Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

Sept. 4, 2024, 9:55 a.m.

Description

A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, manipulate files, and gather information. The campaign involves over 50 C&C servers hosted in China, potentially shared with other threat actors. KTLVdoor uses sophisticated encryption and obfuscation techniques, including a custom TLV-like configuration format and AES-GCM encryption for C&C communication. The malware's capabilities include file operations, command execution, port scanning, and proxy functionality.

External References

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--/Indicators%20of%20Compromise%20-%20Earth%20Lusca%20Uses%20KTLVdoor%20Backdoor%20for%20Multiplatform%20Intrusion.txt
https://otx.alienvault.com/pulse/66d826f2f61254f51a48bbe7
Tags
golang
2024-09-04
ktlvdoor

Date

  • Created: Sept. 4, 2024, 9:22 a.m.
  • Published: Sept. 4, 2024, 9:22 a.m.
  • Modified: Sept. 4, 2024, 9:55 a.m.

Indicators

  • fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1
  • fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7
  • dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641
  • d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0
  • d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1
  • d095e636400ee633ae22488bba77d53f584f1ff279fd604bb6e60c0211d1957e
  • c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d
  • c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132
  • b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2
  • aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3
  • aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e
  • a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848
  • 9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99
  • 99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404
  • 7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0
  • 6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525
  • 644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703
  • 3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb
  • 3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345
  • 20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
  • 19f94c523d4488a50584dd3d96500820e4f479cadcef4d14a1dd7cf939cd3154
  • 18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670
  • 1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68
  • 12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2
  • 1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25
  • 0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216
  • 01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267
  • 59.110.226.246
  • 59.110.136.109
  • 47.99.78.41
  • 47.98.50.198
  • 47.98.173.175
  • 47.97.109.62
  • 47.96.97.77
  • 47.96.5.136
  • 47.96.160.242
  • 47.96.135.49
  • 47.96.13.99
  • 47.96.106.167
  • 47.95.198.228
  • 47.95.12.152
  • 47.95.168.191
  • 47.94.229.250
  • 47.94.223.124
  • 47.94.227.15
  • 47.94.202.137
  • 47.94.200.23
  • 47.94.20.102
  • 47.94.194.248
  • 47.94.166.190
  • 47.94.143.163
  • 47.94.193.44
  • 47.93.47.186
  • 47.93.38.26
  • 47.102.36.88
  • 47.101.48.168
  • 47.101.43.111
  • 47.100.98.234
  • 47.100.59.42
  • 47.100.160.164
  • 47.100.121.195
  • 39.107.75.91
  • 39.107.67.131
  • 39.107.231.100
  • 39.107.101.26
  • 39.106.40.121
  • 39.106.13.202
  • 39.106.135.228
  • 39.105.121.123
  • 39.105.107.130
  • 182.92.243.166
  • 182.92.169.60
  • 182.92.155.149
  • 139.224.45.232
  • 182.92.101.4
  • 139.224.254.181
  • 139.196.89.210
  • 139.196.196.178
  • 123.57.6.3
  • 123.57.60.94
  • 123.57.223.22
  • 123.57.218.176
  • 121.40.70.23
  • 123.56.45.175
  • 118.31.53.137
  • 116.62.231.152
  • 116.62.142.53
  • 106.15.90.75
  • 106.15.193.24
  • 106.14.175.235
  • 101.201.69.42
  • 101.201.68.58
  • 101.201.35.96
  • 101.200.63.187
  • 47.98.121.179
  • 47.101.137.187
  • 101.200.156.217
  • 116.62.120.97
  • 182.92.233.242
  • http://59.110.226.246:443
  • http://59.110.136.109:9999
  • http://47.99.78.41:443
  • http://47.98.50.198:80
  • http://47.98.173.175:443
  • http://47.98.121.179:443
  • http://47.97.109.62:443
  • http://47.96.97.77:443
  • http://47.96.5.136:443
  • http://47.96.160.242:443
  • http://47.96.135.49:443
  • http://47.96.13.99:443
  • http://47.96.106.167:443
  • http://47.95.198.228:53
  • http://47.95.168.191:80
  • http://47.95.12.152:53
  • http://47.94.229.250:8081
  • http://47.94.229.250:443
  • http://47.94.227.15:443
  • http://47.94.223.124:9999
  • http://47.94.202.137:443
  • http://47.94.200.23:443
  • http://47.94.20.102:443
  • http://47.94.194.248:53
  • http://47.94.193.44:443
  • http://47.94.166.190:9999
  • http://47.94.143.163:443
  • http://47.93.47.186:443
  • http://47.93.38.26:53
  • http://47.102.36.88:53
  • http://47.101.48.168:80
  • http://47.101.43.111:53
  • http://47.101.137.187:8032
  • http://47.100.98.234:443
  • http://47.100.59.42:443
  • http://47.100.121.195:443
  • http://47.100.160.164:80
  • http://39.107.75.91:81
  • http://39.107.75.91:443
  • http://39.107.67.131:81
  • http://39.107.231.100:53
  • http://39.107.101.26:9999
  • http://39.106.40.121:53
  • http://39.106.135.228:53
  • http://39.106.13.202:443
  • http://39.105.121.123:9999
  • http://39.105.107.130:8081
  • http://39.105.107.130:443
  • http://182.92.243.166:1433
  • http://182.92.233.242:8081
  • http://182.92.233.242:443
  • http://182.92.169.60:8081
  • http://182.92.169.60:443
  • http://182.92.155.149:81
  • http://182.92.101.4:81
  • http://182.92.101.4:443
  • http://139.224.45.232:53
  • http://139.224.254.181:53
  • http://139.196.89.210:80
  • http://139.196.196.178:53
  • http://123.57.60.94:8081
  • http://123.57.60.94:443
  • http://123.57.6.3:81
  • http://123.57.223.22:81
  • http://123.57.223.22:443
  • http://123.57.218.176:81
  • http://123.56.45.175:81
  • http://123.56.45.175:443
  • http://121.40.70.23:443
  • http://118.31.53.137:443
  • http://116.62.231.152:443
  • http://116.62.142.53:443
  • http://116.62.120.97:443
  • http://106.15.90.75:80
  • http://106.15.193.24:443
  • http://106.14.175.235:443
  • http://101.201.69.42:443
  • http://101.201.68.58:53
  • http://101.201.35.96:53
  • http://101.200.63.187:53
  • http://101.200.156.217:81
Download all indicators here!

Attack Patterns

  • KTLVdoor
  • Earth Lusca

Additional Informations

  • Finance
  • China