Windows Versions of SprySOCKS Malware Target Government Agencies

The SprySOCKS malware has been used by a Chinese cyberespionage group to target government organizations since at least 2023. Here’s what we know about this threat.

SprySOCKS is a new example of malware capable of targeting both Linux and Windows machines. Previously known as a Linux-specific threat attributed to the Chinese group Earth Lusca, it is now going after Windows as well. In fact, a new report published by ESET researchers describes the use of a Windows variant of SprySOCKS to target government agencies in Taiwan, Thailand, Pakistan, and Honduras.

According to ESET, the same cybercriminal group is behind these attacks: Earth Lusca, an actor it tracks under the name FishMonger. These new variants were discovered through files uploaded to VirusTotal. However, ESET telemetry data revealed that the first incidents date back to 2023-2024. Even though the information is being disclosed today, the Windows SprySOCKS threat is not that recent.

Two Windows variants, one common goal: espionage

Where the previously documented Linux version remained relatively conventional, the Windows versions add kernel-level stealth capabilities. During their analysis, researchers identified two distinct variants:

  • WIN_DRV, a backdoor that includes kernel drivers giving it rootkit-like capabilities (notably by exploiting CVE‑2023‑24932),
  • WIN_PLUS, a more basic backdoor.

The WIN_DRV variant is notable for loading a driver called RawWNPF into memory, which is itself deployed by another kernel driver named DriverLoader (fsdiskbit.sys). "To make the driver work at least on some outdated or misconfigured systems, the attackers used a leaked certificate available on GitHub in the PastDSE project repository, and used it to sign the fsdiskbit.sys driver," the researchers said.

On the infected machine, persistence does not rely on the same mechanisms for these two variants. WIN_DRV uses a scheduled task and the vds.exe tool, while WIN_PLUS registers itself as a Windows print processor.
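The two persistence locations named above, plus the signed-driver angle from the previous paragraph, are things a defender can audit on a host. The script below is an added example and is not code from the ESET report or this article; it assumes an elevated PowerShell session on 64-bit Windows (the print-processor registry path is the "Windows x64" environment). It reports print processors other than the built-in winprint, scheduled tasks whose action runs vds.exe, and installed drivers whose Authenticode signature is not valid or not issued to Microsoft.

```powershell
# Added defender-side audit script (not from the ESET report or the article).
# Assumes: elevated session, 64-bit Windows. Review the output manually; a hit
# is a lead, not a verdict.

$PrintProcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
$PrtProcDir   = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'

function Get-SuspiciousPrintProcessors {
    # Windows ships one print processor, 'winprint' (winprint.dll). WIN_PLUS
    # registers itself as a print processor, so any other entry deserves a look.
    Get-ChildItem -Path $PrintProcKey -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        $dll  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
        $path = if ($dll) { Join-Path $PrtProcDir $dll } else { $null }
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name       = $name
            Driver     = $dll
            Path       = $path
            SigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Suspicious = ($name -ne 'winprint') -or ($dll -ne 'winprint.dll')
        }
    }
}

function Get-VdsScheduledTasks {
    # WIN_DRV persists through a scheduled task that runs vds.exe. Tasks whose
    # action launches vds.exe are rare enough to review one by one.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match '(?i)vds\.exe' }
    } | ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            Author   = $_.Author
            Execute  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

function Get-NonMicrosoftSignedDrivers {
    # fsdiskbit.sys was signed with a leaked certificate, so a 'Valid' status on
    # its own proves nothing. List every registered driver whose signature is not
    # valid OR whose signer is not Microsoft, and triage the signer manually.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # Normalise the NT-style prefixes WMI sometimes returns.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path $path)) { return }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $path
                SigStatus = $sig.Status
                Signer    = $signer
            }
        }
    }
}

# Usage: run all three checks and print the results.
Get-SuspiciousPrintProcessors | Format-Table -AutoSize
Get-VdsScheduledTasks         | Format-Table -AutoSize
Get-NonMicrosoftSignedDrivers | Format-Table -AutoSize
```

Two caveats on the driver check: Win32_SystemDriver only lists drivers registered as services, so a driver that exists purely in memory (as the article says RawWNPF does) will not appear, and a leaked but unrevoked certificate yields a Valid signature, which is why the script surfaces non-Microsoft signers rather than trusting the status field alone.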

Despite their differences, these two variants share a common set of features:

  • Communication over TCP, UDP, and WebSocket,
  • Support for more than 30 commands to receive instructions from C2 servers,
  • System information gathering,
  • Process and service enumeration, with the ability to interact with them,
  • Full file manipulation,
  • Acting as a SOCKS proxy,
  • Acting as a keylogger (recording keystrokes) and capturing clipboard contents.

With all of these actions, the malware can remain stealthy while still being able to collect and exfiltrate sensitive information.

ESET specifies that WIN_DRV "also enables TCP traffic hijacking, allowing malware operators to send commands to the backdoor via a random TCP port on the victim's device, without revealing the backdoor's real listening port in network traffic."

Find more information in the ESET report.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.