China State-linked Group Leveraging Linux Backdoor SprySOCKS for Government Targeting

According to Trend Micro, a new Linux-targeted backdoor named ‘SprySOCKS’ has been discovered while monitoring a China state-linked actor.

This backdoor has its origins in an open-source Windows backdoor known as Trochilus but has been adapted and re-implemented for Linux systems. It’s worth noting that SprySOCKS appears to still be in the development phase, as the researchers found multiple versions of it, each with distinct version numbers.

The architecture of SprySOCKS and its command-and-control (C2) protocol is noteworthy. The backdoor consists of two components: a loader, responsible for reading, decrypting and running the main payload, and the encrypted main payload itself. Interestingly, this structure shares similarities with another backdoor known as RedLeaves, a remote access trojan (RAT) reported to be infecting Windows machines.

At the moment, SprySOCKS has only been observed in use by the China-linked threat actor known as Earth Lusca, but researchers advised organizations to “proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach.”