China-Linked SprySOCKS Backdoor Expands to Windows with Enhanced Stealth

Cybersecurity researchers have identified two previously undocumented Windows variants of the SprySOCKS backdoor, a malware initially believed to target only Linux systems. These new versions, internally labeled as WIN_DRV and WIN_PLUS, come equipped with hard-coded command-and-control (C&C) configurations and support communication over TCP, UDP, and WebSocket protocols.

Both variants offer over 30 commands facilitating tasks such as system information collection, process enumeration, service management, and file system operations. Notably, WIN_DRV employs kernel drivers to conceal the malware’s network connections, processes, files, and registry keys. This variant also enables TCP traffic diversion, allowing operators to send commands through random TCP ports on the infected device without revealing the backdoor’s actual listening port in network traffic.

SprySOCKS was first publicly documented in September 2023 and attributed to a China-linked state-sponsored threat actor known as Earth Lusca. This group, active since at least 2021, is also tracked under various monikers, including Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. Earth Lusca has been associated with cyber espionage campaigns targeting organizations worldwide.

The Windows variants are part of SprySOCKS version 1.8. The WIN_DRV sample utilizes a kernel driver named RawWNPF for advanced stealth, loaded via another encrypted driver called DriverLoader. The attack chain involves an initial access method that drops a batch script, creating and executing a scheduled task to trigger a DLL side-loading chain, ultimately deploying the SprySOCKS backdoor and its driver components. Previously, the group has exploited known vulnerabilities in public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra instances to gain initial access.
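The chain just described (scheduled task, then DLL side-loading, then a driver load) is something a defender can correlate in endpoint telemetry. The following is an added example, not code from the original report or from the researchers who documented SprySOCKS; it runs a simple stage-correlation rule over constructed Sysmon-style events (event IDs 1, 7 and 6 for process create, image load and driver load), and every host name, path and file name in the sample data is made up.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style events as JSON lines (sample data, not real telemetry).
# id 1 = process create, id 7 = image (DLL) loaded, id 6 = driver loaded.
SAMPLE_LOG = r"""
{"ts":"2024-01-10T09:00:00","host":"ws01","id":1,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /tn Updater /tr C:\\Users\\Public\\upd.bat"}
{"ts":"2024-01-10T09:01:30","host":"ws01","id":7,"image":"C:\\Users\\Public\\host.exe","loaded":"C:\\Users\\Public\\version.dll","signed":false}
{"ts":"2024-01-10T09:02:10","host":"ws01","id":6,"loaded":"C:\\Users\\Public\\svcdrv.sys","signed":false}
{"ts":"2024-01-10T11:00:00","host":"ws02","id":1,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /tn Backup /tr C:\\Program Files\\Backup\\run.exe"}
{"ts":"2024-01-10T11:00:05","host":"ws02","id":7,"image":"C:\\Program Files\\Backup\\run.exe","loaded":"C:\\Windows\\System32\\version.dll","signed":true}
"""

WINDOW = timedelta(minutes=15)     # later stages must follow task creation within this window
SYSTEM_ROOT = "c:\\windows\\"      # DLLs/drivers loaded from outside here are treated as suspicious

def parse(log):
    """Parse JSON lines into dicts with real timestamps, oldest first."""
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def outside_system_root(path):
    return not path.lower().startswith(SYSTEM_ROOT)

def stage(e):
    """Map one event to a stage of the described chain, or None if it matches nothing."""
    if e["id"] == 1 and e["image"].lower().endswith("schtasks.exe") and "/create" in e.get("cmd", "").lower():
        return "scheduled_task"
    if e["id"] == 7 and not e["signed"] and outside_system_root(e["loaded"]):
        return "dll_sideload"      # unsigned DLL pulled in from a user-writable location
    if e["id"] == 6 and (not e["signed"] or outside_system_root(e["loaded"])):
        return "driver_load"
    return None

def detect(log):
    """Return {host: stages} for hosts where a task creation is followed by both other stages."""
    by_host = {}
    for e in parse(log):
        by_host.setdefault(e["host"], []).append(e)
    alerts = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if stage(start) != "scheduled_task":
                continue
            seen = ["scheduled_task"]
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > WINDOW:
                    break              # events are sorted, so nothing later can qualify
                s = stage(later)
                if s and s not in seen:
                    seen.append(s)
            if {"dll_sideload", "driver_load"} <= set(seen):
                alerts[host] = seen
    return alerts
```

On the sample data only ws01 is flagged; ws02 creates a task but loads a signed DLL from System32 and never loads a driver, so it stays below the alert threshold.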

These developments underscore the evolving tactics of state-sponsored threat actors in enhancing malware capabilities and stealth. The expansion of SprySOCKS to Windows platforms, coupled with the use of kernel drivers for concealment, highlights the need for robust cybersecurity measures and vigilance against sophisticated cyber threats.