In a significant development in the cybersecurity landscape, researchers have identified novel Windows versions of the SprySOCKS backdoor, originally thought to target only Linux systems. This expansion, noted by ESET, involves two previously undocumented variants named WIN_DRV and WIN_PLUS, which bring new levels of stealth to their operations.
Technical Breakdown of the New Variants
The Windows adaptations of SprySOCKS maintain many of the functionalities of their Linux predecessors, supporting over 30 commands for tasks such as system information gathering, process management, and file operations. Unique to the WIN_DRV variant is the use of kernel drivers to conceal various malware activities, enhancing its stealth capabilities significantly.
Further distinguishing the WIN_DRV variant is its ability to divert TCP traffic, enabling operators to communicate covertly with the backdoor through random ports, thereby masking its presence on infected networks.
Origins and Attribution of SprySOCKS
Initially documented by Trend Micro in September 2023, SprySOCKS has been linked to Earth Lusca, a state-sponsored threat group from China also known as Aquatic Panda and Bronze University. This group, believed to have been active since 2021, has been involved in cyber espionage activities worldwide under the FishMonger banner, targeting organizations across several countries.
SprySOCKS shares lineage with Trochilus, a Windows remote access trojan, and has code overlaps with RedLeaves, suggesting a common development framework with other Chinese threat actors like Webworm.
Execution Chains and Deployment
The WIN_DRV variant, part of SprySOCKS version 1.8, employs a kernel driver named RawWNPF for its stealth operations. The driver is activated through an encrypted loader, DriverLoader, which is itself part of a sophisticated attack chain that includes the exploitation of known vulnerabilities in widely used software platforms.
Meanwhile, the WIN_PLUS variant adopts a different strategy: it uses the Windows Print Spooler service to launch a loader that injects the SprySOCKS backdoor into a newly created process, hiding its execution behind a legitimate service.
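As an added defender-side illustration, not code from ESET or from the article, the PowerShell snippet below hunts for the two footholds described above on a single Windows host: a loaded kernel driver named RawWNPF (the name is taken from the article) or any driver whose image is not validly signed, and unexpected child processes of the Print Spooler. The allow-list of normal spooler children and the use of Authenticode status as a filter are assumptions, so treat hits as leads to triage rather than confirmed infections.

```powershell
# Added hunting example (not ESET's or the article's code). "RawWNPF" comes
# from the article; the expected-children list and signature check are
# assumptions. Run in an elevated PowerShell session.

function Find-SuspiciousDrivers {
    # WIN_DRV hides behind a kernel driver: flag drivers whose name matches the
    # reported one, or whose on-disk image does not carry a valid signature.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Signed = [bool]($sig -and $sig.Status -eq 'Valid')
            }
        } |
        Where-Object { $_.Name -match 'RawWNPF' -or -not $_.Signed }
}

function Find-SpoolerChildren {
    # WIN_PLUS launches its loader via the Print Spooler: list every child of
    # spoolsv.exe that is not one of the (assumed) normal helper processes.
    $expected = @('splwow64.exe', 'PrintIsolationHost.exe')   # assumption
    $spoolers = Get-CimInstance Win32_Process -Filter "Name='spoolsv.exe'"
    foreach ($sp in $spoolers) {
        Get-CimInstance Win32_Process -Filter "ParentProcessId=$($sp.ProcessId)" |
            Where-Object { $expected -notcontains $_.Name } |
            Select-Object ProcessId, Name, ExecutablePath, CommandLine
    }
}

Find-SuspiciousDrivers | Format-Table -AutoSize
Find-SpoolerChildren   | Format-Table -AutoSize
```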
Implications and Future Outlook
The emergence of SprySOCKS on Windows platforms underscores the evolving tactics of cyber threat actors, emphasizing the need for robust cybersecurity measures. ESET’s discovery highlights the growing cross-platform capabilities of malware like SprySOCKS, which now presents a more versatile threat landscape.
As these developments unfold, cybersecurity experts stress the importance of continuous monitoring and updating of security protocols to safeguard against such sophisticated threats. The ongoing evolution of SprySOCKS suggests that threat actors will continue to innovate, challenging defenders to stay vigilant.
