New KTLVdoor Backdoor Discovered in Multiplatform Intrusion Campaign Linked to Earth Lusca


Cybersecurity researchers from Trend Micro have uncovered a new and highly sophisticated multiplatform backdoor dubbed KTLVdoor, linked to the notorious Chinese-speaking threat actor Earth Lusca. The backdoor, written in the Go programming language, targets both Microsoft Windows and Linux systems and has been actively used in real-world attacks. This discovery marks a significant evolution in Earth Lusca’s toolkit, showcasing a more advanced level of obfuscation and functionality than previously seen.

KTLVdoor is built for stealth and persistence, giving the operator full control of a compromised host. According to Trend Micro’s report, the malware can execute system commands, manipulate files, retrieve system and network information, scan remote ports, and route traffic through proxies. Samples are typically delivered as a dynamic library (a DLL on Windows, a shared object on Linux) and carry innocuous names such as sshd, java, and bash, so a file or process listing alone gives little away.

One of the most concerning aspects of this campaign is its scale. Trend Micro’s investigation revealed over 50 command-and-control (C&C) servers, all hosted by China-based Alibaba. While many samples of the malware can be confidently attributed to Earth Lusca, the researchers suggest that the infrastructure may be shared with other Chinese-speaking threat actors.

The complexity of KTLVdoor shows in its code structure and in the layers it uses to conceal both its configuration and its C&C traffic. The embedded configuration is XOR-encrypted and Base64-encoded; once decoded it is parsed as a custom TLV-like (type-length-value) structure, and the “KTLV” marker found in that structure is what gives the backdoor its name. Base64 and a repeating XOR key are obfuscation rather than strong encryption: they hide the settings from casual string inspection, but once the key is recovered from a sample the full configuration can be extracted.
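To make the layering concrete, here is an added example (not code from Trend Micro’s report or from the malware itself) of a small config encoder and extractor in Go, the language KTLVdoor is written in. The “KTLV” marker and the Base64-over-XOR-over-TLV layering come from the report; the field layout (uint16 type, uint32 length, little-endian), the XOR key, the entry type numbers and the sample values are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout for this illustration (the page gives the layering and the
// marker, not the field format): "KTLV" marker, then repeated entries of
// uint16 type | uint32 length | value, all little-endian.
const marker = "KTLV"

// Assumed repeating XOR key; for a real sample the key is recovered from the binary.
var xorKey = []byte("example-key")

type Entry struct {
	Type  uint16
	Value []byte
}

// xorBytes applies a repeating-key XOR; the same call encrypts and decrypts.
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// EncodeConfig produces the blob in the order the report describes:
// TLV body, XOR-encrypted, then Base64-encoded.
func EncodeConfig(entries []Entry) string {
	var buf bytes.Buffer
	buf.WriteString(marker)
	for _, e := range entries {
		binary.Write(&buf, binary.LittleEndian, e.Type)
		binary.Write(&buf, binary.LittleEndian, uint32(len(e.Value)))
		buf.Write(e.Value)
	}
	return base64.StdEncoding.EncodeToString(xorBytes(buf.Bytes(), xorKey))
}

// DecodeConfig reverses the layers with a bounds check at every step, so a
// malformed or wrong-key blob returns an error instead of an index panic.
func DecodeConfig(blob string) ([]Entry, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	plain := xorBytes(raw, xorKey)
	if len(plain) < len(marker) || string(plain[:len(marker)]) != marker {
		return nil, errors.New("KTLV marker not found (wrong key or not a config)")
	}
	rest := plain[len(marker):]
	var entries []Entry
	for len(rest) > 0 {
		if len(rest) < 6 {
			return nil, errors.New("truncated entry header")
		}
		typ := binary.LittleEndian.Uint16(rest[:2])
		n := binary.LittleEndian.Uint32(rest[2:6])
		rest = rest[6:]
		if uint64(n) > uint64(len(rest)) {
			return nil, errors.New("entry length exceeds remaining data")
		}
		entries = append(entries, Entry{Type: typ, Value: append([]byte(nil), rest[:n]...)})
		rest = rest[n:]
	}
	return entries, nil
}

// RecoverKeyPrefix is the known-plaintext trick an analyst applies to a real
// sample: the decoded config must start with "KTLV", so XORing the first four
// raw bytes with the marker yields the first four bytes of the key.
func RecoverKeyPrefix(blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < len(marker) {
		return nil, errors.New("blob too short or not base64")
	}
	return xorBytes(raw[:len(marker)], []byte(marker)), nil
}

func main() {
	// Constructed sample config, not taken from any real sample.
	blob := EncodeConfig([]Entry{
		{Type: 1, Value: []byte("203.0.113.10:443")}, // assumed: C&C endpoint
		{Type: 2, Value: []byte{0x02}},               // assumed: 1=simplex, 2=duplex
	})
	entries, err := DecodeConfig(blob)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("type=%d len=%d value=%q\n", e.Type, len(e.Value), e.Value)
	}
	prefix, _ := RecoverKeyPrefix(blob)
	fmt.Printf("recovered key prefix: %q\n", prefix)
}
```

The RecoverKeyPrefix step is the first thing to try on a real sample: a fixed marker at a fixed offset leaks that many key bytes, and a wrong key guess shows up immediately as a failed marker check rather than as silently garbled fields.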

Once initialized, the implant enters a communication loop with its C&C server in which the traffic is protected with AES-GCM, an authenticated cipher, so the exchange can be neither read nor modified in transit without the session key; network inspection is left with little more than connection metadata to work from. The malware supports both simplex (one-way) and duplex (two-way) communication modes, the latter allowing it to send and receive commands in real time.
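The following added example (not the implant’s or Trend Micro’s code) shows in Go what an AES-GCM-protected duplex exchange looks like and why a captured frame is useless without the key: a beacon goes up, a task comes down, and any flipped byte or frame replayed in the wrong direction fails the tag check. The key derivation from a configured secret, the nonce-prefixed frame format and the direction tags in the associated data are assumptions of the illustration, not details the page reports.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed: the session key is derived from a shared secret stored in the
// implant's configuration. The real key agreement is not described on the page.
func DeriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag. A fresh random nonce per message is
// what keeps GCM safe; reusing one under the same key breaks both secrecy and
// integrity.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag before returning any plaintext: a flipped byte anywhere
// in the frame, or mismatched associated data, yields an error, never garbage.
func Open(key, frame, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(frame) < ns+gcm.Overhead() {
		return nil, errors.New("frame too short")
	}
	return gcm.Open(nil, frame[:ns], frame[ns:], aad)
}

// Assumed direction tags bound into the associated data, so a frame captured
// in one direction cannot be replayed in the other.
var (
	toServer   = []byte("c2s")
	fromServer = []byte("s2c")
)

// RoundTrip models one duplex iteration: the implant beacons, the server
// answers with a task. It returns what each side recovered after Open.
func RoundTrip(secret, beacon, task string) (string, string, error) {
	key := DeriveKey(secret)
	up, err := Seal(key, []byte(beacon), toServer)
	if err != nil {
		return "", "", err
	}
	serverSaw, err := Open(key, up, toServer)
	if err != nil {
		return "", "", err
	}
	down, err := Seal(key, []byte(task), fromServer)
	if err != nil {
		return "", "", err
	}
	implantSaw, err := Open(key, down, fromServer)
	if err != nil {
		return "", "", err
	}
	return string(serverSaw), string(implantSaw), nil
}

func main() {
	// Constructed messages, not real C&C traffic.
	s, i, err := RoundTrip("shared-secret-from-config", "beacon host=web01 os=linux", "cmd: id")
	if err != nil {
		panic(err)
	}
	fmt.Printf("server received: %q\nimplant received: %q\n", s, i)
}
```

The practical consequence for defenders is that content-based signatures on this traffic will not work; detection has to come from the host side (the masquerading library names, the decoded configuration, the process loading it) or from infrastructure indicators such as the C&C addresses.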

Earth Lusca has been on cybersecurity radars for its involvement in a wide range of cyber espionage campaigns. Known for targeting political entities, government organizations, and technology firms, the group’s use of KTLVdoor represents a new chapter in its operations. What sets this campaign apart is not only the sophistication of the malware but also the possibility that Earth Lusca is testing new tools that may later be shared across the broader Chinese-speaking threat actor ecosystem.

Interestingly, the malware was also found targeting a trading company based in China. This suggests that, like other Chinese threat groups such as Iron Tiger and Void Arachne, Earth Lusca does not limit its operations to foreign targets but also engages in domestic espionage.
