Full Report
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP,
Analysis Summary
# Tool/Technique: SprySOCKS (Windows Variants: WIN_DRV and WIN_PLUS)
## Overview
SprySOCKS is a sophisticated backdoor previously identified as a Linux-exclusive piece of malware. Recent intelligence has uncovered two Windows-specific variants, internally designated as **WIN_DRV** and **WIN_PLUS**. These variants allow threat actors to establish persistent command-and-control (C2) communication, exfiltrate data, and execute arbitrary commands on compromised Windows environments.
## Technical Details
- **Type**: Malware family (Backdoor)
- **Platform**: Windows (Newly discovered), Linux (Original)
- **Capabilities**: Multi-protocol C2 communication (TCP, UDP), remote command execution, file system manipulation, system reconnaissance.
- **First Seen**: Reported by ESET in late 2024 (Windows variants).
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Windows Service
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
  - T1571 - Non-Standard Port
  - T1095 - Non-Application Layer Protocol (TCP/UDP)
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
## Functionality
### Core Capabilities
- **Multi-Protocol C2**: Hard-coded configuration supporting communication over TCP and UDP protocols to maintain connectivity with remote servers.
- **Interactive Shell**: Provides attackers with a remote command-line interface on the infected host.
- **File Management**: Capabilities to upload, download, and delete files from the local filesystem.
### Advanced Features
- **Variant Specialization**:
  - **WIN_DRV**: Likely focused on persistence or interaction at a driver/system level (pending deeper forensic analysis).
  - **WIN_PLUS**: An enhanced version with an expanded feature set compared to the base Linux version.
- **Internal Versioning**: The presence of internal strings (WIN_DRV/WIN_PLUS) suggests a structured development lifecycle and modular approach by the authors.
## Indicators of Compromise
*Note: Specific hashes and IPs are based on the ESET findings referenced in the context.*
- **File Hashes**: *(Example hashes - consult the official ESET report for the full list)*
  - SHA256: [Pending specific hash from full ESET disclosure]
- **File Names**:
  - Often masquerades as legitimate Windows system drivers or utilities.
- **Network Indicators**:
  - [C2 Domains]: hxxp[:]//[redacted-c2-domain][.]com
  - [IP Addresses]: 1.2.3[.]4 (defanged placeholder)
- **Behavioral Indicators**:
  - Unexpected network traffic on non-standard TCP/UDP ports.
  - Creation of unauthorized Windows services.
## Associated Threat Actors
- **Earth Lusca** (also known as TAG-22): This group has historically utilized the Linux version of SprySOCKS and is the primary suspect for the development of the Windows variants.
## Detection Methods
- **Signature-based detection**: Antivirus and EDR solutions updated with signatures for the "WIN_DRV" and "WIN_PLUS" strings.
- **Behavioral detection**: Monitoring for unusual parent-child process relationships (e.g., a system service spawning `cmd.exe`) and anomalous outbound UDP traffic.
- **YARA rules**: Focused on the hard-coded configuration block structure and internal version constants.
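The two behavioral checks listed above, as an added hunting example that is not part of the original report: a service host process spawning `cmd.exe`, and outbound UDP to ports outside an allow-list. The event records are constructed, Sysmon-style dictionaries (Event ID 1 process creation, Event ID 3 network connection), and the allow-list and service-host set are assumptions for an illustrative environment.

```python
# Assumed environment policy: ports on which outbound UDP is expected.
ALLOWED_UDP_PORTS = {53, 123, 500, 4500}
# Processes that host Windows services; cmd.exe directly under them is rarely legitimate.
SERVICE_HOSTS = {"services.exe", "svchost.exe"}

def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1].lower()

def hunt_service_shell(events):
    """Flag process-creation records (Sysmon Event ID 1) where a service host
    process is the direct parent of cmd.exe. Returns (rule, host, detail) tuples."""
    findings = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        if _basename(e["Image"]) == "cmd.exe" and _basename(e["ParentImage"]) in SERVICE_HOSTS:
            findings.append(("service-spawns-cmd", e["Computer"],
                             f"{e['ParentImage']} -> {e['Image']}"))
    return findings

def hunt_udp_c2(events):
    """Flag outbound UDP (Sysmon Event ID 3) to ports outside the allow-list,
    counted per (host, destination, port) so repeated check-ins stand out."""
    counts = {}
    for e in events:
        if e.get("EventID") != 3 or e.get("Protocol") != "udp" or not e.get("Initiated"):
            continue
        port = int(e["DestinationPort"])
        if port in ALLOWED_UDP_PORTS:
            continue
        key = (e["Computer"], e["DestinationIp"], port)
        counts[key] = counts.get(key, 0) + 1
    return [("udp-nonstandard-port", h, f"{ip}:{p} x{n}")
            for (h, ip, p), n in counts.items()]

# Constructed sample telemetry (not from the report); RFC 5737 test addresses.
def proc(image, parent):
    return {"EventID": 1, "Computer": "WS01", "Image": image, "ParentImage": parent}

def conn(ip, port, proto="udp"):
    return {"EventID": 3, "Computer": "WS01", "Protocol": proto, "Initiated": True,
            "DestinationIp": ip, "DestinationPort": str(port)}

SAMPLE_EVENTS = [
    proc(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\svchost.exe"),
    proc(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    conn("203.0.113.10", 8443), conn("203.0.113.10", 8443),
    conn("192.0.2.53", 53), conn("203.0.113.10", 8443, "tcp"),
]
```

Calling `hunt_service_shell(SAMPLE_EVENTS)` and `hunt_udp_c2(SAMPLE_EVENTS)` returns one finding each; the TCP connection and the DNS query on port 53 are correctly ignored. A real Sysmon export can be fed in as a list of dictionaries with the same field names.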
## Mitigation Strategies
- **Network Segmentation**: Restrict outbound traffic on non-standard ports to prevent C2 check-ins.
- **Endpoint Hardening**: Implement Least Privilege principles to prevent the installation of unauthorized system services/drivers.
- **Monitoring**: Deploy EDR tools to monitor for suspicious process injections or unexpected file writes in `%System32%`.
## Related Tools/Techniques
- **Trojan.Linux.SprySOCKS**: The original Linux iteration of this backdoor.
- **ShadowPad**: Often found in the toolkits of actors who utilize SprySOCKS.
- **Cobalt Strike**: Frequently used alongside custom backdoors for lateral movement.