A Chinese-speaking threat actor, known as Earth Lusca, has been linked to a recent cyber attack involving a new backdoor called KTLVdoor, targeting an unnamed trading company based in China. This previously undiscovered malware is written in Golang, making it a cross-platform tool capable of targeting both Microsoft Windows and Linux systems.
According to Trend Micro researchers Cedric Pernet and Jaromir Horejsi, KTLVdoor is highly obfuscated and disguises itself as various system utilities such as sshd, Java, SQLite, bash, and edr-agent. The malware is distributed in the form of either a dynamic-link library (.dll) or a shared object (.so) file, depending on the targeted system.
What makes this campaign even more unusual is the use of over 50 command-and-control (C&C) servers, all hosted by Alibaba, a Chinese cloud services provider. The connection to Alibaba's infrastructure suggests the possibility that the tool may be shared across other Chinese-speaking threat actors.
Earth Lusca, active since at least 2021, has conducted cyber attacks targeting entities across Asia, Australia, Europe, and North America, and shares tactical overlaps with RedHotel and APT27 (also known as Budworm, Emissary Panda, and Iron Tiger). With KTLVdoor as the latest addition to its arsenal, the group continues to enhance its operational capabilities.
The malware gets its name from the "KTLV" marker found in its configuration file. This marker contains several critical parameters necessary for its operation, including information on the C&C servers it needs to communicate with. Once initiated, KTLVdoor contacts the C&C server repeatedly, awaiting instructions from the attacker.
The backdoor supports a variety of malicious operations, including:
- Downloading and uploading files
- Enumerating the file system
- Launching an interactive shell
- Running shellcode
- Performing network scanning using tools like ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb.
Despite these findings, little is known about how KTLVdoor is being distributed, and whether it has been used in attacks outside of this initial case. Researchers also speculate that this campaign could be an early-stage test of new tools, given the exclusive use of Alibaba's infrastructure for C&C operations.
"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers said. They also suggested that the entire infrastructure could be in its early stages of development and testing.
As the cyber threat landscape evolves, this new malware represents yet another sophisticated toolset emerging from China-based cyber espionage groups.