ESET found Windows variants of the SprySOCKS backdoor used in attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras, and attributed the activity to Earth Lusca. The malware adds kernel-level stealth, multiple persistence methods, and TCP traffic diversion, with possible links to a UEFI bootkit component tied to CVE-2023-24932. #SprySOCKS #EarthLusca #FishMonger #AquaticPanda #RedDev10 #TAG22 #CVE202324932 #BlackLotus
Key points
- Windows versions of SprySOCKS were used against government targets in four countries.
- ESET attributes the campaign with high confidence to Earth Lusca, also known as FishMonger.
- The Windows variants add kernel-level stealth and traffic redirection capabilities.
- WIN_DRV and WIN_PLUS use different persistence methods and support many C2 commands.
- Telemetry suggests a possible UEFI bootkit component, but no strong BlackLotus link was confirmed.