216.73.217.172

Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

· Published 04/09/2024 09:22 · Modified 04/09/2024 09:55

Export JSON

Essential information

Published
04/09/2024 09:22
Modified
04/09/2024 09:55
Tags
2024-09-04 golang ktlvdoor
Related entities
180 observables, 1 intrusion sets (apt), 19 techniques (mitre), 1 malware, 2 others

Description

A new multiplatform backdoor named , written in with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, manipulate files, and gather information. The campaign involves over 50 C&C servers hosted in China, potentially shared with other threat actors. uses sophisticated encryption and obfuscation techniques, including a custom TLV-like configuration format and AES-GCM encryption for C&C communication. The malware's capabilities include file operations, command execution, port scanning, and proxy functionality.

External references