
KTLVdoor Backdoor

The Chinese-speaking threat group known as Earth Lusca has been detected deploying a new backdoor called KTLVdoor in a cyber attack against an undisclosed trading company in China. This newly uncovered malware, developed in Golang, is designed to be cross-platform, targeting both Microsoft Windows and Linux systems.

KTLVdoor features heavy obfuscation and disguises itself as various system utilities. This allows attackers to perform a range of malicious activities, including file manipulation, command execution and remote port scanning.

Impersonating Legitimate Tools

KTLVdoor masquerades as several tools, including sshd, Java, SQLite, bash, and edr-agent, among others. The malware is distributed as either a dynamic-link library (.dll) or a shared object (.so).

A notable aspect of this activity is the identification of over 50 Command-and-Control (C&C) servers, all hosted by the Chinese company Alibaba. These servers have been linked to various malware variants, suggesting the potential for shared infrastructure with other Chinese threat actors.

Threat Actors Have Been Active for Several Years

Earth Lusca has been active since at least 2021, carrying out cyber attacks targeting both public and private sector institutions across Asia, Australia, Europe and North America. The group is believed to share some tactical similarities with other intrusion sets known as RedHotel and APT27 (also referred to as Budworm, Emissary Panda and Iron Tiger).

The group's latest malware, KTLVdoor, is highly obfuscated. It derives its name from a marker labeled 'KTLV' found in its configuration file, which includes various parameters necessary for its operations, such as the Command-and-Control (C&C) servers it connects to.
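A small defender-side triage helper, added here as an example and not code from the page or the researchers who analysed KTLVdoor: it flags library files whose names borrow the tool names listed above (sshd, Java, SQLite, bash, edr-agent) with a .dll or .so suffix, and files whose bytes contain the 'KTLV' configuration marker. Treating the marker as the ASCII bytes `KTLV`, and the name-matching heuristic itself, are assumptions of this example; hits are review candidates, not verdicts.

```python
import re
from pathlib import Path

# Tool names the page reports KTLVdoor masquerading as.
MASQUERADE_NAMES = ("sshd", "java", "sqlite", "bash", "edr-agent")
LIBRARY_SUFFIXES = (".dll", ".so")
# Assumption: the 'KTLV' configuration marker appears as these ASCII bytes.
KTLV_MARKER = b"KTLV"


def basename(path: str) -> str:
    """Last path component for both '/' and '\\' separated paths."""
    return re.split(r"[\\/]", path)[-1]


def looks_like_masquerade(name: str) -> bool:
    """True if a .dll/.so file name borrows one of the reported tool names."""
    lower = name.lower()
    if not lower.endswith(LIBRARY_SUFFIXES):
        return False
    stem = lower.rsplit(".", 1)[0]          # drop the suffix only
    return any(stem == n or stem.startswith(n + ".") or stem.startswith(n + "-")
               for n in MASQUERADE_NAMES)


def has_ktlv_marker(data: bytes) -> bool:
    return KTLV_MARKER in data


def triage(entries):
    """entries: iterable of (path, bytes). Returns [(path, [reasons])] for hits."""
    findings = []
    for path, data in entries:
        reasons = []
        if has_ktlv_marker(data):
            reasons.append("ktlv_marker")
        if looks_like_masquerade(basename(path)):
            reasons.append("masquerade_name")
        if reasons:
            findings.append((path, reasons))
    return findings


def scan_directory(root: str, max_bytes: int = 4 * 1024 * 1024):
    """Feed real files under root to triage(), reading at most max_bytes each."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    return triage((str(p), p.read_bytes()[:max_bytes]) for p in files)


# Constructed sample inputs (not real samples): a fake ELF with the marker,
# a benign-looking library, and a PE whose name mimics SQLite.
SAMPLE_FILES = [
    ("/usr/lib/edr-agent.so", b"\x7fELF" + b"\x00" * 16 + b"KTLV" + b"\x01\x02"),
    ("/opt/app/libhelper.so", b"\x7fELF" + b"\x00" * 32),
    ("C:\\Temp\\sqlite.dll", b"MZ" + b"\x00" * 20),
]
```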

A Lot of Unknowns Still Remain

Once activated, the malware repeatedly contacts the Command-and-Control (C&C) server, waiting for further instructions to execute on the compromised system. It supports various commands, including downloading and uploading files, enumerating the file system, launching an interactive shell, running shellcode, and conducting scans using tools like ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

However, details on how the malware is distributed and whether it has been used against other targets worldwide remain unclear.

While Earth Lusca employs this new tool, there is a possibility it may also be used by other Chinese-speaking threat actors. The fact that all C&C servers were hosted on IP addresses from Alibaba, a Chinese provider, has led researchers to speculate that the malware and its C&C infrastructure could be part of an early testing phase for new tools.

Backdoor Threats Expose Victims to Severe Consequences

Backdoor malware poses serious dangers because it provides attackers with unauthorized, covert access to compromised systems, bypassing normal security measures. Some of the most significant threats associated with backdoor malware include:

  • Persistent Control: Backdoors allow attackers to maintain long-term access to a system, often undetected. This persistent access enables attackers to continually monitor and manipulate the system over time, making it difficult to remove the threat.
  • Data Theft: Attackers can harvest sensitive information such as financial data, intellectual property, login credentials and confidential communications. This harvested data can be sold, used for fraud, or lead to further attacks, including identity theft or espionage.
  • Network Exploitation: Once inside, backdoor malware can spread laterally across a network, infecting other devices and expanding the scope of the attack. This can lead to full network compromise, allowing attackers to control multiple systems simultaneously.
  • Delivery of Other Malware: Backdoors can be used as a delivery mechanism for additional malware, such as ransomware, spyware, or keyloggers, which can cause further damage and disruption.
  • System Manipulation and Sabotage: Attackers can execute commands on the infected system, altering configurations, deleting or corrupting files, disabling security tools, and disrupting critical services. In cases of industrial or governmental systems, this could lead to severe operational or infrastructure damage.
  • Remote Monitoring and Control: Backdoor malware allows attackers to silently monitor activities, recording keystrokes, capturing screenshots, and logging user behavior. This level of surveillance can compromise security policies and allow the attacker to exploit vulnerabilities without detection.
  • Escalation of Privileges: Attackers often use backdoors to escalate their privileges on a system, giving them full administrative control. This allows them to bypass security protocols, making it nearly impossible for legitimate users or security teams to regain control.
  • Difficult Detection and Removal: Backdoor malware is often designed to be highly obfuscated and stealthy, making it difficult to detect with traditional antivirus or security tools. It may also disable or evade detection tools, allowing the threat to remain in the system undetected for long periods.

In summary, backdoor malware is a serious threat because it grants attackers long-term, hidden access to systems, enabling them to steal data, spread malware, manipulate operations, and compromise entire networks, all while remaining difficult to detect and eradicate.
