Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
Sept. 4, 2024, 9:55 a.m.
Tags
External References
Description
A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, manipulate files, and gather information. The campaign involves over 50 C&C servers hosted in China, potentially shared with other threat actors. KTLVdoor uses sophisticated encryption and obfuscation techniques, including a custom TLV-like configuration format and AES-GCM encryption for C&C communication. The malware's capabilities include file operations, command execution, port scanning, and proxy functionality.
Date
Published: Sept. 4, 2024, 9:22 a.m.
Created: Sept. 4, 2024, 9:22 a.m.
Modified: Sept. 4, 2024, 9:55 a.m.
Indicators
fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1
fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7
dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641
d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0
d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1
d095e636400ee633ae22488bba77d53f584f1ff279fd604bb6e60c0211d1957e
c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d
c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132
b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2
aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3
aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e
a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848
9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99
99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404
7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0
6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525
644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703
3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb
3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345
20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
19f94c523d4488a50584dd3d96500820e4f479cadcef4d14a1dd7cf939cd3154
18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670
1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68
12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2
1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25
0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216
01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267
59.110.226.246
59.110.136.109
47.99.78.41
47.98.50.198
47.98.173.175
47.97.109.62
47.96.97.77
47.96.5.136
47.96.160.242
47.96.135.49
47.96.13.99
47.96.106.167
47.95.198.228
47.95.12.152
47.95.168.191
47.94.229.250
47.94.223.124
47.94.227.15
47.94.202.137
47.94.200.23
47.94.20.102
47.94.194.248
47.94.166.190
47.94.143.163
47.94.193.44
47.93.47.186
47.93.38.26
47.102.36.88
47.101.48.168
47.101.43.111
47.100.98.234
47.100.59.42
47.100.160.164
47.100.121.195
39.107.75.91
39.107.67.131
39.107.231.100
39.107.101.26
39.106.40.121
39.106.13.202
39.106.135.228
39.105.121.123
39.105.107.130
182.92.243.166
182.92.169.60
182.92.155.149
139.224.45.232
182.92.101.4
139.224.254.181
139.196.89.210
139.196.196.178
123.57.6.3
123.57.60.94
123.57.223.22
123.57.218.176
121.40.70.23
123.56.45.175
118.31.53.137
116.62.231.152
116.62.142.53
106.15.90.75
106.15.193.24
106.14.175.235
101.201.69.42
101.201.68.58
101.201.35.96
101.200.63.187
47.98.121.179
47.101.137.187
101.200.156.217
116.62.120.97
182.92.233.242
http://59.110.226.246:443
http://59.110.136.109:9999
http://47.99.78.41:443
http://47.98.50.198:80
http://47.98.173.175:443
http://47.98.121.179:443
http://47.97.109.62:443
http://47.96.97.77:443
http://47.96.5.136:443
http://47.96.160.242:443
http://47.96.135.49:443
http://47.96.13.99:443
http://47.96.106.167:443
http://47.95.198.228:53
http://47.95.168.191:80
http://47.95.12.152:53
http://47.94.229.250:8081
http://47.94.229.250:443
http://47.94.227.15:443
http://47.94.223.124:9999
http://47.94.202.137:443
http://47.94.200.23:443
http://47.94.20.102:443
http://47.94.194.248:53
http://47.94.193.44:443
http://47.94.166.190:9999
http://47.94.143.163:443
http://47.93.47.186:443
http://47.93.38.26:53
http://47.102.36.88:53
http://47.101.48.168:80
http://47.101.43.111:53
http://47.101.137.187:8032
http://47.100.98.234:443
http://47.100.59.42:443
http://47.100.121.195:443
http://47.100.160.164:80
http://39.107.75.91:81
http://39.107.75.91:443
http://39.107.67.131:81
http://39.107.231.100:53
http://39.107.101.26:9999
http://39.106.40.121:53
http://39.106.135.228:53
http://39.106.13.202:443
http://39.105.121.123:9999
http://39.105.107.130:8081
http://39.105.107.130:443
http://182.92.243.166:1433
http://182.92.233.242:8081
http://182.92.233.242:443
http://182.92.169.60:8081
http://182.92.169.60:443
http://182.92.155.149:81
http://182.92.101.4:81
http://182.92.101.4:443
http://139.224.45.232:53
http://139.224.254.181:53
http://139.196.89.210:80
http://139.196.196.178:53
http://123.57.60.94:8081
http://123.57.60.94:443
http://123.57.6.3:81
http://123.57.223.22:81
http://123.57.223.22:443
http://123.57.218.176:81
http://123.56.45.175:81
http://123.56.45.175:443
http://121.40.70.23:443
http://118.31.53.137:443
http://116.62.231.152:443
http://116.62.142.53:443
http://116.62.120.97:443
http://106.15.90.75:80
http://106.15.193.24:443
http://106.14.175.235:443
http://101.201.69.42:443
http://101.201.68.58:53
http://101.201.35.96:53
http://101.200.63.187:53
http://101.200.156.217:81
Attack Patterns
KTLVdoor
Earth Lusca
T1021.002
T1505.003
T1021.001
T1124
T1027.002
T1571
T1070.006
T1016
T1082
T1057
T1105
T1083
T1055
T1046
T1036
T1033
T1027
T1090
T1078
Additional Informations
Finance
China