Derusbi

Malware updated 4 months ago (2024-05-04T20:19:35.930Z)
Derusbi is a sophisticated malware family with both Linux and Windows variants. It has been associated with Chinese cyber espionage operations since 2008, which makes it a long-standing concern for defenders. The malware primarily serves as a remote-access tool: once installed, it lets the attackers keep access to the targeted system, steal sensitive information, conduct reconnaissance and carry out other malicious activity. Its distinctive network communication structure and techniques set it apart from other malware families.

A notable feature of Derusbi is its use of the LD_PRELOAD technique to load a malicious shared object that exports the PAM APIs. Preloaded into processes and exporting the PAM interface, the library can interpose on authentication calls and carry out the attacker's actions from inside otherwise legitimate processes, which makes its activity hard to detect. Derusbi also implements an interactive shell, believed to be modelled on the Linux variant of the malware, which gives the attacker a command-line interface to the compromised system and further extends their control over the victim's machine.

Recent analyses of new backdoor variants have revealed striking similarities to Derusbi, suggesting that these newer threats drew inspiration from, or had direct access to, Derusbi's source code. In particular, the interactive shell of SprySOCKS, the Earth Lusca backdoor, and of other malware appears to be based on the Linux variant of Derusbi. These findings underscore the enduring influence of Derusbi in the evolving threat landscape.
Description last updated: 2024-05-04T19:34:59.809Z
Aliases: none currently tracked.

Miscellaneous Associations (other elements of context that could aid in assessing relevance):
Malware
Linux
Backdoor
Windows
Reconnaissance
Associated Malware
SprySOCKS (type: unspecified; votes: 2): SprySOCKS is a new strain of malware that has recently been added to the arsenal of Earth Lusca, an advanced persistent threat (APT) group known for its sophisticated cyberattacks. Malware, short for malicious software, is designed to exploit and damage computers or devices without the user's knowle
Source Document References
Information about the Derusbi malware was read from the documents listed below (display limited to 20 results). Each entry gives the source, the time since publication, and the document title.
SecurityIntelligence.com (2 years ago): Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
Unit42 (10 months ago): When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief
Checkpoint (a year ago): 25th September – Threat Intelligence Report - Check Point Research
CERT-EU (a year ago): Hackers Deployed never-before-seen Linux Malware Attacking Government Entities
DARKReading (a year ago): China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign
Securityaffairs (a year ago): Earth Lusca expands its arsenal with SprySOCKS Linux malware
Trend Micro (a year ago): Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
CERT-EU (a year ago): New SprySOCKS Linux malware used in cyber espionage attacks
MITRE (2 years ago): Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant
MITRE (2 years ago): New Attacks Linked to C0d0so0 Group
MITRE (2 years ago): Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole
MITRE (2 years ago): Introducing Hi-Zor RAT