GoKawiilA Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively.
The operation has been active since at least mid-2022 and targeted organizations across the Asia Pacific and parts of the Middle East. It was attributed to the Calypso threat group, also tracked as Red Lamassu.
According to researchers at Lumen's Black Lotus Labs and PwC Threat Intelligence, the threat actor set up and used multiple telecom-themed domains to impersonate their targets.
The Showboat Linux malware
The Linux implant Calypso uses in these attacks, dubbed Showboat/kworker, is a modular post-exploitation framework built to for long-term persistence after initial compromise. The initial infection vector is unknown.
According to a report today from Black Lotus Labs, once Showboat is deployed on a target system, it starts collecting information about the host and sends it to a command-and-control (C2) server.
The malware can also upload or download files, hide its own process, and establish persistence via a new service.
“One notable feature is the 'hide' command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a ‘dead drop’, Lumen's Black Lotus Labs researchers explain.
Pastebin page used in the attacks
Source: Lumen
... continue reading