Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
Essential information
- Published
- 04/09/2024 09:22
- Modified
- 04/09/2024 09:55
- Tags
- 2024-09-04 golang ktlvdoor
- Related entities
- 180 observables, 1 intrusion sets (apt), 19 techniques (mitre), 1 malware, 2 others
Description
A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, manipulate files, and gather information. The campaign involves over 50 C&C servers hosted in China, potentially shared with other threat actors. KTLVdoor uses sophisticated encryption and obfuscation techniques, including a custom TLV-like configuration format and AES-GCM encryption for C&C communication. The malware's capabilities include file operations, command execution, port scanning, and proxy functionality.
External references
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--/Indicators%20of%20Compromise%20-%20Earth%20Lusca%20Uses%20KTLVdoor%20Backdoor%20for%20Multiplatform%20Intrusion.txt
- https://otx.alienvault.com/pulse/66d826f2f61254f51a48bbe7