FishMonger’s arsenal upgraded: SprySOCKS for Windows

Brownie2019

Mar 9, 2019
ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I‑SOON. While we initially discovered the malware samples on VirusTotal, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations.

The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS. Both come with a hardcoded C&C configuration and support communication over TCP, UDP, and WebSocket protocols. The core backdoor functionality for both includes support for over 30 C&C commands, covering various functionalities including system information collection, process enumeration, as well as service management and file management functions such as listing, creating, deleting, and transferring files.

In addition to the core backdoor functionality, the WIN_DRV version utilizes kernel drivers to hide the malware’s network connections, processes, files, and registry keys, and enables TCP traffic diversion allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor's real listening port in the network traffic.

Based on ESET telemetry, there are limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly exploiting CVE‑2023‑24932.
This report is a good reminder that “Linux-only” tooling often doesn’t stay that way, and that modern intrusions may combine user-mode backdoors with stealth (drivers) and, in some cases, pre-OS persistence.

What’s notable in ESET’s findings
  • SprySOCKS now has Windows variants (internally labeled WIN_DRV and WIN_PLUS), with real-world activity seen by ESET during 2023–2024.
  • Broad command coverage (30+ commands) consistent with a full-featured backdoor: host recon, process/service control, and file operations (including transfer).
  • Multiple network transports (TCP/UDP/WebSocket). WebSocket support can help blend traffic into environments where HTTP(S)-like patterns are common.
  • WIN_DRV uses kernel drivers for stealth (hiding processes/files/registry keys/connections) and supports TCP traffic diversion to reduce visibility of the “real” listening port in network telemetry.
  • ESET notes limited indications that some scenarios may involve a UEFI bootkit component, possibly tied to CVE-2023-24932 (Secure Boot bypass-related mitigation area). This is not presented as universal to all cases, but it’s a significant “watch item.”

Practical takeaways (defender-focused)
  • Treat kernel-driver abuse as a priority: ensure Windows is fully patched, and enable/verify Microsoft driver protections where possible (e.g., Vulnerable Driver Blocklist, and HVCI/Memory Integrity where compatible). These can materially reduce driver-based hiding/abuse.
  • Hunt for unusual WebSocket usage from endpoints that don’t typically need it, and for long-lived, periodic beaconing patterns. Don’t assume “it’s just web traffic.”
  • If you operate government/enterprise environments: ensure EDR is tamper-resistant and configured to alert on suspicious driver loads, service creation, and persistence mechanisms. Driver events are often the pivot point with threats like this.
  • On the “possible UEFI angle”: prioritize Windows updates related to Secure Boot mitigations and keep system firmware (BIOS/UEFI) current from the OEM. If you suspect a boot-level compromise, standard OS cleanup may not be sufficient; incident response workflows should include firmware/boot integrity checks and, where appropriate, device reimaging with verified-good firmware baselines.

What to do if someone suspects exposure
  • Do not try to “verify safety” by guessing from symptoms alone. Collect logs (EDR, Windows Event Logs, Sysmon if present) and isolate the affected host if there’s active compromise concern.
  • Submit suspicious files to VirusTotal and/or your security vendor for analysis, and share relevant IoCs only if they come from reputable reporting (like ESET) rather than unverified pastebins.
  • If this is an organizational incident (government/enterprise), involve your internal IR team or a trusted responder early—driver/boot-related cases can escalate beyond typical malware cleanup.
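A read-only PowerShell audit that checks the defences the takeaways above recommend (HVCI/Memory Integrity, the Microsoft Vulnerable Driver Blocklist, Secure Boot) and then pulls recent kernel-driver service installs and Sysmon driver-load events to review; it is an added example, not code from ESET or from either post. The WMI class, registry value and event IDs used are documented by Microsoft and Sysmon; that Sysmon is installed on the host is an assumption.

```powershell
# Added example (not from the ESET report or the posts above): read-only audit of the
# driver-level defences and events the takeaways mention. Run in an elevated PowerShell.

function Get-DriverDefenceStatus {
    # Win32_DeviceGuard exposes VBS/HVCI state; a value of 2 in SecurityServicesRunning
    # means hypervisor-enforced code integrity (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvci = @($dg.SecurityServicesRunning) -contains 2
    # The Vulnerable Driver Blocklist is enforced when this documented DWORD is 1.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    [pscustomobject]@{ HVCIRunning = $hvci; VulnerableDriverBlocklist = $blocklist; SecureBoot = $secureBoot }
}

function Get-RecentKernelServiceInstalls {
    param([int]$Days = 30)
    # System event 7045 is written by Service Control Manager for every new service,
    # including kernel-mode drivers, which is the pivot point the post describes.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Service = $data.ServiceName
            Image = $data.ImagePath; Type = $data.ServiceType; Start = $data.StartType
        }
    } | Where-Object { $_.Type -match 'kernel' }
}

function Get-SuspiciousSysmonDriverLoads {
    param([int]$Days = 30)
    # Sysmon event 6 (DriverLoad) records signer details (assumes Sysmon is installed);
    # flag unsigned or invalidly signed drivers and anything outside the drivers directory.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Image = $data.ImageLoaded
            Signed = $data.Signed; Status = $data.SignatureStatus; Signer = $data.Signature
        }
    } | Where-Object { $_.Signed -ne 'true' -or $_.Status -ne 'Valid' -or $_.Image -notmatch '\\Windows\\System32\\drivers\\' }
}

Get-DriverDefenceStatus
Get-RecentKernelServiceInstalls | Format-Table -AutoSize
Get-SuspiciousSysmonDriverLoads | Format-Table -AutoSize
```

A result other than all three status fields being true, or any row in the two event listings, is a lead to review, not a verdict; legitimate third-party drivers will appear in the lists too.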

Sources