"Earth Lusca," a China-linked cyber espionage actor that has been actively targeting government organizations in Asia, Latin America, and other regions since at least 2021, has begun using a Linux backdoor with features that appear inspired by multiple previously known malware tools.
The malware, which researchers at Trend Micro discovered and are tracking as "SprySOCKS," is primarily a Linux variant of "Trochilus," a Windows remote access Trojan (RAT) whose code was leaked and became publicly available in 2017.
Trochilus has multiple functions, including allowing threat actors to remotely install and uninstall files, log keystrokes, capture screenshots, manage files, and edit the registry. One core feature of the malware is its ability to enable lateral movement. According to Trend Micro, SprySOCKS' main execution routine and strings show that it originated from Trochilus, with several of its functions reimplemented for Linux systems.