The SprySOCKS malware family has expanded its reach to Windows platforms, with two new variants discovered by ESET researchers. The WIN_DRV and WIN_PLUS variants leverage kernel-level drivers to enhance stealth and persistence capabilities, allowing attackers to maintain persistent access, conduct covert surveillance, and evade traditional security defenses.
What Happened
The discovery of the Windows variants of SprySOCKS marks a significant expansion of the malware family's reach. The WIN_DRV and WIN_PLUS variants were found to have been used in attacks targeting government organizations in at least four countries, including Taiwan, Thailand, Pakistan, and Honduras. ESET researchers attribute the activity with high confidence to the Earth Lusca threat actor, also known as FishMonger.
The two Windows variants of SprySOCKS are internally marked as WIN_DRV and WIN_PLUS, and both come with a hardcoded C&C configuration and support communication over TCP, UDP, and WebSocket protocols. The WIN_DRV variant uses a kernel driver named RawWNPF to hide the malware's network connections, running processes, files, and registry keys from any tool operating at the user level.
Background and Context
SprySOCKS is a backdoor malware family that has been linked to the Chinese threat group Earth Lusca. The Linux variant of SprySOCKS was first documented by Trend Micro in September 2023, and ESET researchers have now discovered two previously undocumented Windows versions of the same malware family.
The Linux variant of SprySOCKS uses a command-and-control protocol that is similar to the one used by the Windows variants. The malware also uses encryption and has a wide range of capabilities, including system reconnaissance, process and service management, file operations, and SOCKS proxy setup.
Why It Matters to the Industry
The discovery of the Windows variants of SprySOCKS highlights the growing threat of advanced persistent threats (APTs) in the adult industry. APTs are sophisticated cyber-espionage groups that use advanced tools and techniques to conduct covert surveillance and gather sensitive information.
The use of kernel-level drivers by the WIN_DRV variant makes it particularly difficult for security software to detect and remove the malware. This is because kernel-mode components have direct access to system resources, making them harder to detect and analyze.
What Comes Next
The discovery of the Windows variants of SprySOCKS serves as a reminder that adult industry platforms and operators must remain vigilant in their security efforts. The use of advanced threat detection tools and techniques can help identify and mitigate the risk posed by APTs like FishMonger.
Key Facts
- The SprySOCKS malware family has expanded its reach to Windows platforms with two new variants, WIN_DRV and WIN_PLUS.
- The WIN_DRV variant uses a kernel driver named RawWNPF to hide the malware's network connections, running processes, files, and registry keys.
- ESET researchers attribute the activity with high confidence to the Earth Lusca threat actor, also known as FishMonger.
- The Linux variant of SprySOCKS uses a command-and-control protocol that is similar to the one used by the Windows variants.
- The malware has a wide range of capabilities, including system reconnaissance, process and service management, file operations, and SOCKS proxy setup.
- The use of kernel-level drivers by the WIN_DRV variant makes it particularly difficult for security software to detect and remove the malware.