More about SprySOCKS
In the campaign, the attackers used a Linux variant of the ELF injector called mandibule to drop SprySOCKS.
- The backdoor is built on the 'HP-Socket' networking framework, chosen for its high performance, and encrypts its TCP communications with the C2 server using AES in ECB mode (a mode that leaks plaintext block patterns, which is worth remembering when analysing captured traffic).
- Its main capabilities include gathering system information, starting an interactive shell backed by the PTY subsystem, enumerating network connections, and managing SOCKS proxy configurations.
- It also supports basic file operations: uploading, downloading, listing, deleting, renaming, and creating directories.
Tracing the malware’s origin
- The malware borrows much of its source code from the open-source Trochilus Windows backdoor.
- Its implementation of the interactive shell appears to be inspired by the Linux variant of the Derusbi malware.
- The structure of the SprySOCKS C2 protocol is similar to the one used by the RedLeaves backdoor.
Earth Lusca’s recent activity
- The group is currently attempting to exploit several n-day RCE vulnerabilities, disclosed between 2019 and 2022, to compromise public-facing servers.
- These flaws are abused to deploy a web shell and install a Cobalt Strike beacon for lateral movement.
- During the later stages of infection, the group intends to exfiltrate documents and email account credentials and deploy advanced backdoors such as ShadowPad and the Linux variant of Winnti.
Researchers have identified two different versions of the backdoor, indicating that it is still under active development. Organizations should proactively manage their attack surface and minimize the potential entry points into their systems, and should check their environments against the IOCs associated with the campaign.