CTI Roundup: Emansrepo Infostealer and Earth Lusca Multiplatform Backdoor
Emansrepo Stealer spreads via email, Palo Alto sheds light on top-level domains, and Earth Lusca deploys a new multiplatform backdoor
In this week’s roundup, CTI investigates a Python infostealer called Emansrepo, which spreads over email and has three different attack chains. Next up, CTI looks at a recent Palo Alto report covering 19 top-level domains (TLDs) that were released in the last year. Finally, CTI wraps up with an overview of KTLVdoor, a new multiplatform backdoor from the Chinese-speaking threat actor known as Earth Lusca.
1. Emansrepo Stealer spreads via email
Researchers at Fortinet recently observed a Python infostealer called Emansrepo which spreads through emails containing fake purchase orders and invoices.
According to Fortinet, the malware compresses data from browsers and files before exfiltrating it. This campaign has been active since November 2023.
Emansrepo’s attack chains
Researchers observed three different Emansrepo attack chains between July and August 2024. Based on their findings, the campaign’s attack flows appear to be increasing in complexity.
- The first chain contains an email attachment with a dropper pretending to be a download page. According to Fortinet, it creates a link element which points to the data of “Purchase-Order.7z,” uses the click() method to “download” the 7z file, and then redirects to an unrelated website. The archive contains an AutoIT-compiled executable that bundles Python modules for stealing information.
- In the second chain, the email contains a ZIP file with an HTA file. It uses a JavaScript-based source file to download a PowerShell script for the next stage.
- The third chain involves a phishing email with a link to an obfuscated batch file. This will download and execute the PowerShell script.
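The first chain is a browser-side download trick: the page builds a link element, points it at embedded file data, "clicks" it, and then redirects. A defender can screen HTML attachments for that combination of behaviours before they reach a user. The scanner below is an added example, not Fortinet's or Tanium's tooling; the indicator regexes, scoring weights and the sample attachment (which carries only archive magic bytes, no real payload) are constructed for illustration.

```python
"""Heuristic scanner for HTML email attachments that follow the dropper pattern
described above: create a link element, point it at embedded data, call click(),
then redirect. Added example; indicators and weights are illustrative choices."""
import base64
import re

# Each indicator is one behaviour from the chain. Weights are hypothetical.
INDICATORS = {
    "creates_anchor": re.compile(r"createElement\(\s*['\"]a['\"]\s*\)", re.I),
    "data_uri_or_blob": re.compile(r"(data:application/[\w.+-]+;base64,|new\s+Blob\s*\()", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "redirect_after": re.compile(r"(location\.(href|replace)|window\.location)\s*[=(]", re.I),
    "archive_name": re.compile(r"['\"][^'\"]+\.(7z|zip|rar|iso|img)['\"]", re.I),
}

# File signatures worth recognising inside an embedded data: URI.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z archive",
    b"PK\x03\x04": "ZIP archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"MZ": "PE executable",
}

DATA_URI_RX = re.compile(r"data:([\w./+-]+);base64,([A-Za-z0-9+/=]+)")


def identify(blob: bytes) -> str:
    """Return a file type name from leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def embedded_files(html: str) -> list:
    """Decode every base64 data: URI in the page and classify its contents."""
    found = []
    for m in DATA_URI_RX.finditer(html):
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append({"mime": m.group(1), "size": len(blob), "type": identify(blob)})
    return found


def scan_html(html: str) -> dict:
    """Score an HTML attachment; 'suspicious' when enough dropper behaviours co-occur."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    files = embedded_files(html)
    score = len(hits) + (2 if any(f["type"] != "unknown" for f in files) else 0)
    verdict = "suspicious" if score >= 4 else "benign"
    return {"hits": hits, "embedded": files, "score": score, "verdict": verdict}


# Constructed sample: 7z magic bytes plus zero padding stand in for the archive.
SAMPLE_B64 = base64.b64encode(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32).decode()
SAMPLE_ATTACHMENT = (
    "<html><body><p>Your document is ready.</p>\n<script>\n"
    '  var payload = "data:application/x-7z-compressed;base64,' + SAMPLE_B64 + '";\n'
    "  var a = document.createElement('a');\n"
    "  a.href = payload;\n"
    '  a.download = "Purchase-Order.7z";\n'
    "  document.body.appendChild(a);\n"
    "  a.click();\n"
    '  window.location.href = "https://example.com/";\n'
    "</script></body></html>"
)

# Constructed benign control: an ordinary newsletter with a normal hyperlink.
BENIGN_ATTACHMENT = (
    '<html><body><p>Monthly newsletter</p>'
    '<a href="https://example.com/report.pdf">Download report</a></body></html>'
)

if __name__ == "__main__":
    print(scan_html(SAMPLE_ATTACHMENT))
    print(scan_html(BENIGN_ATTACHMENT))
```

The score threshold is deliberately conservative: a single `click()` or data: URI is common in legitimate mail, so the verdict only trips when several behaviours from the chain appear together, and the decoded payload's magic bytes add weight independent of any filename the page claims.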
Emansrepo’s malware
The infostealer stores the stolen data in temporary folders, sends the data to the threat actor, and then deletes the information.
The malware will attempt to collect a variety of information like login data, credit card information, browsing history, and downloads. It will then copy PDF files from the Desktop, Document, Downloads, and Recents folders and compress folders for browser extensions, crypto wallets, and more. The malware will also copy cookie files and zip the data.
Analyst comments from Tanium’s Cyber Threat Intelligence team
In addition to continuously evolving the attack chain, the actor is using more than one chain at a time — or at least pivoting very quickly from one to the next.
Fortunately, the attack chains all appear to begin with phishing emails that use the common purchase order/invoice lure, which is often included in security awareness training material.
2. Palo Alto sheds light on top-level domains in new report
In its latest report, Palo Alto looks at 19 new top-level domains (TLDs) that were released over the last year.
Their investigation reveals multiple large-scale phishing campaigns, as well as the distribution of potentially unwanted programs. There also appears to be a correlation between the general availability date of the new TLDs and their popularity.
TLD rollout phases
The report indicates that TLDs roll out in phases. Each TLD is tracked in an authoritative database — or registry — and must be approved for release.
After approval, they go through multiple phases including sunrise, landrush, early access, and general availability.
- During the mandatory sunrise phase, registration is only available to those with a validated trademark record.
- In the landrush phase, registration is open to the public for specific or premium domain names. Sometimes they result in an auction.
- Some TLDs will go through an early access period in which people can register a domain at a premium price ahead of the official launch.
- Lastly, the TLD moves to general availability and becomes available to the public.
Data sources
Palo Alto’s research focuses on 19 TLDs that have either been released recently or are in one of the above-mentioned phases ahead of general availability. The TLDs include .bot, .box, .case, .channel, .dad, .esq, .foo, .ing, .lifestyle, .living, .meme, .mov, .music, .nexus, .phd, .prof, .vana, .watches, and .zip.
Case studies
Palo Alto used a graph-based detection system to analyze domains, extract related data, and generate visualizations. Researchers fed each graph through a clustering process to look for commonalities. The results reveal large-scale phishing attacks, the distribution of potentially unwanted programs (PUPs), pranking or meme campaigns, and torrenting websites.
One activity cluster revealed a lure that tricks victims into scanning a QR code. The attack attempts to get the victim to begin texting and tries to introduce them to various scams, spam, and data harvesting campaigns. Altogether, 92 domains belonging to the “.bot” TLD were used in this campaign.
Additional case studies and identified campaigns can be found in Palo Alto’s report.
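The practical takeaway from the TLD list above is a triage signal: traffic to a TLD that only became registrable in the last year deserves a second look, and two of the 19 (.zip and .mov) double as common file extensions, so a host name like update-installer.zip can pass for a filename. The script below is an added example, not Palo Alto's detection system; it takes the 19 TLDs from the report, flags matching hosts in a constructed proxy log, and separately marks the filename-lookalike cases. Its log line format and the sample entries are assumptions for this example.

```python
"""Flag proxy-log URLs whose host uses one of the 19 newly released TLDs from
the Palo Alto report. Added example; log format and sample lines are constructed."""
import re
from urllib.parse import urlparse

# The 19 TLDs named in the report.
NEW_TLDS = {
    "bot", "box", "case", "channel", "dad", "esq", "foo", "ing", "lifestyle",
    "living", "meme", "mov", "music", "nexus", "phd", "prof", "vana", "watches", "zip",
}
# TLDs that collide with common file extensions, so a host can masquerade as a filename.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed sample log (hypothetical key=value format with a url= field).
LOG_LINES = [
    "2024-09-05T10:01:02Z src=10.0.0.5 url=https://update-installer.zip/download",
    "2024-09-05T10:01:07Z src=10.0.0.5 url=https://www.example.com/index.html",
    "2024-09-05T10:02:41Z src=10.0.0.9 url=http://assistant-login.bot/verify?q=1",
    "2024-09-05T10:03:13Z src=10.0.0.9 url=https://docs.example.org/files/report.zip",
    "2024-09-05T10:04:55Z src=10.0.0.12 url=https://holiday-video.mov/",
]

URL_RX = re.compile(r"url=(\S+)")


def tld_of(host: str) -> str:
    """Last DNS label of a host name, lower-cased ('' for single-label or empty hosts)."""
    host = host.lower().rstrip(".")
    return host.rsplit(".", 1)[-1] if "." in host else ""


def assess_url(url: str) -> dict:
    """Explain why a URL's host is worth a second look (empty reasons = nothing notable)."""
    host = urlparse(url).hostname or ""
    tld = tld_of(host)
    reasons = []
    if tld in NEW_TLDS:
        reasons.append("new TLD ." + tld)
    if tld in FILE_EXTENSION_TLDS:
        reasons.append("host looks like a filename")
    return {"url": url, "host": host, "tld": tld, "reasons": reasons}


def flag_log(lines) -> list:
    """Return the assessments for every log line whose URL host raised a reason."""
    flagged = []
    for line in lines:
        m = URL_RX.search(line)
        if not m:
            continue
        verdict = assess_url(m.group(1))
        if verdict["reasons"]:
            verdict["line"] = line
            flagged.append(verdict)
    return flagged


if __name__ == "__main__":
    for hit in flag_log(LOG_LINES):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
```

Note that the check keys on the host, not the path: docs.example.org/files/report.zip is an ordinary download and is left alone, while update-installer.zip is a registrable domain. "New" is also time-bound; the list is a snapshot of the report's release year and should be refreshed as further TLDs reach general availability.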
Analyst comments from Tanium’s Cyber Threat Intelligence team
Palo Alto’s analysis reveals some interesting points. For example, it confirms that actors tend to monitor and exploit the changing threat landscape by leveraging major news stories, new technologies, emerging vulnerabilities, and new TLDs.
Their research also proves how quickly threat actors can weaponize and abuse TLDs as they are created. As such, it is important to be vigilant with all domains, especially those that seem suspicious.
3. Earth Lusca deploys a new multiplatform backdoor
According to a recent report from Trend Micro, the Chinese-speaking threat actor known as Earth Lusca is now using a new multiplatform backdoor called KTLVdoor.
The backdoor, which masquerades as different system utilities, was observed in a large-scale attack involving more than 50 C2 servers. At this point, researchers have only identified one confirmed target of the operation, which is a trading company based in China.
KTLVdoor malware analysis
The new backdoor is heavily obfuscated and pretends to be different system utilities. Actors use this tool for multiple tasks including file manipulation, command execution, and remote port scanning. Researchers have discovered a Windows and Linux version of the malware.
- Malware obfuscation: As noted, this malware is heavily obfuscated. Trend Micro notes that many embedded strings are unreadable, symbols are stripped, and most functions and packages have been renamed to random-looking strings.
- Configuration: The malware’s first step is to initialize the agent’s configuration parameters, which are XOR-encrypted and Base64-encoded. The file format is a custom TLV-like format with “KTLV” prepended. Part of the configuration structure is the HostInfo structure, which contains parameters about the infected machine including username, IP, hostname, process name, OS, disks, uptime, sleep time, and more.
- Connection settings: The C2 servers are stored as the “connect” value which is AES-GCM-encrypted and Base64-encoded.
- Communication: After successful initialization, the agent will begin a communication loop with a C2 server. This communication sends and receives messages that are GZIP-compressed and encrypted. The messages can be delivered in simplex or duplex mode.
- Receiving tasks: The agent will implement handlers to process tasks it receives from the C2. These handlers are for things like downloading and uploading files, launching interactive shells, and more.
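The configuration description above (Base64, then XOR, then a "KTLV"-prefixed TLV container) is the shape of thing an analyst writes a config extractor for. The script below is an added example, not Trend Micro's tooling and not the real KTLVdoor layout: the page gives no tag numbers, field widths, endianness or key, so the one-byte tag, two-byte big-endian length, tag names and single-byte XOR key used here are all assumptions for illustration. It builds a constructed sample config, recovers the XOR key from the known "KTLV" prefix, and parses the entries, refusing truncated or overrunning entries rather than reading past the buffer. The "connect" value is returned opaque, since the page says it is AES-GCM-encrypted and gives no key.

```python
"""Config extractor skeleton for a KTLV-style container: Base64 -> XOR -> "KTLV" + TLV.
Added example with an assumed layout; the real KTLVdoor format is not on the page."""
import base64
import struct

MAGIC = b"KTLV"
# Hypothetical tag numbering for this example only.
TAGS = {1: "username", 2: "hostname", 3: "os", 4: "sleep_time", 5: "connect"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_config(fields: dict, key: bytes) -> str:
    """Build a sample encoded config: MAGIC, then 1-byte tag + 2-byte BE length + value."""
    by_name = {name: tag for tag, name in TAGS.items()}
    body = bytearray(MAGIC)
    for name, value in fields.items():
        raw = value.encode() if isinstance(value, str) else value
        body += struct.pack(">BH", by_name[name], len(raw)) + raw
    return base64.b64encode(xor_bytes(bytes(body), key)).decode()


def recover_single_byte_key(blob: bytes) -> bytes:
    """Known-plaintext recovery: the decoded buffer must start with MAGIC, so every
    ciphertext byte in that window XORed with the magic byte must give the same key."""
    if len(blob) < len(MAGIC):
        raise ValueError("blob shorter than magic")
    candidates = {blob[i] ^ MAGIC[i] for i in range(len(MAGIC))}
    if len(candidates) != 1:
        raise ValueError("not a single-byte XOR key (or wrong magic)")
    return bytes([candidates.pop()])


def parse_tlv(buf: bytes) -> dict:
    """Walk the TLV entries after MAGIC; reject headers or values that overrun the buffer."""
    if not buf.startswith(MAGIC):
        raise ValueError("bad magic")
    pos, out = len(MAGIC), {}
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated entry header at offset %d" % pos)
        tag, length = struct.unpack_from(">BH", buf, pos)
        pos += 3
        if pos + length > len(buf):
            raise ValueError("entry tag %d overruns buffer" % tag)
        out[TAGS.get(tag, "tag_%d" % tag)] = buf[pos:pos + length].decode("utf-8", "replace")
        pos += length
    return out


def extract_config(b64text: str, key: bytes = None) -> dict:
    """Decode Base64, recover the key if not supplied, strip XOR, parse the TLV body."""
    blob = base64.b64decode(b64text)
    if key is None:
        key = recover_single_byte_key(blob)
    return parse_tlv(xor_bytes(blob, key))


# Constructed sample agent config and key; values are placeholders, not real indicators.
SAMPLE_FIELDS = {
    "username": "svc-trade",
    "hostname": "WS-FINANCE-07",
    "os": "windows",
    "sleep_time": "30",
    "connect": "<base64 AES-GCM blob placeholder>",
}
SAMPLE_KEY = b"\x5a"
SAMPLE_CONFIG = pack_config(SAMPLE_FIELDS, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_single_byte_key(base64.b64decode(SAMPLE_CONFIG)).hex())
    print(extract_config(SAMPLE_CONFIG))
```

The key-recovery step is the reusable part: whenever a decoded blob is known to begin with a fixed marker, the marker is a free known-plaintext and hands over as many key bytes as it is long. For a multi-byte key the same idea yields only the first few key bytes and the rest must come from elsewhere (the binary, or further known structure), which is why the function refuses rather than guesses when the four candidates disagree.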
Analyst comments from Tanium’s Cyber Threat Intelligence team
Trend Micro discovered more than 50 C2 servers, which is exceedingly high — especially with only one confirmed target. This could indicate early testing is taking place.
The tool is believed to be connected to Earth Lusca, which is a Chinese-speaking actor. But since Chinese-speaking actors often share tooling, it’s possible that the tool will become more widespread in the future.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.