before-seen backdoor malware being used to attack a Chinese trading company.
The malware is called KTLVdoor, and since it's written in Golang, it can be used against endpoints running Windows and Linux operating systems. It's designed to manipulate files, execute code, and more: “KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to perform a variety of tasks, including file manipulation, command execution, and remote port scanning,” Trend Micro researchers said in a security advisory published earlier this week.
The researchers also said the tool impersonates sshd, Java, SQLite, bash, edr-agent and more.
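One defensive use of that impersonation list is a hunting check for processes that carry one of those utility names but run from somewhere the genuine binary never lives. The following is an added example written for this article, not Trend Micro's or Earth Lusca's code; the expected install directories, the `edr-agent` path placeholder and the sample process listing are all assumptions constructed for illustration.

```python
"""Hunting heuristic for utility-name masquerading (constructed example)."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Names the advisory says KTLVdoor impersonates, mapped to directories where the
# genuine Linux binary normally lives. The directory sets are this example's
# assumptions, not values from the advisory; tune them to your own fleet.
EXPECTED_DIRS = {
    "sshd": {"/usr/sbin"},
    "java": {"/usr/bin", "/usr/lib/jvm"},
    "sqlite3": {"/usr/bin"},                 # the SQLite CLI binary name
    "bash": {"/bin", "/usr/bin"},
    "edr-agent": {"/opt/edr-vendor/bin"},    # placeholder: your EDR's real install path
}

@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str   # process name as shown by ps or /proc/<pid>/comm
    exe: str    # resolved target of /proc/<pid>/exe

def is_masquerading(p: Proc) -> bool:
    """True when a watched utility name is claimed by a binary outside its expected directory."""
    if p.comm not in EXPECTED_DIRS:
        return False                          # not a name we watch
    path = PurePosixPath(p.exe)
    if path.name != p.comm:
        return True                           # displayed name and on-disk file disagree
    return not any(str(path).startswith(d + "/") for d in EXPECTED_DIRS[p.comm])

def suspicious_pids(procs) -> list[int]:
    """Return the PIDs worth triaging, sorted for stable output."""
    return sorted(p.pid for p in procs if is_masquerading(p))

# Constructed sample listing: two legitimate processes and two lookalikes.
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(1440, "java", "/usr/lib/jvm/java-17/bin/java"),
    Proc(2301, "sshd", "/tmp/.cache/sshd"),
    Proc(2345, "bash", "/dev/shm/libupdate.so"),
]

if __name__ == "__main__":
    print(suspicious_pids(SAMPLE))  # [2301, 2345]
```

On a live host the same check can be fed from `/proc/<pid>/comm` and `os.readlink(f"/proc/{pid}/exe")`; a path-based rule like this is a triage aid, so confirm hits against file hashes and signatures before acting.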
Earth Lusca Golang malware
The malware was created by a Chinese threat actor named Earth Lusca. The group apparently distributes the malware as a .DLL file or as a .SO (shared object). However, the researchers still know little about how it is distributed: “This new tool is used by Earth Lusca, but it could also be shared with other Chinese-speaking threat actors,” the researchers said. “Seeing that all C&C servers were on IP addresses of the Chinese vendor Alibaba, we wondered if the appearance of this new malware and the C&C server could not be an early stage of testing new tools.”
On the subject of C&C servers, Trend Micro found more than 50, all hosted on Alibaba IP addresses. This led the researchers to speculate that multiple groups could be sharing the same infrastructure.
Earth Lusca is a sophisticated group of cyber threat actors, believed to be linked to advanced persistent threats (APTs) focused on espionage and intelligence gathering. The group, whose first reported activity dates back to 2021, is known for targeting a wide range of sectors, including government agencies, healthcare, telecommunications, and education, primarily in Southeast Asia.
Via Hacker News