Back

Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

Sept. 4, 2024, 9:55 a.m.

Tags

golang
2024-09-04
ktlvdoor

External References

https://www.trendmicro.com/

https://otx.alienvault.com/

Description

A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, manipulate files, and gather information. The campaign involves over 50 C&C servers hosted in China, potentially shared with other threat actors. KTLVdoor uses sophisticated encryption and obfuscation techniques, including a custom TLV-like configuration format and AES-GCM encryption for C&C communication. The malware's capabilities include file operations, command execution, port scanning, and proxy functionality.

Date

Published Created Modified
Sept. 4, 2024, 9:22 a.m. Sept. 4, 2024, 9:22 a.m. Sept. 4, 2024, 9:55 a.m.

Indicators

fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1

fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7

dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641

d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0

d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1

d095e636400ee633ae22488bba77d53f584f1ff279fd604bb6e60c0211d1957e

c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d

c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132

b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2

aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3

aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e

a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848

9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99

99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404

7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0

6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525

644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703

3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb

3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345

20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951

19f94c523d4488a50584dd3d96500820e4f479cadcef4d14a1dd7cf939cd3154

18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670

1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68

12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2

1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25

0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216

01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267

59.110.226.246

59.110.136.109

47.99.78.41

47.98.50.198

47.98.173.175

47.97.109.62

47.96.97.77

47.96.5.136

47.96.160.242

47.96.135.49

47.96.13.99

47.96.106.167

47.95.198.228

47.95.12.152

47.95.168.191

47.94.229.250

47.94.223.124

47.94.227.15

47.94.202.137

47.94.200.23

47.94.20.102

47.94.194.248

47.94.166.190

47.94.143.163

47.94.193.44

47.93.47.186

47.93.38.26

47.102.36.88

47.101.48.168

47.101.43.111

47.100.98.234

47.100.59.42

47.100.160.164

47.100.121.195

39.107.75.91

39.107.67.131

39.107.231.100

39.107.101.26

39.106.40.121

39.106.13.202

39.106.135.228

39.105.121.123

39.105.107.130

182.92.243.166

182.92.169.60

182.92.155.149

139.224.45.232

182.92.101.4

139.224.254.181

139.196.89.210

139.196.196.178

123.57.6.3

123.57.60.94

123.57.223.22

123.57.218.176

121.40.70.23

123.56.45.175

118.31.53.137

116.62.231.152

116.62.142.53

106.15.90.75

106.15.193.24

106.14.175.235

101.201.69.42

101.201.68.58

101.201.35.96

101.200.63.187

47.98.121.179

47.101.137.187

101.200.156.217

116.62.120.97

182.92.233.242

http://59.110.226.246:443

http://59.110.136.109:9999

http://47.99.78.41:443

http://47.98.50.198:80

http://47.98.173.175:443

http://47.98.121.179:443

http://47.97.109.62:443

http://47.96.97.77:443

http://47.96.5.136:443

http://47.96.160.242:443

http://47.96.135.49:443

http://47.96.13.99:443

http://47.96.106.167:443

http://47.95.198.228:53

http://47.95.168.191:80

http://47.95.12.152:53

http://47.94.229.250:8081

http://47.94.229.250:443

http://47.94.227.15:443

http://47.94.223.124:9999

http://47.94.202.137:443

http://47.94.200.23:443

http://47.94.20.102:443

http://47.94.194.248:53

http://47.94.193.44:443

http://47.94.166.190:9999

http://47.94.143.163:443

http://47.93.47.186:443

http://47.93.38.26:53

http://47.102.36.88:53

http://47.101.48.168:80

http://47.101.43.111:53

http://47.101.137.187:8032

http://47.100.98.234:443

http://47.100.59.42:443

http://47.100.121.195:443

http://47.100.160.164:80

http://39.107.75.91:81

http://39.107.75.91:443

http://39.107.67.131:81

http://39.107.231.100:53

http://39.107.101.26:9999

http://39.106.40.121:53

http://39.106.135.228:53

http://39.106.13.202:443

http://39.105.121.123:9999

http://39.105.107.130:8081

http://39.105.107.130:443

http://182.92.243.166:1433

http://182.92.233.242:8081

http://182.92.233.242:443

http://182.92.169.60:8081

http://182.92.169.60:443

http://182.92.155.149:81

http://182.92.101.4:81

http://182.92.101.4:443

http://139.224.45.232:53

http://139.224.254.181:53

http://139.196.89.210:80

http://139.196.196.178:53

http://123.57.60.94:8081

http://123.57.60.94:443

http://123.57.6.3:81

http://123.57.223.22:81

http://123.57.223.22:443

http://123.57.218.176:81

http://123.56.45.175:81

http://123.56.45.175:443

http://121.40.70.23:443

http://118.31.53.137:443

http://116.62.231.152:443

http://116.62.142.53:443

http://116.62.120.97:443

http://106.15.90.75:80

http://106.15.193.24:443

http://106.14.175.235:443

http://101.201.69.42:443

http://101.201.68.58:53

http://101.201.35.96:53

http://101.200.63.187:53

http://101.200.156.217:81

Attack Patterns

KTLVdoor

Earth Lusca

T1021.002

T1505.003

T1021.001

T1124

T1027.002

T1571

T1070.006

T1016

T1082

T1057

T1105

T1083

T1055

T1046

T1036

T1033

T1027

T1090

T1078

Additional Informations

Finance

China