
Chinese Hackers Hit Telcos with New Linux and Windows Malware

Manaal Khan | 21 May 2026 at 8:18 pm | 5 min read

Key Takeaways

Source: BleepingComputer
  • Calypso threat group has targeted telecom providers since mid-2022 using telecom-themed domains to impersonate victims
  • Showboat Linux malware acts as a SOCKS5 proxy to pivot through compromised networks
  • JFMBackdoor Windows implant includes reverse shell, screenshot capture, and anti-forensics capabilities

Security researchers have uncovered a Chinese cyber-espionage campaign targeting telecommunications companies with two newly discovered malware strains. The operation, attributed to a threat group called Calypso (also tracked as Red Lamassu), has been active since at least mid-2022.

According to joint research from Lumen's Black Lotus Labs and PwC Threat Intelligence, the attackers set up multiple telecom-themed domains to impersonate their targets. Organizations across the Asia Pacific and Middle East regions have been affected.

The campaign uses two distinct malware tools: Showboat (also called kworker) for Linux systems, and JFMBackdoor for Windows environments. Both are designed for long-term persistence and network infiltration.

Showboat: The Linux Side of the Attack

Showboat is a modular post-exploitation framework built for Linux systems. Once deployed on a target machine, it collects information about the host and sends it to a command-and-control server. The initial infection method remains unknown.

The malware can upload or download files, hide its own process, and establish persistence by creating a new service. Its most notable feature is how it conceals itself.

One notable feature is the 'hide' command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a 'dead drop'.

— Lumen's Black Lotus Labs researchers

[Figure: Pastebin page used by Calypso attackers as a dead drop for malware code]

Showboat's primary function is acting as a SOCKS5 proxy and port-forwarding pivot point. This lets attackers use compromised endpoints as footholds to move laterally through internal networks and reach systems that would otherwise be inaccessible from outside.
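The article describes Showboat acting as a SOCKS5 proxy so that a compromised endpoint becomes a pivot into the internal network. A defender can look for exactly that: hosts that speak SOCKS5 on ports where no sanctioned proxy exists. The following is an added example, not code from the article or from Black Lotus Labs or PwC; it parses the SOCKS5 client greeting and request as defined in RFC 1928 and flags flows whose destination is not on an allow-list. The flow tuples, the IP addresses and the allow-list are constructed assumptions.

```python
"""Recognise SOCKS5 client messages (RFC 1928) in captured TCP payloads.

Added example, not code from the article or from Black Lotus Labs / PwC.
It assumes a flow feed of (src_ip, dst_ip, dst_port, first_client_payload)
tuples and an allow-list of hosts that are supposed to run a proxy; both
are constructed below.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data: bytes):
    """Return the offered auth methods if `data` is exactly a SOCKS5 greeting, else None."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes):
    """Return (command, host, port) if `data` is a well-formed SOCKS5 request, else None."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0:  # byte 2 is reserved, must be 0
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4 and len(data) == 10:
        host, port_off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(data) == 7 + data[4]:
        host, port_off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == ATYP_IPV6 and len(data) == 22:
        host, port_off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    (port,) = struct.unpack("!H", data[port_off:port_off + 2])
    return CMD_NAMES[cmd], host, port


def classify_payload(data: bytes):
    """Label a client payload as 'greeting', 'request', or None when it is not SOCKS5."""
    if parse_greeting(data) is not None:
        return "greeting"
    if parse_request(data) is not None:
        return "request"
    return None


def find_unexpected_socks5(flows, approved):
    """Flag SOCKS5 traffic whose destination (ip, port) is not a sanctioned proxy."""
    findings = []
    for src, dst, dport, payload in flows:
        if (dst, dport) in approved:
            continue
        kind = classify_payload(payload)
        if kind == "greeting":
            findings.append((src, dst, dport, "SOCKS5 greeting"))
        elif kind == "request":
            cmd, host, port = parse_request(payload)
            findings.append((src, dst, dport, f"SOCKS5 {cmd} to {host}:{port}"))
    return findings


# Constructed sample data: 10.0.9.7:1080 is the one sanctioned proxy.
APPROVED_PROXIES = {("10.0.9.7", 1080)}
SAMPLE_FLOWS = [
    ("10.0.5.21", "10.0.9.7", 1080, b"\x05\x01\x00"),                                 # greeting, approved
    ("10.0.5.21", "10.0.9.7", 1080, b"\x05\x01\x00\x01\x0a\x00\x00\x0a\x00\x16"),     # CONNECT 10.0.0.10:22, approved
    ("10.0.5.22", "10.0.9.7", 443, b"\x16\x03\x01\x00\xc4\x01\x00"),                   # TLS ClientHello, benign
    ("10.0.5.23", "10.0.9.8", 8443, b"\x05\x02\x00\x02"),                              # greeting to a non-proxy host
    ("10.0.5.24", "10.0.9.8", 8443, b"\x05\x01\x00\x03\x06int-db\x01\xbb"),            # CONNECT int-db:443, non-proxy host
]

if __name__ == "__main__":
    for finding in find_unexpected_socks5(SAMPLE_FLOWS, APPROVED_PROXIES):
        print(finding)
```

A three-byte greeting is a weak signal on its own; in practice the hit is worth escalating when the same destination also receives a well-formed request, or when the destination host has no business running a proxy at all.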

[Figure: Showboat's SOCKS5 proxy and port mapping functionality enables lateral movement]

JFMBackdoor: Full-Featured Windows Espionage

PwC Threat Intelligence analyzed the Windows infection chain. It starts with the execution of a batch script that drops payloads to stage a DLL-sideloading procedure using fltMC.exe and FLTLIB.dll. The final payload is JFMBackdoor.

[Figure: The Windows attack chain leading to JFMBackdoor deployment]

JFMBackdoor is a comprehensive espionage implant with an extensive feature set. The researchers documented the following capabilities:

  • Reverse shell access for remote command execution
  • File management including upload, download, modify, move, and delete operations
  • TCP proxying to use victim systems as network relays into internal infrastructure
  • Process and service management to start, stop, create, or kill system processes
  • Registry manipulation to modify Windows registry keys and values
  • Screenshot capture with encryption for exfiltration
  • Encrypted configuration management for storing and updating malware settings
  • Self-removal and anti-forensics to hide activity and delete traces

Why Telecom Providers Are Prime Targets

Telecommunications companies hold a unique position in espionage operations. They manage the infrastructure through which vast amounts of communications flow. Compromising a telco can give attackers access to call records, text messages, and internet traffic of thousands or millions of users without needing to compromise individual devices.

The use of telecom-themed domains to impersonate targets suggests Calypso researched their victims carefully. This kind of social engineering makes phishing emails and malicious infrastructure more convincing to employees who handle network operations daily.

Detection and Defense

The Showboat malware's use of legitimate services like Pastebin as dead drops makes detection harder. Security teams should monitor for unusual outbound connections to code-sharing and paste sites, especially from servers that should not need such access.
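The monitoring described above can be expressed as a small rule over egress logs. The following is an added example, not code from the article or the researchers: it parses constructed key=value connection records that carry each host's role, matches the destination against a starting watchlist of paste and code-sharing domains (exact or subdomain match, so look-alike names do not match), and rates a hit from a server higher than one from a workstation. The log format, the host names and the watchlist are assumptions.

```python
"""Flag outbound connections from servers to paste and code-sharing sites.

Added example, not code from the article or the researchers. It assumes a
key=value egress log (constructed below) with the host's role attached and
a starting watchlist of paste/code-sharing domains; both are assumptions.
"""
import re
from collections import Counter

# Starting watchlist: real domains, but the list itself is a constructed example.
PASTE_SITE_SUFFIXES = (
    "pastebin.com",
    "paste.ee",
    "hastebin.com",
    "gist.github.com",
    "raw.githubusercontent.com",
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+role=(?P<role>\S+)\s+dst=(?P<dst>\S+)\s+port=(?P<port>\d+)$"
)


def is_paste_site(fqdn: str) -> bool:
    """Exact or subdomain match only; 'notpastebin.com' must not match."""
    name = fqdn.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in PASTE_SITE_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed log record into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_paste_site_egress(lines, server_roles=("server",)):
    """Return (host, role, dst, severity) for each connection to a watchlisted site."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_paste_site(rec["dst"]):
            continue
        severity = "high" if rec["role"] in server_roles else "low"
        findings.append((rec["host"], rec["role"], rec["dst"], severity))
    return findings


def hosts_by_hit_count(findings):
    """Count hits per host so repeat offenders surface first."""
    return Counter(host for host, _, _, _ in findings)


# Constructed sample log: one workstation hit, two server hits, one look-alike
# domain, one benign destination and one unparseable line.
SAMPLE_LOG = """
2026-05-20T10:01:02Z host=ws-114 role=workstation dst=pastebin.com port=443
2026-05-20T10:03:17Z host=db-01 role=server dst=pastebin.com port=443
2026-05-20T10:03:18Z host=db-01 role=server dst=raw.githubusercontent.com port=443
2026-05-20T10:04:00Z host=db-02 role=server dst=notpastebin.com port=443
2026-05-20T10:05:41Z host=app-03 role=server dst=updates.example.com port=443
garbage line that does not parse
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_paste_site_egress(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(hosts_by_hit_count(hits))
```

Servers that legitimately pull from GitHub (build agents, for instance) will need an exception list; the point of attaching the role is that a database or application server reaching a paste site is the anomaly the article calls out.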

For Windows environments, the DLL-sideloading technique using fltMC.exe is a known attack vector. Monitoring for unexpected child processes from this legitimate Windows binary can help identify intrusions.
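The child-process check above, plus two related checks a hunter would pair with it, as an added example that is not code from the article or from PwC: the rules below run over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flag any child spawned by fltMC.exe, a copy of fltMC.exe executing outside the Windows system directories, and FLTLIB.dll being loaded from a non-system path. The last two rules generalise the sideloading pattern the article names (a relocated legitimate binary loading a rogue DLL from its own directory) and are this example's assumption, as are the event dictionaries and the staging path used in the sample data.

```python
"""Spot fltMC.exe abuse for DLL sideloading in Sysmon-style events.

Added example, not code from the article or from PwC. It assumes events as
dicts with Sysmon-like field names (EventID 1 = process create, 7 = image
load); the events and the staging path below are constructed.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(path: str) -> bool:
    """True when the path sits under System32 or SysWOW64 (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIRS)


def is_named(path: str, name: str) -> bool:
    """Compare only the file name, so the check is independent of the directory."""
    return ntpath.basename(path).lower() == name


def check_event(ev: dict):
    """Return the rule names the event triggers; an empty list means benign."""
    hits = []
    if ev.get("EventID") == 1:
        if is_named(ev["ParentImage"], "fltmc.exe"):
            hits.append("child_of_fltmc")            # fltMC.exe normally spawns nothing
        if is_named(ev["Image"], "fltmc.exe") and not in_system_dir(ev["Image"]):
            hits.append("fltmc_outside_system_dir")  # binary copied next to a rogue DLL (assumed pattern)
    elif ev.get("EventID") == 7:
        if is_named(ev["ImageLoaded"], "fltlib.dll") and not in_system_dir(ev["ImageLoaded"]):
            hits.append("fltlib_loaded_from_nonsystem_path")
    return hits


def scan(events):
    """Run every event through check_event and return (event_index, rule) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample events; C:\Users\Public\Libraries is an assumed staging directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\fltMC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "fltMC.exe filters"},   # benign admin use
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\fltMC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "fltMC.exe"},           # relocated copy
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\fltMC.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\FLTLIB.dll"},                                # sideloaded DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\Libraries\fltMC.exe", "CommandLine": "cmd.exe"},      # unexpected child
    {"EventID": 7, "Image": r"C:\Windows\System32\fltMC.exe",
     "ImageLoaded": r"C:\Windows\System32\FLTLIB.dll"},                                      # benign load
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule)
```

The child-process rule is the one the article recommends; the path rules cost nothing extra once image-load events are collected and catch the staging step before any child process appears.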

Both malware strains emphasize persistence and stealth over immediate impact. Organizations in the telecommunications sector should assume they are targets and conduct regular threat hunting exercises focused on the indicators of compromise shared by the researchers.


Frequently Asked Questions

Who is behind the Showboat and JFMBackdoor malware?

The malware is attributed to Calypso, a Chinese cyber-espionage group also tracked as Red Lamassu by security researchers.

Which regions are targeted by this telecom hacking campaign?

Organizations across the Asia Pacific and parts of the Middle East have been targeted since mid-2022.

How does Showboat malware hide itself on Linux systems?

Showboat retrieves concealment code from external websites like Pastebin, using them as 'dead drops' to help hide its process on infected machines.

What can JFMBackdoor do on infected Windows systems?

JFMBackdoor provides reverse shell access, file management, TCP proxying, registry manipulation, screenshot capture, and anti-forensics capabilities.

Why do hackers target telecommunications companies?

Telcos manage infrastructure through which massive amounts of communications flow. Compromising them can give attackers access to call records, messages, and traffic of millions of users.




Manaal Khan

Tech & Innovation Writer
