Chinese APT Expands Arsenal: Windows Variants of SprySOCKS Malware Target Governments
A sophisticated Chinese state-backed threat group, **Earth Lusca**, has expanded its cyberespionage toolkit by deploying Windows versions of the **SprySOCKS** malware. Previously known for its Linux capabilities, this new development targets government organizations across Asia and Central America, showcasing enhanced stealth and persistence mechanisms.
### **Earth Lusca** Leverages Windows for Espionage
New research from **ESET** reveals that the Chinese advanced persistent threat (APT) group, **Earth Lusca** (also tracked as **FishMonger**, **Aquatic Panda**, and **Red Dev 10**), has been deploying Windows variants of its **SprySOCKS** malware. These new versions were observed in attacks between 2023 and 2024, targeting government entities in Taiwan, Thailand, Pakistan, and Honduras.
Initially, **SprySOCKS** was identified as a Linux-based backdoor used by **Earth Lusca** against government organizations focused on foreign affairs, technology, and telecommunications. The discovery of Windows variants signifies a broadening of the group's operational scope and target systems.
### Enhanced Stealth with Kernel-Level Capabilities
Unlike the Linux backdoor, one of the Windows builds (the WIN_DRV variant described below) adds a kernel driver for stealth. The driver hides the malware's artifacts from user-mode tooling and lets the operators reach the backdoor through traffic diverted from arbitrary TCP ports, so no dedicated listening port is exposed, which makes network-based detection considerably harder.
**ESET** categorizes the Windows variants into two main types:
* **WIN_DRV**: Features kernel drivers for rootkit-like capabilities.
* **WIN_PLUS**: A more streamlined backdoor.
Both variants share a common set of powerful features:
* Communication over TCP, UDP, and WebSocket protocols.
* Support for over 30 command-and-control (C2) commands.
* Comprehensive system information collection.
* Process and service enumeration and management.
* File system manipulation (list, create, delete, upload, download, copy, rename, execute).
* SOCKS proxy functionality, operating as both client and server.
* Keylogging, clipboard content capture, and active window title logging.

### Deep Dive into WIN_DRV's Rootkit Features
The **WIN_DRV** variant stands out because it loads a driver named 'RawWNPF' directly into memory. The loading is done by a second kernel driver, 'DriverLoader' (fsdiskbit.sys), which is signed with a leaked certificate associated with the **PastDSE** project on **GitHub**. Because the signature is valid, the loader passes Driver Signature Enforcement; defenders should treat the certificate itself, not only the file hash, as an indicator.
This driver enables sophisticated evasion tactics, including:
* Hiding processes through Windows API manipulation.
* Concealing network connections.
* Obscuring files from directory listings.
* Hiding malicious Registry key entries used for persistence.
Persistence for **WIN_DRV** is achieved via scheduled tasks and an Image File Execution Options (IFEO) entry for `vds.exe`, so the payload runs whenever that binary is launched. For **WIN_PLUS**, persistence is maintained by registering the payload as a Windows Print Processor named `VSPMsg`, which the spooler loads.
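The persistence locations named above can be swept on a host with a short script. The following is an added hunting example, not code from ESET's report; the filters it applies (ignoring the built-in `winprint` processor, and flagging scheduled-task actions outside the Windows directory) are heuristics chosen here and will need manual review of the output. It must be run from an elevated PowerShell session.

```powershell
# Added hunting script (not part of ESET's analysis). Enumerates the persistence
# points reported for WIN_DRV and WIN_PLUS. Caveat: on a host where the WIN_DRV
# rootkit is active, hidden registry keys and processes may not be returned;
# repeat the checks after a clean boot or against an offline copy of the hives.

$findings = @()

# 1. IFEO "Debugger" hijacks (WIN_DRV is reported to use an entry for vds.exe)
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Type = 'IFEO Debugger'; Name = $_.PSChildName; Value = $dbg }
    }
}

# 2. Print processors other than the built-in winprint (WIN_PLUS registers 'VSPMsg')
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
Get-ChildItem $envRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $ppPath = Join-Path $_.PSPath 'Print Processors'
    Get-ChildItem $ppPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne 'winprint' } |
        ForEach-Object {
            $drv = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Driver
            $findings += [pscustomobject]@{ Type = 'Print Processor'; Name = $_.PSChildName; Value = $drv }
        }
}

# 3. Scheduled tasks whose action is not under the Windows directory (heuristic;
#    bare executable names such as "rundll32.exe" will also be listed for review)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
            $findings += [pscustomobject]@{
                Type  = 'Scheduled Task'
                Name  = "$($_.TaskPath)$($_.TaskName)"
                Value = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

# 4. Installed kernel drivers matching the reported loader filename (fsdiskbit.sys)
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'fsdiskbit' } | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Kernel driver'; Name = $_.Name; Value = $_.PathName }
}

$findings | Sort-Object Type, Name | Format-Table -AutoSize
```

Any IFEO `Debugger` value on a system binary, any print processor besides `winprint`, and any driver service pointing at `fsdiskbit.sys` warrant immediate follow-up; the scheduled-task list is noisier and should be compared against a known-good baseline.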
A notable feature across these variants is the ability to inspect incoming TCP traffic and redirect specially crafted packets to the **SprySOCKS** backdoor. This allows for communication without exposing the listening port, significantly enhancing the malware's stealth. As **ESET** explains, "The WIN_DRV version [...] enables TCP traffic diversion allowing the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's real listening port in the network traffic."

### Potential UEFI Bootkit Link
**ESET** telemetry also indicated the potential presence of a UEFI bootkit component, which might exploit **CVE-2023-24932**. This Secure Boot flaw was previously exploited as a zero-day by the **BlackLotus** UEFI malware. While further details and strong evidence to confirm a direct link to **BlackLotus** were not provided, this suggests an even deeper level of compromise could be at play.
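Whether a host is still exposed to **CVE-2023-24932** depends on the state of its Secure Boot databases, not on a patch level alone. The following is an added posture check, not part of ESET's report. It assumes Microsoft's documented string-match approach for the 2023 Windows UEFI CA (enrolled in the DB by the KB5025885 mitigation) and for the 2011 production CA (revoked via DBX), and it must be run elevated on a UEFI-booted system.

```powershell
# Added Secure Boot posture check (not from ESET's analysis).
# Assumptions: the DB/DBX contents are searched for the CA subject strings that
# Microsoft's CVE-2023-24932 guidance (KB5025885) uses; the SecureBoot module's
# Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets are available.

function Get-SecureBootPosture {
    $result = [ordered]@{
        SecureBootEnabled = $false   # Secure Boot switched on in firmware
        NewCaInDb         = $null    # 'Windows UEFI CA 2023' present in DB
        OldCaInDbx        = $null    # 'Microsoft Windows Production PCA 2011' revoked in DBX
        Error             = $null
    }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI

        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).bytes)

        $result.NewCaInDb  = [bool]($db  -match 'Windows UEFI CA 2023')
        $result.OldCaInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    } catch {
        # Typical causes: legacy BIOS boot, Secure Boot unsupported, or not elevated
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

Get-SecureBootPosture
```

A host reporting `SecureBootEnabled = True` but `OldCaInDbx = False` still trusts the certificate chain that **BlackLotus**-style bootkits abuse; such systems should be prioritised for the KB5025885 enforcement steps and for firmware-level inspection if any other **Earth Lusca** indicators are present.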
### Implications for IT Security Professionals
While these Windows variants of **SprySOCKS** are not newly developed, their discovery underscores **Earth Lusca's** evolving capabilities and its commitment to diversifying its attack vectors. Organizations, particularly those in government and critical infrastructure, must review the detailed technical analysis and Indicators of Compromise (IoCs) provided in **ESET's** report to bolster their defenses against this sophisticated threat.
This expansion of **Earth Lusca's** arsenal highlights the persistent and adapting nature of state-sponsored cyber espionage, necessitating continuous vigilance and advanced detection strategies from cybersecurity teams worldwide.