SprySOCKS

Description

(Trend Micro) Analysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.

Meanwhile, the structure of SprySOCKS’s command-and-control (C&C) protocol is similar to one used by the RedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines. It consists of two components, the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and running the main payload.

Names

Name
SprySOCKS

Type

Backdoor

Information

https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks

Other Information

Uuid

13243f5b-af8f-4cca-92d0-fda5be8c437a

Last Card Change

2023-10-13

Threat Intelligence Garden

Explorer

SprySOCKS

SprySOCKS

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks