TLDR: New Cross-Platform Malware KTLVdoor Discovered
Key Points:
- Chinese-speaking threat actor Earth Lusca used a new backdoor named KTLVdoor in an attack on a trading company in China.
- KTLVdoor is written in Golang, making it a cross-platform malware targeting both Windows and Linux systems.
In a recent cyber attack on a Chinese trading company, researchers discovered a new cross-platform malware called KTLVdoor. The malware, written in Golang, is highly obfuscated and masquerades as various system utilities like sshd, Java, and bash. It allows attackers to carry out tasks such as file manipulation, command execution, and remote port scanning.
The malware communicates with over 50 command-and-control servers hosted at the Chinese company Alibaba, which suggests the infrastructure may be shared with other Chinese threat actors. Earth Lusca, the threat actor behind the attack, has been active since 2021 and is known for targeting entities globally.
KTLVdoor, the latest addition to Earth Lusca’s arsenal, utilizes a configuration file with a “KTLV” marker to connect to C&C servers in China. The malware supports commands for file operations, shell execution, and scanning capabilities like ScanTCP and ScanRDP.
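The two observable traits the summary gives a defender (a configuration carrying a "KTLV" marker, and a backdoor that names itself after sshd, Java or bash) can be turned into a simple triage script. The code below is an added example written for this page, not tooling from the original report or its researchers; the trusted install directories, the process-snapshot format and the sample files are assumptions constructed for the demonstration, and a bare "KTLV" byte match is a weak indicator that will also hit unrelated files.

```python
"""Triage helpers for KTLVdoor-style indicators (added example, not from the report).

Two weak, defender-side checks drawn from the summary above:
  1. files whose content carries the "KTLV" configuration marker, and
  2. processes whose name matches a utility the malware impersonates (sshd, java, bash)
     but whose executable path is outside the usual system locations.
Both are triage hints, not proof; the "KTLV" byte string alone will match unrelated files.
"""
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

KTLV_MARKER = b"KTLV"

# Names the report says KTLVdoor masquerades as. The trusted directories are an
# assumption made for this example, not something taken from the report.
IMPERSONATED = {"sshd", "java", "bash"}
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/bin/", "/sbin/", "/usr/lib/jvm/")


def find_marker_files(root: str, max_bytes: int = 4 * 1024 * 1024) -> List[Tuple[str, int]]:
    """Walk `root` and return (path, offset) for files containing the KTLV marker.
    Only the first `max_bytes` of each file are read to bound scan cost."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable files are skipped, not treated as hits
            offset = data.find(KTLV_MARKER)
            if offset != -1:
                hits.append((path, offset))
    return sorted(hits)


def suspicious_processes(procs: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process records whose name is an impersonated utility but whose
    executable path is not under a trusted directory.
    Each record is a dict with "pid", "name" and "exe" keys (constructed format)."""
    flagged = []
    for p in procs:
        if p["name"].lower() in IMPERSONATED and not p["exe"].startswith(TRUSTED_DIRS):
            flagged.append(p)
    return flagged


def demo() -> Tuple[int, int]:
    """Build a constructed sample tree and process snapshot, run both checks,
    and return (marker_file_count, flagged_process_count)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "config.dat"), "wb") as fh:
        fh.write(b"\x00\x01KTLV" + b"\x00" * 16)  # constructed: carries the marker
    with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here")  # constructed: clean file
    marker_hits = find_marker_files(tmp)

    sample_procs = [  # constructed process snapshot
        {"pid": "812", "name": "sshd", "exe": "/usr/sbin/sshd"},
        {"pid": "4410", "name": "sshd", "exe": "/tmp/.cache/sshd"},
        {"pid": "4521", "name": "java", "exe": "/usr/lib/jvm/java-17/bin/java"},
        {"pid": "4799", "name": "bash", "exe": "/dev/shm/bash"},
    ]
    flagged = suspicious_processes(sample_procs)
    return len(marker_hits), len(flagged)


if __name__ == "__main__":
    print(demo())  # (1, 2): one marker file, two impersonating processes
```

On a live Linux host the process snapshot would come from `/proc/<pid>/comm` and `/proc/<pid>/exe`; the point of the second check is that a legitimate sshd or bash runs from a package-managed path, so an identically named binary in a writable location such as /tmp or /dev/shm deserves a closer look.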
While little is known about how KTLVdoor is distributed or the scope of its targets, researchers believe it could also be used by other Chinese-speaking threat actors. The presence of the C&C servers at Alibaba raises the question of whether this new malware is still in an early testing stage.