Executive Summary
Between 2023 and 2024, the Chinese state-sponsored threat group Earth Lusca, also known as FishMonger, expanded its cyber espionage operations by deploying Windows variants of the previously Linux-based SprySOCKS malware. These sophisticated backdoors targeted government organizations in Taiwan, Thailand, Pakistan, and Honduras, focusing on sectors such as foreign affairs, technology, and telecommunications. The Windows versions, identified as WIN_DRV and WIN_PLUS, introduced advanced capabilities including kernel-level stealth mechanisms, enabling the malware to hide processes, network connections, and files, thereby evading detection. Both variants support over 30 command-and-control commands, facilitate communication over multiple protocols, and possess functionalities like keystroke logging and SOCKS proxy support.
The emergence of these Windows variants underscores a significant evolution in Earth Lusca's tactics, highlighting the group's commitment to enhancing its toolset for broader and more effective cyber espionage campaigns. This development reflects a broader trend among nation-state actors to adapt and refine their malware to target diverse operating systems, emphasizing the need for organizations to implement comprehensive, cross-platform cybersecurity measures.
Why This Matters Now
The deployment of Windows variants of SprySOCKS by Earth Lusca signifies an escalation in cyber espionage tactics, emphasizing the urgent need for organizations to bolster their defenses against increasingly sophisticated and cross-platform threats.
Attack Path Analysis
Earth Lusca initiated attacks by exploiting vulnerabilities in public-facing servers to deploy the SprySOCKS backdoor. Upon gaining access, they utilized kernel-level drivers to escalate privileges, enabling deeper system control. The attackers then moved laterally within the network, leveraging the backdoor's capabilities to access additional systems. They established command and control channels over TCP, UDP, and WebSocket protocols to manage compromised hosts. Sensitive data was exfiltrated using the backdoor's file management and SOCKS proxy functionalities. The impact included unauthorized access to confidential government information and potential disruption of operations.
Kill Chain Progression
Initial Compromise
Description
Earth Lusca exploited vulnerabilities in public-facing servers to deploy the SprySOCKS backdoor.
Related CVEs
CVE-2023-24932
CVSS 6.7. A vulnerability in the Secure Boot component of Windows allows an attacker with administrative privileges or physical access to bypass Secure Boot protections, potentially enabling the execution of untrusted code during the boot process.
Affected Products:
Microsoft Windows 10 – 1507, 1607, 1809, 20H2, 21H2, 22H2
Microsoft Windows 11 – 21H2, 22H2
Microsoft Windows Server – 2008, 2012, 2016, 2019, 2022
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Process Injection: Dynamic-link Library Injection
Proxy
Command and Scripting Interpreter: PowerShell
Process Discovery
Screen Capture
Access Token Manipulation
Account Discovery: Local Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Network and Environment Segmentation
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of SprySOCKS Windows malware campaign by Earth Lusca APT group, requiring enhanced zero trust segmentation and east-west traffic monitoring.
Telecommunications
Targeted sector vulnerable to encrypted traffic exfiltration and lateral movement through network infrastructure, necessitating inline IPS and egress security controls.
Information Technology/IT
Critical exposure through kernel-level rootkit capabilities and UEFI bootkit components requiring multicloud visibility, threat detection, and Kubernetes security implementations.
Defense/Space
High-risk sector facing sophisticated APT espionage operations targeting foreign affairs technology, demanding comprehensive encrypted traffic protection and anomaly response capabilities.
Sources
- Windows version of SprySOCKS Linux malware used to attack govt orgs: https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/
- SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection: https://www.darkreading.com/threat-intelligence/sprysocks-windows-variant-kernel-drivers
- Guidance related to Secure Boot Manager changes associated with CVE-2023-24932: https://www.microsoft.com/en-us/msrc/blog/2023/05/guidance-related-to-secure-boot-manager-changes-associated-with-cve-2023-24932
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command channels, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in public-facing servers would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and gain deeper system control would likely be constrained, limiting their access scope.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely be constrained, reducing their ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, limiting their management of compromised hosts.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The attacker's ability to access confidential information and disrupt operations would likely be constrained, reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Foreign Affairs Communications
- Technology Infrastructure
- Telecommunications Services
Estimated downtime: 7 days
Estimated loss: $500,000
Confidential government communications and sensitive technological data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch public-facing servers to mitigate known vulnerabilities.