Names | SprySOCKS | |
Category | Malware | |
Type | Backdoor | |
Description | (Trend Micro) Analysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware. Meanwhile, the structure of SprySOCKS’s command-and-control (C&C) protocol is similar to one used by the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines. It consists of two components, the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and running the main payload. | |
Information | <https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html> | |
Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks> |
Last change to this tool card: 13 October 2023
Download this tool card in JSON format
Previous: SPOONBEARD
Next: spwebmember
Changed | Name | Country | Observed | ||
APT groups | |||||
Earth Lusca | 2019-Sep 2024 |
1 group listed (1 APT, 0 other, 0 unknown)
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |