Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

    Date: 09/05/2024

    Severity: Medium

    Summary

    Earth Lusca is using a backdoor tracked as KTLVdoor in multiplatform intrusions. The malware gives the group persistent access to and control over compromised hosts on different operating systems, supporting its cyber-espionage operations and the collection of sensitive information across those platforms.

    Indicators of Compromise (IOC) List

    IP Address

    39.105.121.123

    39.107.101.26

    47.94.223.124

    47.94.166.190

    59.110.136.109

    123.56.45.175

    123.57.223.22

    39.107.75.91

    182.92.101.4

    123.57.6.3

    39.107.67.131

    101.200.156.217

    182.92.155.149

    123.57.218.176

    47.99.78.41

    47.96.97.77

    47.96.5.136

    47.96.135.49

    116.62.120.97

    123.57.60.94

    39.105.107.130

    182.92.233.242

    47.94.229.250

    182.92.169.60

    47.96.160.242

    116.62.231.152

    47.96.13.99

    47.98.173.175

    47.97.109.62

    139.224.254.181

    139.224.45.232

    47.102.36.88

    47.101.43.111

    139.196.196.178

    47.100.98.234

    106.14.175.235

    106.15.193.24

    47.100.121.195

    47.100.59.42

    47.100.160.164

    47.101.48.168

    47.101.137.187

    139.196.89.210

    106.15.90.75

    47.93.38.26

    39.106.135.228

    47.95.198.228

    101.201.68.58

    47.94.194.248

    182.92.243.166

    47.95.168.191

    47.98.121.179

    47.96.106.167

    116.62.142.53

    121.40.70.23

    118.31.53.137

    47.98.50.198

    39.106.40.121

    101.200.63.187

    101.201.35.96

    39.107.231.100

    47.95.12.152

    47.94.20.102

    101.201.69.42

    47.94.202.137

    47.94.193.44

    47.94.227.15

    47.94.143.163

    39.106.13.202

    47.93.47.186

    59.110.226.246

    47.94.200.23

    Hash

    d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0
    
    1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25
    
    c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132
    
    a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848
    
    b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2
    
    dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641
    
    9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99
    
    0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216
    
    6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525
    
    7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0
    
    3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345
    
    aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e
    
    01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267
    
    3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb
    
    644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703
    
    fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7
    
    c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d
    
    20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
    
    d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1
    
    fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1
    
    18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670
    
    12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2
    
    aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3
    
    1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68
    
    99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address

    Query 1

    dstipaddress IN ("39.105.121.123","39.107.101.26","47.94.223.124","47.94.166.190","59.110.136.109","123.56.45.175","123.57.223.22","39.107.75.91","182.92.101.4","123.57.6.3","39.107.67.131","101.200.156.217","182.92.155.149","123.57.218.176","47.99.78.41","47.96.97.77","47.96.5.136","47.96.135.49","116.62.120.97","123.57.60.94","39.105.107.130") or ipaddress IN ("39.105.121.123","39.107.101.26","47.94.223.124","47.94.166.190","59.110.136.109","123.56.45.175","123.57.223.22","39.107.75.91","182.92.101.4","123.57.6.3","39.107.67.131","101.200.156.217","182.92.155.149","123.57.218.176","47.99.78.41","47.96.97.77","47.96.5.136","47.96.135.49","116.62.120.97","123.57.60.94","39.105.107.130") or publicipaddress IN ("39.105.121.123","39.107.101.26","47.94.223.124","47.94.166.190","59.110.136.109","123.56.45.175","123.57.223.22","39.107.75.91","182.92.101.4","123.57.6.3","39.107.67.131","101.200.156.217","182.92.155.149","123.57.218.176","47.99.78.41","47.96.97.77","47.96.5.136","47.96.135.49","116.62.120.97","123.57.60.94","39.105.107.130") or srcipaddress IN ("39.105.121.123","39.107.101.26","47.94.223.124","47.94.166.190","59.110.136.109","123.56.45.175","123.57.223.22","39.107.75.91","182.92.101.4","123.57.6.3","39.107.67.131","101.200.156.217","182.92.155.149","123.57.218.176","47.99.78.41","47.96.97.77","47.96.5.136","47.96.135.49","116.62.120.97","123.57.60.94","39.105.107.130")

    IP Address

    Query 2

    dstipaddress IN ("182.92.233.242","47.94.229.250","182.92.169.60","47.96.160.242","116.62.231.152","47.96.13.99","47.98.173.175","47.97.109.62","139.224.254.181","139.224.45.232","47.102.36.88","47.101.43.111","139.196.196.178","47.100.98.234","106.14.175.235","106.15.193.24","47.100.121.195","47.100.59.42","47.100.160.164","47.101.48.168") or ipaddress IN ("182.92.233.242","47.94.229.250","182.92.169.60","47.96.160.242","116.62.231.152","47.96.13.99","47.98.173.175","47.97.109.62","139.224.254.181","139.224.45.232","47.102.36.88","47.101.43.111","139.196.196.178","47.100.98.234","106.14.175.235","106.15.193.24","47.100.121.195","47.100.59.42","47.100.160.164","47.101.48.168") or publicipaddress IN ("182.92.233.242","47.94.229.250","182.92.169.60","47.96.160.242","116.62.231.152","47.96.13.99","47.98.173.175","47.97.109.62","139.224.254.181","139.224.45.232","47.102.36.88","47.101.43.111","139.196.196.178","47.100.98.234","106.14.175.235","106.15.193.24","47.100.121.195","47.100.59.42","47.100.160.164","47.101.48.168") or srcipaddress IN ("182.92.233.242","47.94.229.250","182.92.169.60","47.96.160.242","116.62.231.152","47.96.13.99","47.98.173.175","47.97.109.62","139.224.254.181","139.224.45.232","47.102.36.88","47.101.43.111","139.196.196.178","47.100.98.234","106.14.175.235","106.15.193.24","47.100.121.195","47.100.59.42","47.100.160.164","47.101.48.168")

    IP Address

    Query 3

    dstipaddress IN ("47.101.137.187","139.196.89.210","106.15.90.75","47.93.38.26","39.106.135.228","47.95.198.228","101.201.68.58","47.94.194.248","182.92.243.166","47.95.168.191","47.98.121.179","47.96.106.167","116.62.142.53","121.40.70.23","118.31.53.137","47.98.50.198","39.106.40.121","101.200.63.187","101.201.35.96","39.107.231.100","47.95.12.152","47.94.20.102","101.201.69.42","47.94.202.137","47.94.193.44","47.94.227.15","47.94.143.163","39.106.13.202","47.93.47.186","59.110.226.246","47.94.200.23") or ipaddress IN ("47.101.137.187","139.196.89.210","106.15.90.75","47.93.38.26","39.106.135.228","47.95.198.228","101.201.68.58","47.94.194.248","182.92.243.166","47.95.168.191","47.98.121.179","47.96.106.167","116.62.142.53","121.40.70.23","118.31.53.137","47.98.50.198","39.106.40.121","101.200.63.187","101.201.35.96","39.107.231.100","47.95.12.152","47.94.20.102","101.201.69.42","47.94.202.137","47.94.193.44","47.94.227.15","47.94.143.163","39.106.13.202","47.93.47.186","59.110.226.246","47.94.200.23") or publicipaddress IN ("47.101.137.187","139.196.89.210","106.15.90.75","47.93.38.26","39.106.135.228","47.95.198.228","101.201.68.58","47.94.194.248","182.92.243.166","47.95.168.191","47.98.121.179","47.96.106.167","116.62.142.53","121.40.70.23","118.31.53.137","47.98.50.198","39.106.40.121","101.200.63.187","101.201.35.96","39.107.231.100","47.95.12.152","47.94.20.102","101.201.69.42","47.94.202.137","47.94.193.44","47.94.227.15","47.94.143.163","39.106.13.202","47.93.47.186","59.110.226.246","47.94.200.23") or srcipaddress IN ("47.101.137.187","139.196.89.210","106.15.90.75","47.93.38.26","39.106.135.228","47.95.198.228","101.201.68.58","47.94.194.248","182.92.243.166","47.95.168.191","47.98.121.179","47.96.106.167","116.62.142.53","121.40.70.23","118.31.53.137","47.98.50.198","39.106.40.121","101.200.63.187","101.201.35.96","39.107.231.100","47.95.12.152","47.94.20.102","101.201.69.42","47.94.202.137","47.94.193.44","47.94.227.15","47.94.143.163","39.106.13.202","47.93.47.186","59.110.226.246","47.94.200.23")

    Hash

    sha256hash IN ("d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0","1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25","c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132","a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848","b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2","dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641","9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99","0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216","6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525","7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0","3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345","aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e","01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267","3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb","644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703","fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7","c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d","20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951","d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1","fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1","18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670","12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2","aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3","1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68","99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404")

    Note: all hashes above are written in lower case, matching the IOC list; if the hash field in your telemetry is stored in upper case, normalise it before matching so that a case-sensitive comparison does not miss a hit.
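    As an added check that is not part of the original advisory, the Python example below normalises the IOC list published on this page (the IP list as published repeats nine addresses, and the hash query mixes upper and lower case) and then runs the same four-field IP match plus the SHA-256 match over a handful of constructed log records. The field names are taken from the TDIR queries above; the record layout, the `id` key and the sample records themselves are assumptions made for the example. The hash list is copied from the hash query with its two upper-case entries left as they are so the normalisation step has something to do.

```python
"""Normalise this page's KTLVdoor IOC list and match it against log records.
Added example, not Gurucul or Trend Micro code. Field names mirror the TDIR
queries above (dstipaddress, srcipaddress, sha256hash); the log records at
the bottom are constructed for illustration, not real telemetry."""
import ipaddress
# IP IOCs exactly as listed on this page, duplicates included.
RAW_IPS = """
39.105.121.123 39.107.101.26 47.94.223.124 47.94.166.190 59.110.136.109
123.56.45.175 123.57.223.22 39.107.75.91 182.92.101.4 123.56.45.175
123.57.223.22 39.107.75.91 182.92.101.4 123.57.6.3 39.107.67.131
101.200.156.217 182.92.155.149 123.57.218.176 47.99.78.41 47.96.97.77
47.96.5.136 47.96.135.49 116.62.120.97 123.57.60.94 39.105.107.130
182.92.233.242 47.94.229.250 182.92.169.60 47.96.160.242 116.62.231.152
47.96.13.99 47.98.173.175 47.97.109.62 139.224.254.181 139.224.45.232
47.102.36.88 47.101.43.111 139.196.196.178 123.57.60.94 39.105.107.130
182.92.233.242 47.94.229.250 182.92.169.60 47.100.98.234 106.14.175.235
106.15.193.24 47.100.121.195 47.100.59.42 47.100.160.164 47.101.48.168
47.101.137.187 139.196.89.210 106.15.90.75 47.93.38.26 39.106.135.228
47.95.198.228 101.201.68.58 47.94.194.248 182.92.243.166 47.95.168.191
47.98.121.179 47.96.106.167 116.62.142.53 121.40.70.23 118.31.53.137
47.98.50.198 39.106.40.121 101.200.63.187 101.201.35.96 39.107.231.100
47.95.12.152 47.94.20.102 101.201.69.42 47.94.202.137 47.94.193.44
47.94.227.15 47.94.143.163 39.106.13.202 47.93.47.186 59.110.226.246
47.94.200.23
""".split()
# SHA-256 IOCs from the hash query on this page; two of them are upper case there.
RAW_HASHES = """
d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0
1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25
c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132
a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848
b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2
dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641
9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99
0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216
6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525
7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0
3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345
aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e
01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267
3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb
644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703
FCF0CF8A19FA16792771310462D36F3C059ED7D36EF90899316313F4626D24D7
c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d
20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1
FD3205EDEF38248C059898274F5818ABBCB757ADB707CA47580D4B16772A38D1
18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670
12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2
aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3
1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68
99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404
""".split()

def normalise_ips(raw):
    """Validate each address and drop duplicates, keeping first-seen order."""
    seen = []
    for item in raw:
        ip = str(ipaddress.ip_address(item))  # ValueError on a malformed entry
        if ip not in seen:
            seen.append(ip)
    return seen

def normalise_hashes(raw):
    """Lower-case and validate SHA-256 hex so a case-sensitive match cannot miss."""
    out = []
    for item in raw:
        h = item.lower()
        if len(h) != 64 or h.strip("0123456789abcdef"):
            raise ValueError(f"not a SHA-256 hex digest: {item!r}")
        if h not in out:
            out.append(h)
    return out

IOC_IPS = normalise_ips(RAW_IPS)
IOC_HASHES = normalise_hashes(RAW_HASHES)
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def match_record(record):
    """Return the (field, value) pairs in one log record that hit an IOC."""
    hits = [(f, record[f]) for f in IP_FIELDS if record.get(f) in IOC_IPS]
    digest = record.get("sha256hash", "").lower()  # normalise the event side too
    if digest in IOC_HASHES:
        hits.append(("sha256hash", digest))
    return hits

def scan(records):
    """Run the IOC match over a batch of records and keep only the hits."""
    return [(r["id"], hits) for r in records if (hits := match_record(r))]

# Constructed records: two benign, two that should alert.
SAMPLE_RECORDS = [
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "93.184.216.34"},
    {"id": 2, "srcipaddress": "10.0.0.7", "dstipaddress": "47.94.200.23"},
    {"id": 3, "sha256hash": "FCF0CF8A19FA16792771310462D36F3C059ED7D36EF90899316313F4626D24D7"},
    {"id": 99, "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))
```

    Running the block prints the two hits (record 2 on the destination address, record 3 on the hash). After normalisation the list holds 72 distinct addresses rather than the 81 entries printed above, which is the number to expect when loading it into a watchlist; matching lower-cases the event-side digest as well, so the two upper-case entries in the query and any upper-case hashes in your telemetry resolve to the same indicator.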

    Reference:

    https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html


    Tags

    Malware, Backdoor, Cyber Espionage
