www.trendmicro.com Open in urlscan Pro
23.206.209.41  Public Scan

URL: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
Submission: On September 05 via api from TR — Scanned from DE

Form analysis 1 forms found in the DOM

<form class="main-menu-search" aria-label="Search Trend Micro">
  <div class="main-menu-search__field-wrapper" id="cludo-search-form">
    <table class="gsc-search-box">
      <tbody>
        <tr>
          <td class="gsc-input">
            <input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
          </td>
        </tr>
      </tbody>
    </table>
  </div>
</form>

Text Content

Business

search close

 * Solutions
   * By Challenge
       
     * By Challenge
         
       * By Challenge
         Learn more
         
     * Understand, Prioritize & Mitigate Risks
         
       * Understand, Prioritize & Mitigate Risks
         
         Improve your risk posture with attack surface management
         
         Learn more
         
     * Protect Cloud-Native Apps
         
       * Protect Cloud-Native Apps
         
         Security that enables business outcomes
         
         Learn more
         
     * Protect Your Hybrid World
         
       * Protect Your Hybrid, Multi-Cloud World
         
         Gain visibility and meet business needs with security
         
         Learn more
         
     * Securing Your Borderless Workforce
         
       * Securing Your Borderless Workforce
         
         Connect with confidence from anywhere, on any device
         
         Learn more
         
     * Eliminate Network Blind Spots
         
       * Eliminate Network Blind Spots
         
         Secure users and key operations throughout your environment
         
         Learn more
         
     * See More. Respond Faster.
         
       * See More. Respond Faster.
         
         Move faster than your adversaries with powerful purpose-built XDR,
         attack surface risk management, and zero trust capabilities
         
         Learn more
         
     * Extend Your Team
         
       * Extend Your Team. Respond to Threats Agilely
         
         Maximize effectiveness with proactive risk reduction and managed
         services
         
         Learn more
         
     * Operationalizing Zero Trust
         
       * Operationalizing Zero Trust
         
         Understand your attack surface, assess your risk in real time, and
         adjust policies across network, workloads, and devices from a single
         console
         
         Learn more
         
   * By Role
       
     * By Role
         
       * By Role
         Learn more
         
     * CISO
         
       * CISO
         
         Drive business value with measurable cybersecurity outcomes
         
         Learn more
         
     * SOC Manager
         
       * SOC Manager
         
         See more, act faster
         
         Learn more
         
     * Infrastructure Manager
         
       * Infrastructure Manager
         
         Evolve your security to mitigate threats quickly and effectively
         
         Learn more
         
     * Cloud Builder and Developer
         
       * Cloud Builder and Developer
         
         Ensure code runs only as intended
         
         Learn more
         
     * Cloud Security Ops
         
       * Cloud Security Ops
         
         Gain visibility and control with security designed for cloud
         environments
         
         Learn more
         
   * By Industry
       
     * By Industry
         
       * By Industry
         Learn more
         
     * Healthcare
         
       * Healthcare
         
         Protect patient data, devices, and networks while meeting regulations
         
         Learn more
         
     * Manufacturing
         
       * Manufacturing
         
         Protecting your factory environments – from traditional devices to
         state-of-the-art infrastructures
         
         Learn more
         
     * Oil & Gas
         
       * Oil & Gas
         
         ICS/OT Security for the oil and gas utility industry
         
         Learn more
         
     * Electric Utility
         
       * Electric Utility
         
         ICS/OT Security for the electric utility
         
         Learn more
         
     * Federal
         
       * Federal
         Learn more
         
     * Automotive
         
       * Automotive
         Learn more
         
     * 5G Networks
         
       * 5G Networks
         Learn more
         
   * Small & Midsized Business Security
       
     * Small & Midsized Business Security
       
       Stop threats with comprehensive, set-it-and-forget-it protection
       
       Learn more
       
 * Platform
   * Vision One Platform
       
     * Vision One Platform
         
       * Trend Vision One
         Our Unified Platform
         
         Bridge threat protection and cyber risk management
         
         Learn more
         
     * AI Companion
         
       * Trend Vision One Companion
         
         Your generative AI cybersecurity assistant
         
         Learn more
         
   * Attack Surface Management
       
     * Attack Surface Management
       
       Stop breaches before they happen
       
       Learn more
       
   * XDR (Extended Detection & Response)
       
     * XDR (Extended Detection & Response)
       
       Stop adversaries faster with a broader perspective and better context to
       hunt, detect, investigate, and respond to threats from a single platform
       
       Learn more
       
   * Cloud Security
       
     * Cloud Security
         
       * Trend Vision One™
         Cloud Security Overview
         
         The most trusted cloud security platform for developers, security
         teams, and businesses
         
         Learn more
         
     * Attack Surface Risk Management for Cloud
         
       * Attack Surface Risk Management for Cloud
         
         Cloud asset discovery, vulnerability prioritization, Cloud Security
         Posture Management, and Attack Surface Management all in one
         
         Learn more
         
     * XDR for Cloud
         
       * XDR for Cloud
         
         Extend visibility to the cloud and streamline SOC investigations
         
         Learn more
         
     * Workload Security
         
       * Workload Security
         
         Secure your data center, cloud, and containers without compromising
         performance by leveraging a cloud security platform with CNAPP
         capabilities
         
         Learn more
         
     * Container Security
         
       * Container Security
         
         Simplify security for your cloud-native applications with advanced
         container image scanning, policy-based admission control, and container
         runtime protection
         
         Learn more
         
     * File Security
         
       * File Security
         
         Protect application workflow and cloud storage against advanced threats
         
         Learn more
         
   * Endpoint Security
       
     * Endpoint Security
         
       * Endpoint Security Overview
         
         Defend the endpoint through every stage of an attack
         
         Learn more
         
     * XDR for Endpoint
         
       * XDR for Endpoint
         
         Stop adversaries faster with a broader perspective and better context
         to hunt, detect, investigate, and respond to threats from a single
         platform
         
         Learn more
         
     * Workload Security
         
       * Workload Security
         
         Optimized prevention, detection, and response for endpoints, servers,
         and cloud workloads
         
         Learn more
         
     * Industrial Endpoint Security
         
       * Industrial Endpoint Security
         Learn more
         
     * Mobile Security
         
       * Mobile Security
         
         On-premises and cloud protection against malware, malicious
         applications, and other mobile threats
         
         Learn more
         
   * Network Security
       
     * Network Security
         
       * Network Security Overview
         
         Expand the power of XDR with network detection and response
         
         Learn more
         
     * XDR for Network
         
       * XDR for Network
         
         Stop adversaries faster with a broader perspective and better context
         to hunt, detect, investigate, and respond to threats from a single
         platform
         
         Learn more
         
     * Network Intrusion Prevention (IPS)
         
       * Network Intrusion Prevention (IPS)
         
         Protect against known, unknown, and undisclosed vulnerabilities in your
         network
         
         Learn more
         
     * Breach Detection System (BDS)
         
       * Breach Detection System (BDS)
         
         Detect and respond to targeted attacks moving inbound, outbound, and
         laterally
         
         Learn more
         
     * Secure Service Edge (SSE)
         
       * Secure Service Edge (SSE)
         
         Redefine trust and secure digital transformation with continuous risk
         assessments
         
         Learn more
         
     * Industrial Network Security
         
       * Industrial Network Security
         Learn more
         
     * 5G Network Security
         
       * 5G Network Security
         Learn more
         
   * Email Security
       
     * Email Security
         
       * Email Security
         
         Stop phishing, malware, ransomware, fraud, and targeted attacks from
         infiltrating your enterprise
         
         Learn more
         
     * Email and Collaboration Security
         
       * Trend Vision One™
         Email and Collaboration Security
         
         Stop phishing, ransomware, and targeted attacks on any email service
         including Microsoft 365 and Google Workspace
         
         Learn more
         
   * OT Security
       
     * OT Security
         
       * OT Security
         
         Learn about solutions for ICS / OT security.
         
         Learn more
         
     * XDR for OT
         
       * XDR for OT
         
         Stop adversaries faster with a broader perspective and better context
         to hunt, detect, investigate, and respond to threats from a single
         platform
         
         Learn more
         
     * Industrial Network Security
         
       * Industrial Network Security
         Industrial Network Security
         
     * Industrial Endpoint Security
         
       * Industrial Endpoint Security
         Learn more
         
   * Threat Insights
       
     * Threat Insights
       
       See threats coming from miles away
       
       Learn more
       
   * Identity Security
       
     * Identity Security
       
       End-to-end identity security from identity posture management to
       detection and response
       
       Learn more
       
   * On-Premises Data Sovereignty
       
     * On-Premises Data Sovereignty
       
       Prevent, detect, respond and protect without compromising data
       sovereignty
       
       Learn more
       
   * All Products, Services, and Trials
       
     * All Products, Services, and Trials
       Learn more
       
 * Research
   * Research
       
     * Research
         
       * Research
         Learn more
         
     * Research, News, and Perspectives
         
       * Research, News, and Perspectives
         Learn more
         
     * Research and Analysis
         
       * Research and Analysis
         Learn more
         
     * Security News
         
       * Security News
         Learn more
         
     * Zero Day Initiatives (ZDI)
         
       * Zero Day Initiatives (ZDI)
         Learn more
         
 * Services
   * Our Services
       
     * Our Services
         
       * Our Services
         Learn more
         
     * Service Packages
         
       * Service Packages
         
         Augment security teams with 24/7/365 managed detection, response, and
         support
         
         Learn more
         
     * Managed XDR
         
       * Managed XDR
         
         Augment threat detection with expertly managed detection and response
         (MDR) for email, endpoints, servers, cloud workloads, and networks
         
         Learn more
         
     * Incident Response
         
       * Incident Response
           
         * Incident Response
           
           Our trusted experts are on call whether you're experiencing a breach
           or looking to proactively improve your IR plans
           
           Learn more
           
       * Insurance Carriers and Law Firms
           
         * Insurance Carriers and Law Firms
           
           Stop breaches with the best response and detection technology on the
           market and reduce clients’ downtime and claim costs
           
           Learn more
           
     * Support Services
         
       * Support Services
         Learn more
         
 * Partners
   * Partner Program
       
     * Partner Program
         
       * Partner Program Overview
         
         Grow your business and protect your customers with the best-in-class
         complete, multilayered security
         
         Learn more
         
     * Managed Security Service Provider
         
       * Managed Security Service Provider
         
         Deliver modern security operations services with our industry-leading
         XDR
         
         Learn more
         
     * Managed Service Provider
         
       * Managed Service Provider
         
         Partner with a leading expert in cybersecurity, leverage proven
         solutions designed for MSPs
         
         Learn more
         
     * Cloud Service Provider
         
       * Cloud Service Provider
         
         Add market-leading security to your cloud service offerings – no matter
         which platform you use
         
         Learn more
         
     * Professional Services
         
       * Professional Services
         
         Increase revenue with industry-leading security
         
         Learn more
         
     * Resellers
         
       * Resellers
         
         Discover the possibilities
         
         Learn more
         
     * Marketplace
         
       * Marketplace
         Learn more
         
     * System Integrators
         
       * System Integrators
         Learn more
         
   * Alliance Partners
       
     * Alliance Partners
         
       * Alliance Overview
         
         We work with the best to help you optimize performance and value
         
         Learn more
         
     * Technology Alliance Partners
         
       * Technology Alliance Partners
         Learn more
         
     * Our Alliance Partners
         
       * Our Alliance Partners
         Learn more
         
   * Partner Tools
       
     * Partner Tools
         
       * Partner Tools
         Learn more
         
     * Partner Login
         
       * Partner Login
         Login
         
     * Education and Certification
         
       * Education and Certification
         Learn more
         
     * Partner Successes
         
       * Partner Successes
         Learn more
         
     * Distributors
         
       * Distributors
         Learn more
         
     * Find a Partner
         
       * Find a Partner
         Learn more
         
 * Company
   * Why Trend Micro
       
     * Why Trend Micro
         
       * Why Trend Micro
         Learn more
         
     * Customer Success Stories
         
       * Customer Success Stories
         Learn more
         
     * The Human Connection
         
       * The Human Connection
         Learn more
         
     * Industry Accolades
         
       * Industry Accolades
         Learn more
         
     * Strategic Alliances
         
       * Strategic Alliances
         Learn more
         
   * Compare Trend Micro
       
     * Compare Trend Micro
         
       * Compare Trend Micro
         
         See how Trend outperforms the competition
         
         Let's go
         
     * vs. Crowdstrike
         
       * Trend Micro vs. Crowdstrike
         
         Crowdstrike provides effective cybersecurity through its cloud-native
         platform, but its pricing may stretch budgets, especially for
         organizations seeking cost-effective scalability through a true single
         platform
         
         Let's go
         
     * vs. Microsoft
         
       * Trend Micro vs. Microsoft
         
         Microsoft offers a foundational layer of protection, yet it often
         requires supplemental solutions to fully address customers' security
         problems
         
         Let's go
         
     * vs. Palo Alto Networks
         
       * Trend Micro vs. Palo Alto Networks
         
         Palo Alto Networks delivers advanced cybersecurity solutions, but
         navigating its comprehensive suite can be complex and unlocking all
         capabilities requires significant investment
         
         Let's go
         
   * About Us
       
     * About Us
         
       * About Us
         Learn more
         
     * Trust Center
         
       * Trust Center
         Learn more
         
     * History
         
       * History
         Learn more
         
     * Diversity, Equity and Inclusion
         
       * Diversity, Equity and Inclusion
         Learn more
         
     * Corporate Social Responsibility
         
       * Corporate Social Responsibility
         Learn more
         
     * Leadership
         
       * Leadership
         Learn more
         
     * Security Experts
         
       * Security Experts
         Learn more
         
     * Internet Safety and Cybersecurity Education
         
       * Internet Safety and Cybersecurity Education
         Learn more
         
     * Legal
         
       * Legal
         Learn more
         
     * Investors
         
       * Investors
         Learn more
         
     * Formula E Racing
         
       * Formula E Racing
         Learn more
         
   * Connect With Us
       
     * Connect With Us
         
       * Connect With Us
         Learn more
         
     * Newsroom
         
       * Newsroom
         Learn more
         
     * Events
         
       * Events
         Learn more
         
     * Careers
         
       * Careers
         Learn more
         
     * Webinars
         
       * Webinars
         Learn more
         

Back

Back

Back

Back

 * Free Trials
 * Contact Us

Looking for home solutions?
Under Attack?
4 Alerts

Back
Unread
All


 * Imagine with AI. Secure with Trend.
   
   close
   
   Get expert insight >

 * Confidence in GenAI: The Zero Trust Approach
   
   close
   
   Read blog >

 * Trend 2024 Midyear Cybersecurity Threat Report
   
   close
   
   Read findings >

 * Pressing Pause on a Play Ransomware Attack with Managed Detection and
   Response
   
   close
   
   Read more >

Folio (0)
Support
 * Business Support Portal
 * Education and Certification
 * Contact Support
 * Find a Support Partner

Resources
 * AI Hub
 * Trend Micro vs. Competition
 * Cyber Risk Index/Assessment
 * CISO Resource Center
 * DevOps Resource Center
 * What Is?
 * Threat Encyclopedia
 * Cloud Health Assessment
 * Cyber Insurance
 * Glossary of Terms
 * Webinars

Log In
 * Vision One
 * Support
 * Partner Portal
 * Cloud One
 * Product Activation and Management
 * Referral Affiliate

Back

arrow_back
search



close

Content has been added to your Folio

Go to Folio (0) close

Malware


EARTH LUSCA USES KTLVDOOR BACKDOOR FOR MULTIPLATFORM INTRUSION

While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor,
a highly obfuscated multiplatform backdoor, as part of a large-scale attack
campaign.

By: Cedric Pernet, Jaromir Horejsi September 04, 2024 Read time: 6 min (1736
words)

Save to Folio

Subscribe

--------------------------------------------------------------------------------

SUMMARY

 * During our monitoring of the Chinese-speaking threat actor Earth Lusca, we
   discovered a new multiplatform backdoor written in Golang, named KTLVdoor,
   which has both Microsoft Windows and Linux versions.
 * KTLVdoor is a highly obfuscated malware that masquerades as different system
   utilities, allowing attackers to carry out a variety of tasks including file
   manipulation, command execution, and remote port scanning.
 * The malware's configuration and communication involve sophisticated
   encryption and obfuscation techniques to hinder malware analysis.
 * The scale of the attack campaign is significant, with over 50 C&C servers
   found hosted at a China-based company; it remains unclear whether the entire
   infrastructure is exclusive to Earth Lusca or shared with other threat
   actors.

We discovered a new multiplatform backdoor written in Golang that we named
KTLVdoor while monitoring Earth Lusca, a Chinese-speaking threat actor we had
previously covered. Our investigation also uncovered both Microsoft Windows and
Linux versions of this new malware family.

This previously unreported malware is more complex than the usual tools used by
the threat actor. It is highly obfuscated and is being spread in the wild
impersonating various system utilities names or similar tools, such as sshd,
java, sqlite, bash, edr-agent, and more. The backdoor (agent) is usually
distributed as a dynamic library (DLL, SO).  The malware features enable the
attackers to fully control the environment: run commands, manipulate files,
provide system and network information, using proxies, download/upload files,
scan remote ports and more.

The scale of the attack campaign is surprising, as we were able to find more
than 50 C&C servers, all hosted at Alibaba in China, communicating with variants
of the malware family. While some of those malware samples are tied to Earth
Lusca with high confidence, we cannot be sure that the whole infrastructure is
used solely by this threat actor. The infrastructure might be shared with other
Chinese-speaking threat actors.

We could only find one target of the operation for the moment, a trading company
based in China. It is not the first time a Chinese-speaking threat actor has
targeted a Chinese company; groups like Iron Tiger and Void Arachne have
likewise used tools aimed specifically at Chinese-language speakers.

KTLVDOOR MALWARE ANALYSIS

HIGHLY OBFUSCATED

Most of the samples discovered in this campaign are obfuscated: embedded strings
are not directly readable, symbols are stripped and most of the functions and
packages were renamed to random Base64-like looking strings, in an obvious
effort from the developers to slow down the malware analysis (Figure 1).

Figure 1. Obfuscated function names as shown in decompiler

CONFIGURATION

The first step is the initialization of the agent’s configuration parameters.
The initialization values are XOR-encrypted and Base64-encoded in the agent’s
binary (Figure 2). 

Figure 2. Example of the decrypted configuration

The configuration’s file format is a custom TLV-like (length-type-length-value)
format. The “KTLV” marker is usually prepended with four-byte length of the
structure and behaves like a marker of the beginning of the structure. Then, a
list of parameters and their values follows. From Figure 3, you can notice a
“proto” parameter, which is five bytes long (notice 05 followed by proto string,
followed by type 02 ( = string ), followed by length 04 ( = 4 bytes ), followed
by string http, which is the protocol parameter value.

Figure 3. Parameter proto, type string (02), value http, as stored in
configuration file
Figure 4. Parameter sleep, type long long (08), value 0x7530 = 30 000
milliseconds = 30 seconds, as stored in configuration file

The supported type formats are shown in Table 1:

Value Type 01 structure/iteration (followed by KTLV marker) 02 string 03 boolean
(1byte) 08 long long (8 bytes) 09 integer (4 bytes) 0B byte (1 byte)

Table 1. Supported value type formats

The configuration file may contain the following parameters, as shown in Table
2:

Parameter name Type Description/comment listen string active mode (default) /
passive mode connect string Encrypted C&C servers duplex boolean Simplex or
duplex delivery conn_timeout long long   max_read_limit long long  
conn_max_retry long long   proxy string   proto string http, tcp, dns, icmp
domain string   host string   secret string To decrypt value(s) of “connect” tls
boolean Enabled or disabled stls boolean Enabled or disabled sleep long long  
jitter long long Sleep time variation silent boolean   long_connection_boundary
long long   short_connection_wait_time long long   client_id string Hardcoded
GUID of target external_channel_enabled boolean Should get external IP or not
external_type string   auth_param struct Contains “http_header” and “uri”
http_header string   uri string Request’s URL path debug boolean Enabled or
disabled

Table 2. Supported configuration parameters

The configuration is processed, and the internal configuration structure
(Config) is updated. Part of the Config structure is the HostInfo structure,
which also contains additional parameters about the currently infected machine
(Table 3). These structures are updated based on the current machine
environment.

Parameter name Type Description/comment Session string Randomly generated GUID
during each run RealIP string Obtained from ipconfig / ifconfig Username string
  Hostname string   ProcessName string   Executable string   PID uint32 Process
ID ParentProcessName string   PPID uint32 Parent process ID Arch string 32 or 64
bit OS string OS name Platform string OS name + version Disks string List of
available disks DiskDetails string List of available disks + their sizes Uptime
string   Feature string MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography
Protocol string Value from the config Proxy string Value from the config Domain
string Value from the config Host string Value from the config TLSEnable boolean
Value from the config STLSEnable boolean Value from the config ExternalIP string
External IP address obtained via http://myip.ipip.net; only if
external_channel_enabled set SleepTime uint64 Value from the config Jitter
uint64 Value from the config ReConnectTime uint64 Value from the config Env
string Environment variables ClientID string Value from the config IsAdmin
boolean True or false Mode string Active or passive

Table 3. HostInfo parameters

CONNECTION SETTINGS

The C&C server(s) are stored in the “connect” value. The value is
AES-GCM-encrypted and Base64-encoded. The AES-GCM method uses a standard
prepended 12-byte nonce and appended 16-byte tag. The AES-GCM key is derived
from a “secret” value by computing the MD5 hash of it and using key padding
(extending the key size) to 32-bytes by appending 16 zeroes (0x00 bytes) to it.

KTLVDOOR MALWARE COMMUNICATION

After the initialization steps are completed, the agent starts a communication
loop with the C&C server. The communication is done by sending and receiving
messages, which are GZIP-compressed and AES-GCM-encrypted. Based on the
configuration settings, the message delivery can be either in simplex mode (one
device on channel can only send, another device on the channel can only receive)
or in duplex mode (both devices can simultaneously send and receive messages).

Each message contains a message header followed by the message data (msg).

Field name Field type Field value sender String Session ID or admin receiver
String Session ID or admin token String   route String   task_id uint64  
task_status uint8   task_type uint64   sub_task_type uint64  

Table 4. Message header fields
Figure 5. Message with OS info sent to the C&C server

Notice that the sender of this outgoing message (from the infected machine to
the C&C server) has the session ID of the currently infected machine. The
receiver is “admin”, which is the C&C server. In the case of the incoming
message (from the C&C server to the infected machine), the “sender” is “admin”
and the “receiver” is the session ID. In the case of sending the HostInfo
message to the C&C server, notice that the parameter name “msg” (containing
message content) followed by “KTLV” marker (Figure 5), which contains all the
fields from HostInfo structure (Table 4).

RECEIVING TASK

The agent implements several handlers for processing received tasks from the C&C
server (Table 5).

Handler Subtasks Parameters Description Breakchain   shell
flag
cmd
abs_path Start terminal
Run command
Wait three seconds
Kill terminal (SIGKILL) Exit     Exit process FileDownload   file_path
section_size Read file
Upload it to C&C FileMD5   file_path Read file
Compute MD5 hash FileManager 01 - list all files
02 - Create dir
03 - Create file
04 - Delete file
05 - Copy file
06 - Rename
07 - Write file
08 - Read file
09 - Change access permissions dirName
OR
file_path
OR
dst_path
src_path
OR
file_path
file_content
OR
mode File and directory operations FileUpload   file_path
file_contents
position Write data from server to file on victim machine GC     Run garbage
collection InteractiveShell   send
data
OR
start
OR
stop
OR
recv   NetStat 01 - list connections     PortScan   gateway
ips
ports
    Process 01 - list
02 - kill pid   RefreshHostInfo       Run   cmdn! Run command Sleep   sleep_time
jitter   TimeStomp   src_path
dst_path
time   TaskCache 01 - list of tasks
02 - delete task
03 - clear task cache task_id
    SoInject 04 -  inject to library plugin_task_type
tmp_payload_cache
params Run shellcode, Linux platform ReflectDllInject     Run shellcode, Windows
platform Socks 01 – start handler
02 – get task
04 – data via TCP
05 – close TCP
06 – data via UDP
08 – connect to address via UDP seq
addr
username
password
OR
task_id
OR
seq
data
  Socks proxy

Table 5. Handlers for processing tasks from C&C server

PortScan implements many scanning methods, including:

 * ScanTCP
 * ScanRDP
 * ScanWinRM
 * ScanSmb2
 * RdpWithNTLM
 * DialTLS
 * DialTCP
 * ScanPing
 * ScanPing
 * ScanMssql
 * ScanBanner
 * ScanWeb

CONCLUSION

We have been able to tie samples of KTLVdoor to the threat actor Earth Lusca
with high confidence. However, we were not able to tie several other samples of
this malware family to this threat actor. In addition, the size of the
infrastructure we have been able to discover is very unusual. Seeing that all
C&C servers were on IP addresses from China-based provider Alibaba, we wonder if
the whole appearance of this new malware and the C&C server could not be some
early stage of testing new tooling.

This new tool is used by Earth Lusca, but it might also be shared with other
Chinese-speaking threat actors. While a lot of details on this campaign are not
yet known, we will keep monitoring this activity and possibly give updates about
it at a later time.

TREND SOLUTIONS

Organizations looking to defend themselves from sophisticated attacks can
consider powerful security technologies such as Trend Vision One™, which allows
security teams to continuously identify attack surfaces, including both known
and unknown, plus managed and unmanaged cyber assets. Vision One™ offers
multilayered protection and behavior detection, helping block malicious tools
and services before they can inflict damage on user machines and systems.

INDICATORS OF COMPROMISE (IOCS)

The full list of IOCs can be found here.

Tags
Malware | Articles, News, Reports | Research


AUTHORS

 * Cedric Pernet
   
   Sr. Threat Researcher

 * Jaromir Horejsi
   
   Threat Researcher

Contact Us
Subscribe


RELATED ARTICLES

 * Why NDR is Key to Cyber 'Pest Control'
 * How AI Goes Rogue
 * Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence

See all articles


Experience our unified platform for free


 * Claim your 30-day trial

 * 
 * 
 * 
 * 
 * 


RESOURCES

 * Blog
 * Newsroom
 * Threat Reports
 * DevOps Resource Center
 * CISO Resource Center
 * Find a Partner


SUPPORT

 * Business Support Portal
 * Contact Us
 * Downloads
 * Free Trials
 * 
 * 


ABOUT TREND

 * About Us
 * Careers
 * Locations
 * Upcoming Events
 * Trust Center
 * 

Country Headquarters

Trend Micro - United States (US)

225 East John Carpenter Freeway
Suite 1500
Irving, Texas 75062

Phone: +1 (817) 569-8900

Select a country / region

United States expand_more
close

THE AMERICAS

 * United States
 * Brasil
 * Canada
 * México

MIDDLE EAST & AFRICA

 * South Africa
 * Middle East and North Africa

EUROPE

 * België (Belgium)
 * Česká Republika
 * Danmark
 * Deutschland, Österreich Schweiz
 * España
 * France
 * Ireland
 * Italia
 * Nederland
 * Norge (Norway)
 * Polska (Poland)
 * Suomi (Finland)
 * Sverige (Sweden)
 * Türkiye (Turkey)
 * United Kingdom

ASIA & PACIFIC

 * Australia
 * Центральная Азия (Central Asia)
 * Hong Kong (English)
 * 香港 (中文) (Hong Kong)
 * भारत गणराज्य (India)
 * Indonesia
 * 日本 (Japan)
 * 대한민국 (South Korea)
 * Malaysia
 * Монголия (Mongolia) and рузия (Georgia)
 * New Zealand
 * Philippines
 * Singapore
 * 台灣 (Taiwan)
 * ประเทศไทย (Thailand)
 * Việt Nam

Privacy | Legal | Accessibility | Site map

Copyright ©2024 Trend Micro Incorporated. All rights reserved

Copyright ©2024 Trend Micro Incorporated. All rights reserved


sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more
Cookies Settings Accept

✓
Danke für das Teilen!
AddToAny
Mehr…


word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word

mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1

BDOW!