www.trendmicro.com
Open in
urlscan Pro
23.206.209.41
Public Scan
URL:
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
Submission: On September 05 via api from TR — Scanned from DE
Submission: On September 05 via api from TR — Scanned from DE
Form analysis
1 forms found in the DOM<form class="main-menu-search" aria-label="Search Trend Micro">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>
Text Content
Business search close * Solutions * By Challenge * By Challenge * By Challenge Learn more * Understand, Prioritize & Mitigate Risks * Understand, Prioritize & Mitigate Risks Improve your risk posture with attack surface management Learn more * Protect Cloud-Native Apps * Protect Cloud-Native Apps Security that enables business outcomes Learn more * Protect Your Hybrid World * Protect Your Hybrid, Multi-Cloud World Gain visibility and meet business needs with security Learn more * Securing Your Borderless Workforce * Securing Your Borderless Workforce Connect with confidence from anywhere, on any device Learn more * Eliminate Network Blind Spots * Eliminate Network Blind Spots Secure users and key operations throughout your environment Learn more * See More. Respond Faster. * See More. Respond Faster. Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities Learn more * Extend Your Team * Extend Your Team. Respond to Threats Agilely Maximize effectiveness with proactive risk reduction and managed services Learn more * Operationalizing Zero Trust * Operationalizing Zero Trust Understand your attack surface, assess your risk in real time, and adjust policies across network, workloads, and devices from a single console Learn more * By Role * By Role * By Role Learn more * CISO * CISO Drive business value with measurable cybersecurity outcomes Learn more * SOC Manager * SOC Manager See more, act faster Learn more * Infrastructure Manager * Infrastructure Manager Evolve your security to mitigate threats quickly and effectively Learn more * Cloud Builder and Developer * Cloud Builder and Developer Ensure code runs only as intended Learn more * Cloud Security Ops * Cloud Security Ops Gain visibility and control with security designed for cloud environments Learn more * By Industry * By Industry * By Industry Learn more * Healthcare * Healthcare Protect patient data, devices, and networks while meeting regulations Learn more * Manufacturing * Manufacturing Protecting your factory environments – from traditional devices to state-of-the-art infrastructures Learn more * Oil & Gas * Oil & Gas ICS/OT Security for the oil and gas utility industry Learn more * Electric Utility * Electric Utility ICS/OT Security for the electric utility Learn more * Federal * Federal Learn more * Automotive * Automotive Learn more * 5G Networks * 5G Networks Learn more * Small & Midsized Business Security * Small & Midsized Business Security Stop threats with comprehensive, set-it-and-forget-it protection Learn more * Platform * Vision One Platform * Vision One Platform * Trend Vision One Our Unified Platform Bridge threat protection and cyber risk management Learn more * AI Companion * Trend Vision One Companion Your generative AI cybersecurity assistant Learn more * Attack Surface Management * Attack Surface Management Stop breaches before they happen Learn more * XDR (Extended Detection & Response) * XDR (Extended Detection & Response) Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Cloud Security * Cloud Security * Trend Vision One™ Cloud Security Overview The most trusted cloud security platform for developers, security teams, and businesses Learn more * Attack Surface Risk Management for Cloud * Attack Surface Risk Management for Cloud Cloud asset discovery, vulnerability prioritization, Cloud Security Posture Management, and Attack Surface Management all in one Learn more * XDR for Cloud * XDR for Cloud Extend visibility to the cloud and streamline SOC investigations Learn more * Workload Security * Workload Security Secure your data center, cloud, and containers without compromising performance by leveraging a cloud security platform with CNAPP capabilities Learn more * Container Security * Container Security Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection Learn more * File Security * File Security Protect application workflow and cloud storage against advanced threats Learn more * Endpoint Security * Endpoint Security * Endpoint Security Overview Defend the endpoint through every stage of an attack Learn more * XDR for Endpoint * XDR for Endpoint Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Workload Security * Workload Security Optimized prevention, detection, and response for endpoints, servers, and cloud workloads Learn more * Industrial Endpoint Security * Industrial Endpoint Security Learn more * Mobile Security * Mobile Security On-premises and cloud protection against malware, malicious applications, and other mobile threats Learn more * Network Security * Network Security * Network Security Overview Expand the power of XDR with network detection and response Learn more * XDR for Network * XDR for Network Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Network Intrusion Prevention (IPS) * Network Intrusion Prevention (IPS) Protect against known, unknown, and undisclosed vulnerabilities in your network Learn more * Breach Detection System (BDS) * Breach Detection System (BDS) Detect and respond to targeted attacks moving inbound, outbound, and laterally Learn more * Secure Service Edge (SSE) * Secure Service Edge (SSE) Redefine trust and secure digital transformation with continuous risk assessments Learn more * Industrial Network Security * Industrial Network Security Learn more * 5G Network Security * 5G Network Security Learn more * Email Security * Email Security * Email Security Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise Learn more * Email and Collaboration Security * Trend Vision One™ Email and Collaboration Security Stop phishing, ransomware, and targeted attacks on any email service including Microsoft 365 and Google Workspace Learn more * OT Security * OT Security * OT Security Learn about solutions for ICS / OT security. Learn more * XDR for OT * XDR for OT Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Industrial Network Security * Industrial Network Security Industrial Network Security * Industrial Endpoint Security * Industrial Endpoint Security Learn more * Threat Insights * Threat Insights See threats coming from miles away Learn more * Identity Security * Identity Security End-to-end identity security from identity posture management to detection and response Learn more * On-Premises Data Sovereignty * On-Premises Data Sovereignty Prevent, detect, respond and protect without compromising data sovereignty Learn more * All Products, Services, and Trials * All Products, Services, and Trials Learn more * Research * Research * Research * Research Learn more * Research, News, and Perspectives * Research, News, and Perspectives Learn more * Research and Analysis * Research and Analysis Learn more * Security News * Security News Learn more * Zero Day Initiatives (ZDI) * Zero Day Initiatives (ZDI) Learn more * Services * Our Services * Our Services * Our Services Learn more * Service Packages * Service Packages Augment security teams with 24/7/365 managed detection, response, and support Learn more * Managed XDR * Managed XDR Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks Learn more * Incident Response * Incident Response * Incident Response Our trusted experts are on call whether you're experiencing a breach or looking to proactively improve your IR plans Learn more * Insurance Carriers and Law Firms * Insurance Carriers and Law Firms Stop breaches with the best response and detection technology on the market and reduce clients’ downtime and claim costs Learn more * Support Services * Support Services Learn more * Partners * Partner Program * Partner Program * Partner Program Overview Grow your business and protect your customers with the best-in-class complete, multilayered security Learn more * Managed Security Service Provider * Managed Security Service Provider Deliver modern security operations services with our industry-leading XDR Learn more * Managed Service Provider * Managed Service Provider Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs Learn more * Cloud Service Provider * Cloud Service Provider Add market-leading security to your cloud service offerings – no matter which platform you use Learn more * Professional Services * Professional Services Increase revenue with industry-leading security Learn more * Resellers * Resellers Discover the possibilities Learn more * Marketplace * Marketplace Learn more * System Integrators * System Integrators Learn more * Alliance Partners * Alliance Partners * Alliance Overview We work with the best to help you optimize performance and value Learn more * Technology Alliance Partners * Technology Alliance Partners Learn more * Our Alliance Partners * Our Alliance Partners Learn more * Partner Tools * Partner Tools * Partner Tools Learn more * Partner Login * Partner Login Login * Education and Certification * Education and Certification Learn more * Partner Successes * Partner Successes Learn more * Distributors * Distributors Learn more * Find a Partner * Find a Partner Learn more * Company * Why Trend Micro * Why Trend Micro * Why Trend Micro Learn more * Customer Success Stories * Customer Success Stories Learn more * The Human Connection * The Human Connection Learn more * Industry Accolades * Industry Accolades Learn more * Strategic Alliances * Strategic Alliances Learn more * Compare Trend Micro * Compare Trend Micro * Compare Trend Micro See how Trend outperforms the competition Let's go * vs. Crowdstrike * Trend Micro vs. Crowdstrike Crowdstrike provides effective cybersecurity through its cloud-native platform, but its pricing may stretch budgets, especially for organizations seeking cost-effective scalability through a true single platform Let's go * vs. Microsoft * Trend Micro vs. Microsoft Microsoft offers a foundational layer of protection, yet it often requires supplemental solutions to fully address customers' security problems Let's go * vs. Palo Alto Networks * Trend Micro vs. Palo Alto Networks Palo Alto Networks delivers advanced cybersecurity solutions, but navigating its comprehensive suite can be complex and unlocking all capabilities requires significant investment Let's go * About Us * About Us * About Us Learn more * Trust Center * Trust Center Learn more * History * History Learn more * Diversity, Equity and Inclusion * Diversity, Equity and Inclusion Learn more * Corporate Social Responsibility * Corporate Social Responsibility Learn more * Leadership * Leadership Learn more * Security Experts * Security Experts Learn more * Internet Safety and Cybersecurity Education * Internet Safety and Cybersecurity Education Learn more * Legal * Legal Learn more * Investors * Investors Learn more * Formula E Racing * Formula E Racing Learn more * Connect With Us * Connect With Us * Connect With Us Learn more * Newsroom * Newsroom Learn more * Events * Events Learn more * Careers * Careers Learn more * Webinars * Webinars Learn more Back Back Back Back * Free Trials * Contact Us Looking for home solutions? Under Attack? 4 Alerts Back Unread All * Imagine with AI. Secure with Trend. close Get expert insight > * Confidence in GenAI: The Zero Trust Approach close Read blog > * Trend 2024 Midyear Cybersecurity Threat Report close Read findings > * Pressing Pause on a Play Ransomware Attack with Managed Detection and Response close Read more > Folio (0) Support * Business Support Portal * Education and Certification * Contact Support * Find a Support Partner Resources * AI Hub * Trend Micro vs. Competition * Cyber Risk Index/Assessment * CISO Resource Center * DevOps Resource Center * What Is? * Threat Encyclopedia * Cloud Health Assessment * Cyber Insurance * Glossary of Terms * Webinars Log In * Vision One * Support * Partner Portal * Cloud One * Product Activation and Management * Referral Affiliate Back arrow_back search close Content has been added to your Folio Go to Folio (0) close Malware EARTH LUSCA USES KTLVDOOR BACKDOOR FOR MULTIPLATFORM INTRUSION While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. By: Cedric Pernet, Jaromir Horejsi September 04, 2024 Read time: 6 min (1736 words) Save to Folio Subscribe -------------------------------------------------------------------------------- SUMMARY * During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions. * KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning. * The malware's configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis. * The scale of the attack campaign is significant, with over 50 C&C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors. We discovered a new multiplatform backdoor written in Golang that we named KTLVdoor while monitoring Earth Lusca, a Chinese-speaking threat actor we had previously covered. Our investigation also uncovered both Microsoft Windows and Linux versions of this new malware family. This previously unreported malware is more complex than the usual tools used by the threat actor. It is highly obfuscated and is being spread in the wild impersonating various system utilities names or similar tools, such as sshd, java, sqlite, bash, edr-agent, and more. The backdoor (agent) is usually distributed as a dynamic library (DLL, SO). The malware features enable the attackers to fully control the environment: run commands, manipulate files, provide system and network information, using proxies, download/upload files, scan remote ports and more. The scale of the attack campaign is surprising, as we were able to find more than 50 C&C servers, all hosted at Alibaba in China, communicating with variants of the malware family. While some of those malware samples are tied to Earth Lusca with high confidence, we cannot be sure that the whole infrastructure is used solely by this threat actor. The infrastructure might be shared with other Chinese-speaking threat actors. We could only find one target of the operation for the moment, a trading company based in China. It is not the first time a Chinese-speaking threat actor has targeted a Chinese company; groups like Iron Tiger and Void Arachne have likewise used tools aimed specifically at Chinese-language speakers. KTLVDOOR MALWARE ANALYSIS HIGHLY OBFUSCATED Most of the samples discovered in this campaign are obfuscated: embedded strings are not directly readable, symbols are stripped and most of the functions and packages were renamed to random Base64-like looking strings, in an obvious effort from the developers to slow down the malware analysis (Figure 1). Figure 1. Obfuscated function names as shown in decompiler CONFIGURATION The first step is the initialization of the agent’s configuration parameters. The initialization values are XOR-encrypted and Base64-encoded in the agent’s binary (Figure 2). Figure 2. Example of the decrypted configuration The configuration’s file format is a custom TLV-like (length-type-length-value) format. The “KTLV” marker is usually prepended with four-byte length of the structure and behaves like a marker of the beginning of the structure. Then, a list of parameters and their values follows. From Figure 3, you can notice a “proto” parameter, which is five bytes long (notice 05 followed by proto string, followed by type 02 ( = string ), followed by length 04 ( = 4 bytes ), followed by string http, which is the protocol parameter value. Figure 3. Parameter proto, type string (02), value http, as stored in configuration file Figure 4. Parameter sleep, type long long (08), value 0x7530 = 30 000 milliseconds = 30 seconds, as stored in configuration file The supported type formats are shown in Table 1: Value Type 01 structure/iteration (followed by KTLV marker) 02 string 03 boolean (1byte) 08 long long (8 bytes) 09 integer (4 bytes) 0B byte (1 byte) Table 1. Supported value type formats The configuration file may contain the following parameters, as shown in Table 2: Parameter name Type Description/comment listen string active mode (default) / passive mode connect string Encrypted C&C servers duplex boolean Simplex or duplex delivery conn_timeout long long max_read_limit long long conn_max_retry long long proxy string proto string http, tcp, dns, icmp domain string host string secret string To decrypt value(s) of “connect” tls boolean Enabled or disabled stls boolean Enabled or disabled sleep long long jitter long long Sleep time variation silent boolean long_connection_boundary long long short_connection_wait_time long long client_id string Hardcoded GUID of target external_channel_enabled boolean Should get external IP or not external_type string auth_param struct Contains “http_header” and “uri” http_header string uri string Request’s URL path debug boolean Enabled or disabled Table 2. Supported configuration parameters The configuration is processed, and the internal configuration structure (Config) is updated. Part of the Config structure is the HostInfo structure, which also contains additional parameters about the currently infected machine (Table 3). These structures are updated based on the current machine environment. Parameter name Type Description/comment Session string Randomly generated GUID during each run RealIP string Obtained from ipconfig / ifconfig Username string Hostname string ProcessName string Executable string PID uint32 Process ID ParentProcessName string PPID uint32 Parent process ID Arch string 32 or 64 bit OS string OS name Platform string OS name + version Disks string List of available disks DiskDetails string List of available disks + their sizes Uptime string Feature string MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography Protocol string Value from the config Proxy string Value from the config Domain string Value from the config Host string Value from the config TLSEnable boolean Value from the config STLSEnable boolean Value from the config ExternalIP string External IP address obtained via http://myip.ipip.net; only if external_channel_enabled set SleepTime uint64 Value from the config Jitter uint64 Value from the config ReConnectTime uint64 Value from the config Env string Environment variables ClientID string Value from the config IsAdmin boolean True or false Mode string Active or passive Table 3. HostInfo parameters CONNECTION SETTINGS The C&C server(s) are stored in the “connect” value. The value is AES-GCM-encrypted and Base64-encoded. The AES-GCM method uses a standard prepended 12-byte nonce and appended 16-byte tag. The AES-GCM key is derived from a “secret” value by computing the MD5 hash of it and using key padding (extending the key size) to 32-bytes by appending 16 zeroes (0x00 bytes) to it. KTLVDOOR MALWARE COMMUNICATION After the initialization steps are completed, the agent starts a communication loop with the C&C server. The communication is done by sending and receiving messages, which are GZIP-compressed and AES-GCM-encrypted. Based on the configuration settings, the message delivery can be either in simplex mode (one device on channel can only send, another device on the channel can only receive) or in duplex mode (both devices can simultaneously send and receive messages). Each message contains a message header followed by the message data (msg). Field name Field type Field value sender String Session ID or admin receiver String Session ID or admin token String route String task_id uint64 task_status uint8 task_type uint64 sub_task_type uint64 Table 4. Message header fields Figure 5. Message with OS info sent to the C&C server Notice that the sender of this outgoing message (from the infected machine to the C&C server) has the session ID of the currently infected machine. The receiver is “admin”, which is the C&C server. In the case of the incoming message (from the C&C server to the infected machine), the “sender” is “admin” and the “receiver” is the session ID. In the case of sending the HostInfo message to the C&C server, notice that the parameter name “msg” (containing message content) followed by “KTLV” marker (Figure 5), which contains all the fields from HostInfo structure (Table 4). RECEIVING TASK The agent implements several handlers for processing received tasks from the C&C server (Table 5). Handler Subtasks Parameters Description Breakchain shell flag cmd abs_path Start terminal Run command Wait three seconds Kill terminal (SIGKILL) Exit Exit process FileDownload file_path section_size Read file Upload it to C&C FileMD5 file_path Read file Compute MD5 hash FileManager 01 - list all files 02 - Create dir 03 - Create file 04 - Delete file 05 - Copy file 06 - Rename 07 - Write file 08 - Read file 09 - Change access permissions dirName OR file_path OR dst_path src_path OR file_path file_content OR mode File and directory operations FileUpload file_path file_contents position Write data from server to file on victim machine GC Run garbage collection InteractiveShell send data OR start OR stop OR recv NetStat 01 - list connections PortScan gateway ips ports Process 01 - list 02 - kill pid RefreshHostInfo Run cmdn! Run command Sleep sleep_time jitter TimeStomp src_path dst_path time TaskCache 01 - list of tasks 02 - delete task 03 - clear task cache task_id SoInject 04 - inject to library plugin_task_type tmp_payload_cache params Run shellcode, Linux platform ReflectDllInject Run shellcode, Windows platform Socks 01 – start handler 02 – get task 04 – data via TCP 05 – close TCP 06 – data via UDP 08 – connect to address via UDP seq addr username password OR task_id OR seq data Socks proxy Table 5. Handlers for processing tasks from C&C server PortScan implements many scanning methods, including: * ScanTCP * ScanRDP * ScanWinRM * ScanSmb2 * RdpWithNTLM * DialTLS * DialTCP * ScanPing * ScanPing * ScanMssql * ScanBanner * ScanWeb CONCLUSION We have been able to tie samples of KTLVdoor to the threat actor Earth Lusca with high confidence. However, we were not able to tie several other samples of this malware family to this threat actor. In addition, the size of the infrastructure we have been able to discover is very unusual. Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling. This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors. While a lot of details on this campaign are not yet known, we will keep monitoring this activity and possibly give updates about it at a later time. TREND SOLUTIONS Organizations looking to defend themselves from sophisticated attacks can consider powerful security technologies such as Trend Vision One™, which allows security teams to continuously identify attack surfaces, including both known and unknown, plus managed and unmanaged cyber assets. Vision One™ offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems. INDICATORS OF COMPROMISE (IOCS) The full list of IOCs can be found here. Tags Malware | Articles, News, Reports | Research AUTHORS * Cedric Pernet Sr. Threat Researcher * Jaromir Horejsi Threat Researcher Contact Us Subscribe RELATED ARTICLES * Why NDR is Key to Cyber 'Pest Control' * How AI Goes Rogue * Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence See all articles Experience our unified platform for free * Claim your 30-day trial * * * * * RESOURCES * Blog * Newsroom * Threat Reports * DevOps Resource Center * CISO Resource Center * Find a Partner SUPPORT * Business Support Portal * Contact Us * Downloads * Free Trials * * ABOUT TREND * About Us * Careers * Locations * Upcoming Events * Trust Center * Country Headquarters Trend Micro - United States (US) 225 East John Carpenter Freeway Suite 1500 Irving, Texas 75062 Phone: +1 (817) 569-8900 Select a country / region United States expand_more close THE AMERICAS * United States * Brasil * Canada * México MIDDLE EAST & AFRICA * South Africa * Middle East and North Africa EUROPE * België (Belgium) * Česká Republika * Danmark * Deutschland, Österreich Schweiz * España * France * Ireland * Italia * Nederland * Norge (Norway) * Polska (Poland) * Suomi (Finland) * Sverige (Sweden) * Türkiye (Turkey) * United Kingdom ASIA & PACIFIC * Australia * Центральная Азия (Central Asia) * Hong Kong (English) * 香港 (中文) (Hong Kong) * भारत गणराज्य (India) * Indonesia * 日本 (Japan) * 대한민국 (South Korea) * Malaysia * Монголия (Mongolia) and рузия (Georgia) * New Zealand * Philippines * Singapore * 台灣 (Taiwan) * ประเทศไทย (Thailand) * Việt Nam Privacy | Legal | Accessibility | Site map Copyright ©2024 Trend Micro Incorporated. All rights reserved Copyright ©2024 Trend Micro Incorporated. All rights reserved sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk This website uses cookies for website functionality, traffic analytics, personalization, social media functionality and advertising. Our Cookie Notice provides more information and explains how to amend your cookie settings.Learn more Cookies Settings Accept ✓ Danke für das Teilen! AddToAny Mehr… word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 BDOW!