ESET says the China-linked group used two Windows SprySOCKS variants against government targets in four countries, adding rootkit features, traffic diversion, and SOCKS proxy support.
Researchers at ESET said June 16 that the China-linked threat group Earth Lusca used Windows variants of SprySOCKS against government organizations in Taiwan, Thailand, Pakistan, and Honduras from 2023 to 2024.

ESET tracks the group as FishMonger. Other researchers use Aquatic Panda, Red Dev 10, and TAG-22 for related activity. ESET said the group has targeted organizations tied to foreign affairs, technology, and telecommunications.
Researchers knew SprySOCKS from Linux intrusions. Windows defenders now need to hunt the same backdoor across Microsoft estates, with special focus on kernel drivers, scheduled tasks, print processor abuse, and network traffic that hides the real command channel.
Two Windows variants
Operators use WIN_DRV for kernel-level hiding. They use WIN_PLUS as a smaller backdoor with the same core command set.
ESET counted more than 30 command-and-control commands. Operators can use both variants to communicate over TCP, UDP, and WebSocket; collect system details; manage processes and services; move files; run commands; proxy traffic with SOCKS; and log keystrokes, clipboard content, and active window titles.

Kernel hiding and persistence
ESET said WIN_DRV operators load a driver named RawWNPF into memory through DriverLoader, a kernel driver stored as fsdiskbit.sys. Attackers used a leaked certificate tied to the GitHub PastDSE project to sign DriverLoader.
After the attackers load RawWNPF, they hide processes from Windows API results, conceal network connections, remove files from directory listings, and hide Windows Registry entries that keep the malware running after reboot.
Attackers maintain WIN_DRV access with scheduled tasks and an Image File Execution Options entry for vds.exe. For WIN_PLUS, they register the payload as a Windows Print Processor named VSPMsg. MITRE ATT&CK documents both techniques, Image File Execution Options injection and Print Processors.
Traffic diversion
Attackers also inspect inbound TCP traffic and redirect crafted packets to the SprySOCKS backdoor. ESET said attackers can route commands "through a random TCP port" on the victim’s device while they keep the backdoor’s real listening port out of normal network views.
Defenders may see a clean port list while the attacker talks to the backdoor through traffic aimed at another service. A rootkit can intercept packets before user-mode network tools display the hidden listener.
Bootkit lead
ESET analysts also saw signs of a UEFI bootkit component that may exploit CVE-2023-24932, a Secure Boot flaw. Attackers behind BlackLotus used that flaw as a zero-day, according to prior reporting.
ESET left the bootkit link as a lead because its report did not include evidence tying the SprySOCKS activity to BlackLotus.
Defensive actions
Security teams should hunt across Windows and Linux hosts. Use the indicators published in ESET Research's full report, then map detections to driver loading, persistence keys, and network redirection.
Review scheduled tasks, IFEO debugger keys, and print processor registrations. Hunt for RawWNPF and fsdiskbit.sys. Compare process lists and directory listings from user-mode tools against endpoint detection and response telemetry that can see kernel tampering.
Monitor inbound TCP traffic for packets that reach exposed services but trigger process or socket activity tied to an unknown backdoor. Windows administrators should confirm Microsoft Secure Boot mitigations for CVE-2023-24932 on systems that support them.
Incident responders should preserve memory before they reboot suspect hosts. WIN_DRV uses in-memory driver loading, and a reboot can erase evidence that explains how the attacker hid files, sockets, and processes.
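The following PowerShell script is an added example, not code from ESET's report or from this article's author. It checks a single Windows host for the artifacts named above (the vds.exe IFEO entry, the VSPMsg print processor, fsdiskbit.sys, RawWNPF, scheduled tasks) and records the user-mode view of listening TCP sockets so it can be diffed against EDR or packet-capture data, which is the cross-view check the traffic diversion section calls for. The registry paths are the standard Windows locations; the output file name and the list of directories searched for the driver are the example's own choices.

```powershell
# Added hunting script; not from ESET's report or the article's author.
# Checks one Windows host for the artifacts the article names (vds.exe IFEO
# entry, VSPMsg print processor, fsdiskbit.sys, RawWNPF, scheduled tasks,
# listening sockets). Run from an elevated PowerShell session.
# Built-in caveat: a loaded rootkit hides files, registry values and sockets
# from exactly these user-mode calls, so an empty result means "nothing
# visible", not "clean"; compare with EDR or kernel-level telemetry.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. IFEO on vds.exe: a Debugger value redirects launches of vds.exe to the
#    attacker's binary (the WIN_DRV persistence path ESET describes).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO vds.exe Debugger' $dbg }
}

# 2. Print processors: WIN_PLUS registers as a processor named VSPMsg. Any
#    processor other than the built-in winprint is listed for review.
$ppRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
Get-ChildItem -Path $ppRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSParentPath -like '*\Print Processors' } |
    ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
        if ($_.PSChildName -eq 'VSPMsg') {
            Add-Finding 'Print processor VSPMsg (WIN_PLUS name)' "$($_.PSChildName) -> $dll"
        } elseif ($_.PSChildName -ne 'winprint') {
            Add-Finding 'Non-default print processor (review)' "$($_.PSChildName) -> $dll"
        }
    }

# 3. Driver artifacts: fsdiskbit.sys on disk (directories chosen for this
#    example) and any driver service referencing RawWNPF or fsdiskbit.
$driverDirs = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:TEMP)
foreach ($d in $driverDirs) {
    Get-ChildItem -Path $d -Filter 'fsdiskbit.sys' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'fsdiskbit.sys on disk' $_.FullName }
}
Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'RawWNPF|fsdiskbit' -or $_.PathName -match 'fsdiskbit' } |
    ForEach-Object { Add-Finding 'Driver service' "$($_.Name) state=$($_.State) path=$($_.PathName)" }

# 4. Scheduled tasks whose actions reference the same names or run from
#    user-writable directories, where dropped loaders commonly live.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'RawWNPF|fsdiskbit|vds\.exe' -or $a.Execute -match '\\Users\\|\\Temp\\|\\ProgramData\\') {
            Add-Finding 'Scheduled task (review)' "$($task.TaskPath)$($task.TaskName): $cmd"
        }
    }
}

# 5. Listening TCP sockets as the user-mode API reports them. Diff this file
#    against EDR socket telemetry or a packet capture: a port that receives
#    traffic but never appears here matches the hidden-listener pattern.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Sort-Object LocalPort |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort) pid=$($_.OwningProcess)" }
$listeners | Out-File -FilePath "$env:TEMP\usermode-listeners.txt"

if ($findings.Count -eq 0) {
    Write-Output 'No visible artifacts; verify against kernel-level telemetry before closing.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script deliberately reports non-default print processors and user-writable task paths as "review" items rather than detections, because legitimate software uses both; the named SprySOCKS artifacts are the high-confidence hits. Collect memory before running anything that might alter state on a host where a driver finding appears.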
