SprySOCKS backdoor expands to Windows with new variants

Per The Hacker News, cybersecurity researchers at ESET have identified two new Windows variants of the SprySOCKS backdoor, previously believed to target Linux systems exclusively. These new versions, internally designated WIN_DRV and WIN_PLUS, significantly expand the threat actor's cross-platform capabilities.

The Windows variants, WIN_DRV and WIN_PLUS, retain the core architecture of their Linux predecessor, including its command-and-control (C2) protocols and encryption methods. They support communication over TCP, UDP, and WebSocket, and can execute over 30 commands for system information gathering, process management, and file operations. WIN_DRV uses kernel drivers for enhanced stealth, concealing network connections, processes, and registry keys; it also diverts TCP traffic to mask its listening port. WIN_PLUS instead abuses the Windows Print Spooler service to load the backdoor.

These variants are attributed to the Earth Lusca threat group, also known as FishMonger, which is linked to state-sponsored cyber espionage. Evidence suggests the Windows versions may have been deployed between 2023 and 2024 against government organizations in Honduras, Taiwan, Thailand, and Pakistan. The initial access vector remains undetermined, though the group's past exploitation of vulnerabilities in Fortinet, GitLab, and Microsoft Exchange products has been noted.

Source: The Hacker News