ESET researchers have found two as-yet undocumented Home windows variants of SprySOCKS, a beforehand Linux-only backdoor reportedly utilized by FishMonger, the group believed to be operated by a Chinese language contractor named I‑SOON. Whereas we initially found the malware samples on VirusTotal, ESET telemetry exhibits actual exercise between 2023 and 2024, with a number of victims in Honduras, Taiwan, Thailand, and Pakistan, concentrating on principally authorities organizations.
The Home windows variants found are internally marked as WIN_DRV and WIN_PLUS. Each include a hardcoded C&C configuration and help communication over TCP, UDP, and WebSocket protocols. The core backdoor performance for each consists of help for over 30 C&C instructions, overlaying varied functionalities together with system data assortment, course of enumeration, in addition to service administration and file administration capabilities akin to itemizing, creating, deleting, and transferring recordsdata.
Along with the core backdoor performance, the WIN_DRV model makes use of kernel drivers to cover the malware’s community connections, processes, recordsdata, and registry keys, and allows TCP site visitors diversion permitting the malware operators to ship instructions to the backdoor by way of a random TCP port on the sufferer’s gadget with out exposing the backdoor’s actual listening port within the community site visitors.
Based mostly on ESET telemetry, there are restricted indications that some SprySOCKS assault eventualities could contain a UEFI bootkit element, presumably exploiting CVE‑2023‑24932.
The evaluation supplied on this report leads us to attribute these new, Home windows variants to FishMonger with excessive confidence.
Key factors of this blogpost:
- We found two beforehand undocumented Home windows variants of FishMonger’s SprySOCKS backdoor.
- ESET telemetry exhibits exercise between 2023 and 2024, primarily concentrating on authorities organizations in Honduras, Taiwan, Thailand, and Pakistan.
- Each Home windows variants help communication over TCP, UDP, and WebSocket protocols, and implement over 30 instructions.
- The WIN_DRV variant creates a stealthy passive TCP backdoor, counting on a kernel driver to redirect site visitors to the backdoor’s hidden TCP port at any time when specifically crafted knowledge is detected inside a acquired TCP packet.
FishMonger profile
FishMonger – believed to be operated by a Chinese language contractor named I‑SOON (see our This autumn 2023–Q1 2024 APT Exercise Report) – is a cyberespionage group that falls beneath the Winnti Group umbrella and is most probably working out of China, from town of Chengdu. It’s also often called Earth Lusca, TAG-22, Aquatic Panda, or Pink Dev 10. We revealed an evaluation of FishMonger in early 2020 when it closely focused universities in Hong Kong through the civic protests that began in June 2019. The group can be identified to function watering-hole assaults, as reported by Development Micro. FishMonger’s toolset consists of ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.
Technical evaluation
On this part, we offer a technical evaluation of those new, Home windows variants of FishMonger’s SprySOCKS backdoor.
The archive that led us to this discovery was uploaded to VirusTotal in April 2024 beneath the identify klelam00007.zip; its contents are proven in Determine 1.
This archive incorporates varied recordsdata, together with official ones used to host DLL side-loading, and three suspicious-looking, encrypted recordsdata with .dat extensions. Our subsequent evaluation revealed that these encrypted recordsdata include a brand new, beforehand undocumented Home windows variant of FishMonger’s SprySOCKS backdoor, labeled WIN_DRV by its builders. Additional investigation revealed a further backdoor model, labeled WIN_PLUS, in ESET Telemetry.
Preliminary entry
FishMonger has been identified for concentrating on the public-facing servers of its victims, usually exploiting server-based N-day vulnerabilities, to realize preliminary entry. Whereas we weren’t capable of verify the precise method FishMonger obtained into its victims’ programs on this marketing campaign, the presence of a server working system on a few of the sufferer units together with FishMonger’s typical modus operandi recommend that the attackers could effectively have gotten in by way of misconfigured or unpatched public-facing functions.
SprySOCKS for Home windows
In September 2023, Development Micro revealed a report a few new FishMonger Linux backdoor that its analysts named SprySOCKS. The code of the backdoor is predicated on an open-source Home windows distant entry trojan (RAT) named Trochilus, and shares a number of frequent traits with the RedLeaves backdoor; however, it was prolonged and modified sufficient to be thought of a brand new backdoor. On this report, we analyze two as but undisclosed Home windows variants of v1.8 of SprySOCKS:
- One has been named WIN_DRV by its builders and makes use of a kernel driver for superior stealth.
- One other, with out the driving force, is known as WIN_PLUS.
As proven in Determine 2, the backdoor model sort and quantity are hardcoded within the binary.
The overwhelming majority of artifacts and performance current within the Linux model of the SprySOCKS backdoor launched in Development Micro’s report can be discovered within the newly found Home windows SprySOCKS variants described on this report. These embrace:
- the identical C&C message format,
- very related C&C instructions (plus some further ones),
- the identical encryption keys and algorithms, and
- the usage of the identical statically linked networking library (HP-Socket).
For each of those new SprySOCKS variants, the core backdoor performance involving C&C communication and accessible instructions could be very related. Essentially the most notable variations will be noticed in the best way the ultimate backdoor is loaded, within the improved stealthiness, and within the element names and paths used.
Within the following subsections, we first analyze parts concerned within the execution chain of particular person SprySOCKS variants, after which we describe the backdoor element, which is usually the identical for each variants.
WIN_DRV parts
In an archive uploaded to VirusTotal, we found the WIN_DRV model of SprySOCKS, which comes with an empty C&C configuration. Because of this, this model doesn’t actively contact any distant addresses; nevertheless, it’s nonetheless able to launching a TCP server on a random port on the sufferer’s gadget, thus appearing as a passive backdoor. Apparently, the attackers don’t must know this server’s TCP port quantity as a result of, as defined later, the RawWNPF driver utilized by the WIN_DRV model permits silent diversion – to the backdoor itself – of TCP site visitors acquired on any open port (extra within the RawWNPF driver part).
As proven in Determine 1, the archive containing the WIN_DRV model of SprySOCKS incorporates a number of recordsdata:
- klelam00007.bat – a batch script accountable for persisting the backdoor. As proven in Determine 3, it:
○ copies all recordsdata from the present working listing into the %SystemRootpercentFonts listing (to perform correctly, the batch file must be deployed in the identical listing as the remainder of the recordsdata from the archive),
○ creates a scheduled process named ApphostRagistreationVerifier, configured to execute ApphostRagistreationVerifier.exe (which is a official, validly signed executable, renamed by the attackers to imitate the official Microsoft-signed AppHostRegistrationVerifier.exe) with NT AUTHORITYSYSTEM privileges on each system begin. The attackers use the well-known DLL side-loading method, making the most of the best way Home windows masses DLLs, to load their very own malicious DLL (on this case tpsvcloc.dll) through the use of a official, signed software. To be particular, on this case the attackers use Malware Sideloading through MFC Satellite tv for pc DLLs method (notice the loc string within the tpsvcloc.dll filename),
- ApphostRagistreationVerifier.exe – a official, ThinPrint’ AutoConnect printer creation service signed executable (SHA‑1: FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7) that masses the tpsvc.dll library,
- tpsvc.dll – a official, signed library that masses the tpsvcloc.dll library,
- tpsvcloc.dll – the SprySOCKS backdoor loader,
- X1B5206BDC1743DD.dat – an encrypted container comprising the SprySOCKS backdoor and copies of the subsequent two recordsdata,
- KX1B5206BDC1743DD.dat – DriverLoader, an encrypted kernel driver accountable for loading one other kernel driver from KW1B5206BDC1743FP.dat, and
- KW1B5206BDC1743FP.dat – RawWNPF, an encrypted kernel driver accountable for hiding the backdoor’s recordsdata and community exercise.
Determine 4 depicts the execution chain of the SprySOCKS WIN_DRV variant.
The next three subsections present technical analyses of the aforementioned parts: SprySOCKS loader, DriverLoader driver, and RawWNPF driver.
SprySOCKS loader
The loader begins with preliminary checks for the presence of a digital surroundings and some safety merchandise. It seems for particular libraries (particularly: snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, and SbieDll.dll) within the loader’s course of, and exits if it finds any of them.
As the subsequent step, it verifies whether or not persistence was set efficiently by the klelam00007.bat script, from Determine 3. To take action, it checks whether or not the present loader’s picture was loaded from the %SystemRootpercentFonts listing, and tries to entry the %SystemRootpercentFontsX1B5206BDC1743DD.dat, %SystemRootpercentFontstpsvc.dll, and %SystemRootpercentFontstpsvcloc.dll recordsdata. If it finds that any of those recordsdata are usually not the place they’re speculated to be, it units up persistence by itself by:
- copying X1B5206BDC1743DD.dat, tpsvc.dll, tpsvcloc.dll, and ApphostRagistreationVerifier.exe from the present working listing into the %SystemRootpercentFonts listing,
- registering the %SystemRootpercentFontsApphostRagistreationVerifier.exe software as a debugger for vds.exe (a Digital Disk Service that may be mechanically executed on system begin) by writing the applying’s path into the registry worth HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exedebugger, and
- dropping the affair-build.bat file into the %SystemRootpercentFonts listing after which executing it through cmd.exe. This script, proven in Determine 5, clears traces of this course of by eradicating recordsdata from the deployment listing and executing the malware once more (now from %SystemRootpercentFonts) by restarting the vds service.
When persistence is about, the loader continues with loading payloads from an encrypted container situated at %SystemRootpercentFontsX1B5206BDC1743DD.dat. The decryption algorithm and key: 128-bit AES in ECB mode with the hardcoded key uXQLESMXGaRMs6BL.
This produces shellcode generated by the DllToShellCode open-source instrument. Earlier than executing the shellcode, it extracts the remainder of the encrypted payloads from the container into separate recordsdata:
- %SystemRootpercentFontsKX1B5206BDC1743DD.dat
- %SystemRootpercentFontsKW1B5206BDC1743FP.dat
When accomplished, the loader spawns a brand new svchost.exe course of utilizing CreateProcessAsUserW with a token obtained from spoolsv.exe, and injects the backdoor’s shellcode into the method through the use of the course of doppelgänging method. Throughout the injection course of, the shellcode is dropped into a short lived file, utilizing the prefix TH in its filename, inside the %TEMP% listing.
Because the final step, the loader proceeds to decrypt and execute DriverLoader, a kernel driver hidden contained in the beforehand dropped KX1B5206BDC1743DD.dat file. DriverLoader is first decrypted, then the decrypted contents are saved to C:WindowsSystem32driversfsdiskbit.sys. To execute it, the loader installs this driver as a minifilter driver by manually creating a brand new service registry key named msidiskserver with an ImagePath worth pointing to the dropped driver (as proven in Determine 6) and invokes the NtLoadDriver Home windows API perform with the registry key because the parameter to load it. If no errors are detected, the loader deletes each the msidiskserver registry key and the fsdiskbit.sys file. After this, the loader is finished and exits.
DriverLoader driver
Earlier than leaping to DriverLoader’s performance, one essential notice: with the discharge of Home windows Vista, Microsoft launched driver signature enforcement (DSE), a function guaranteeing that solely validly signed kernel-mode parts are allowed to be executed within the Home windows kernel. Which means to execute the fsdiskbit.sys driver (DriverLoader), attackers must signal it with a trusted certificates.
To make the driving force work on no less than some outdated or misconfigured programs, the attackers used a leaked certificates accessible on GitHub within the PastDSE venture repository, and signed the fsdiskbit.sys driver with it. Details about the certificates used will be present in Determine 7.
Now to the performance. The aim of this element is kind of easy: to load one other driver, this time in reminiscence solely. First, it reads and decrypts the contents of the C:WindowsFontsKW1B5206BDC1743FP.dat file, beforehand created by the loader. It makes use of the identical algorithm and key as utilized by the loader: 128-bit AES in ECB mode with the important thing uXQLESMXGaRMs6BL. The decrypted knowledge incorporates a local PE binary (described within the RawWNPF driver part), which is then manually mapped and its entry level executed.
There’s the PDB path embedded within the DriverLoader binary:
C:UsersxddDesktop今天2023-4-112023‑04‑10__注册表驱动加载功能__集成到内测3中-未完成DriverMemoryLoadDriverx64ReleaseDriverMemoryLoadDriver.pdb
The components in simplified Chinese language machine translate as:
- 今天: At this time
- 注册表驱动加载功能__集成到内测3中-未完成: Registry driver loading function__is built-in into inner beta 3-not accomplished
As we are able to see within the symbols path, this element appears to have been in growth no less than since April 2023, which aligns with DriverLoader’s compilation timestamp. Equally, strings within the path recommend that the venture this driver is a part of was seemingly nonetheless in growth when the driving force was compiled.
RawWNPF driver
The RawWNPF driver is the element that makes the WIN_DRV model of the SprySOCKS backdoor a lot stealthier when in comparison with the WIN_PLUS variant. It permits hiding the backdoor’s malicious exercise on the compromised system, and will be configured by invoking the driving force’s customized I/O management codes (IOCTLs). The motive force creates a tool driver named DeviceRawWNPF; a listing of the accessible IOCTLs, with brief descriptions, is proven in Desk 1.
Desk 1. Record of IOCTLs dealt with by the RawWNPF driver
| IOCTL | Description |
| 0x220200 | Configure the driving force to cover lively community connections to and from the desired native TCP port. |
| 0x220300 | Unhide the community connections configured with 0x220200. |
| 0x220340 | Insert an entry into the hidden connections listing. |
| 0x220344 | Take away an entry from the hidden connections listing. |
| 0x220348 | Wipe the entire hidden connections listing. |
| 0x22034C | Learn the hidden connections listing. |
| 0x220350 | Insert a course of with a specified PID into the hidden processes listing. |
| 0x220354 | Take away a course of with a specified PID from the hidden processes listing. |
| 0x220358 | Wipe the entire hidden processes listing. |
| 0x22035C | Learn the hidden processes listing. |
| 0x222000 | Initialize the driving force’s important capabilities (hiding community connections, hiding processes, hiding malware parts, community filters, persistence safety). After this initialization, different IOCTLs can be utilized to configure what precisely needs to be hidden. |
| 0x222004 | Returns two hardcoded DWORD values: 1 and 2. This presumably might be the driving force’s model. |
| 0x222008 | Delete the driving force’s binary (if it exists). |
Hiding specified processes
The RawWNPF driver will be configured to cover processes primarily based on their course of IDs, and a listing of hidden processes will be managed by invoking the driving force’s IOCTLs 0x220358, 0x22035C, 0x220354, and 0x220350. To cover a course of, the driving force hooks execution of the NtQuerySystemInformation system name and modifies its output if details about working processes is being retrieved (i.e., if SystemProcessInformation is handed to the SystemInformationClass parameter). If any of the processes retrieved by this API perform match a course of from the driving force’s listing of hidden processes, the driving force removes this course of from the perform’s output. The way in which the kernel driver hooks the NtQuerySystemInformation system name appears to be closely primarily based on supply code from the InfinityHookPro venture.
Hiding community exercise
The motive force will be configured to cover particular lively connections (with a specified IP, port, or mixture of each) in order that they received’t be listed within the output of frequent community administration instruments akin to netstat.exe. That is achieved by a widely known method (e.g., [1], [2], [3], … ), the place attackers hook IoCompletionRoutine for IOCTL 0x12001B contained in the DeviceIoControl perform of the nsiproxy.sys Home windows kernel driver. The code inside nsiproxy’s 0x12001B IOCTL handler is accountable for retrieving the listing of lively connections, and hooking its IoCompletionRoutine permits attackers to stroll by way of the retrieved listing, verify for the presence of particular ports, addresses, or each, and conceal the particular connection within the listing if a match is discovered. Determine 8 exhibits the hook perform accountable for hiding community connections.
Along with the hiding of lively community connections, the driving force incorporates an fascinating performance permitting it to divert TCP packets acquired on any open TCP port, to the desired TCP port configured by the IOCTL 0x220200 (it’s truly the port of the SprySOCKS backdoor’s TCP server), however solely within the case that the TCP knowledge acquired incorporates specifically crafted knowledge. To attain this, the driving force registers its personal packet filter objects utilizing Home windows Filtering Platform (WFP) API capabilities, manually parses contents of transferred IPv4 packets (each inbound and outbound site visitors is inspected), and proceeds to divert the site visitors if the specifically crafted knowledge is detected inside a acquired TCP packet knowledge. The aim of this function appears to be primarily a functionality to contact the malicious backdoor with out the necessity to embed a C&C tackle contained in the binary. Moreover, despite the fact that such diverted site visitors will be inspected utilizing instruments akin to Wireshark, the actual port (the one the site visitors is diverted to) is just not revealed; thus it may be tough to analyze the actual vacation spot for this malicious site visitors.
Put in packet filters, together with their figuring out data, are listed in Desk 2.
Desk 2. WFP filter objects registered by the RawWNPF driver
| Filter layer identify | Filter object identify and GUID | Filter object callout identify and GUID |
| Inbound IP Packet v4 Layer | Supply Optimization (TCP-In) {E980088D-BE44-4057-8E5C-C7FDF8968795} |
COInbound {DE0D7F67-94ED-4DDB-8215-9C028B54661B} |
| Outbound IP Packer v4 Layer | Supply Optimization (TCP-Out) {33F76397-DBCB-445E-8EC3-AA51ED302D15} |
COOutbound {8280DDF3-7489‑4402-B9D8-96B50912346B} |
| ALE Join v4 Layer | Supply Optimization (TCP-In) {5746AF70-2917‑4861-97E6-D5E4DD569F2D} |
COAuthConnect {A33E1AA8-9B0F-44A3-B24A-AEB04CA54C3B} |
| ALE Hear v4 Layer | Supply Optimization (TCP-In) {7CB4DFB4-0D20-402D-A49D-BA9660D026E6} |
COAuthListen {40045FAF-6BAE-4B48-9119‑31B48FFEA629} |
| ALE Obtain/Settle for v4 Layer | Supply Optimization (TCP-In) {2C1AB6EF-0B65-4634‑8666-BCB2CF9C72E9} |
COAuthAccept {DDFE5189‑389F-437F-9B92-59495ED2181A} |
| ALE ResourceAssignment v4 Layer | Supply Optimization (TCP-In) {B4AE248F-98D5-446F-88EB-14CF605AE722} |
COAuthResAssignment {FE570356-A1A9-413C-94CC-BD6C448E9969} |
Hiding the backdoor’s recordsdata
The motive force hides/protects the SprySOCKS backdoor’s recordsdata by registering itself as a minifilter driver, and putting in the next callbacks:
- pre-operation callback triggered on each IRP_MJ_CREATE I/O request and accountable for returning STATUS_NO_SUCH_FILE on each try and create or open a file or a listing from the driving force’s listing of hidden/protected recordsdata,
- pre-operation callback triggered on each IRP_MJ_DIRECTORY_CONTROL I/O request and accountable for filtering out non-directory-enumeration associated requests, in order that solely those associated to listing enumeration are handed to the post-operation callback, and
- post-operation callback triggered on IRP_MJ_DIRECTORY_CONTROL I/O requests that handed pre-operation callback checks. This callback is accountable for eradicating entries of hidden/protected recordsdata from any listing itemizing makes an attempt.
The next hardcoded listing of filenames are protected by the driving force:
- SystemRootFontstpsvc.dll
- SystemRootFontstpsvcloc.dll
- SystemRootFontsApphostRagistreationVerifier.exe
- SystemRootFontsX1B5206BDC1743DD.dat
- SystemRootFontsKX1B5206BDC1743DD.dat
- SystemRootFontsKW1B5206BDC1743FP.dat
Defending persistence
The motive force calls CmRegisterCallbackEx to put in a RegistryCallback routine accountable for hiding the registry key used for the SprySOCKS loader’s persistence: HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exe. Because of this, all makes an attempt to open or enumerate the important thing are filtered out by the driving force.
WIN_PLUS parts
Within the SprySOCKS WIN_PLUS model, we first found the malicious encrypted container in our telemetry, with the primary hit courting again to July 2024 discovered on the gadget of a sufferer in Pakistan. It contained the SprySOCKS backdoor and the SprySOCKS loader. The C&C configuration was current and is proven in Determine 9.
The encrypted container was situated on the following path on the compromised system:
C:WindowsSystem32spooldriverscolorconfig.dat
When decrypted, the container incorporates a SprySOCKS loader and the SprySOCKS backdoor itself. Additional evaluation of the SprySOCKS backdoor from the container confirmed that, on this case, there appeared to be a further element accountable for loading the SprySOCKS loader from the encrypted container. This element – referenced to because the first-stage loader on this evaluation – needs to be put in as a print processor beneath the next registry key:
HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsVSPMsg
Apparently, after we searched our telemetry for something associated to this VSPMsg string, we found a file deployed on two completely different sufferer units from Honduras at C:WindowsSystem32spoolprtprocsx64VSPMsg.dll. This file turned out to be the first-stage loader accountable for executing the SprySOCKS loader from the aforementioned config.dat file.
An execution diagram of the SprySOCKS WIN_PLUS variant is illustrated in Determine 10.
First-stage loader
This loader begins by checking whether or not it was executed by spoolsv.exe, and exits if not; this hides its conduct from automated malware evaluation sandboxes, because the loader is meant to be run as a print processor. It continues decrypting the SprySOCKS loader from the encrypted container C:WindowsSystem32spooldriverscolorconfig.dat. First it 128-bit AES-ECB decrypts the loader with the hardcoded key uXQLESMXGaRMs6BL, then injects it into the newly created svchost.exe course of through course of doppelgänging. In the meantime, the SprySOCKS loader is dropped into a short lived file, with a filename prefix of TH, inside the %TEMP% listing.
The pattern exports two capabilities:
- GetErrorMessageModule
- SetErrorMessageModule
Whereas the SetErrorMessageModule perform doesn’t do something, the GetErrorMessageModule perform is supposed for use to set persistence for the loader itself. When executed, it registers the loader as a print processor by creating the HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsVSPMsg registry key, setting the Driver registry worth to VSPMsg.dll, and copying the hardcoded C:ProgramDataMicrosoft EventPFsVSPMsg.dll to the C:WindowsSystem32spoolprtprocsx64 listing. As the subsequent step, it copies the encrypted container from C:ProgramDataMicrosoft EventPFsconfig.dat to C:WindowsSystem32spooldriverscolorconfig.dat and, when accomplished, it generates and drops the affair-build.bat batch script into the C:WindowsSystem32spooldriverscolor listing and executes it. As proven in Determine 11, this script’s goal is to cowl the loader’s tracks by eradicating the recordsdata within the unique deployment listing, and triggering execution of the newly put in print processor by restarting the print spooler service.
SprySOCKS loader
This loader begins by making a mutex with the hardcoded identify fqwhi2d1qaz2, after which proceeds to loading the SprySOCKS backdoor from the encrypted container situated at C:WindowsSystem32spooldriverscolorconfig.dat. It 128-bit AES-ECB decrypts the backdoor with the hardcoded key uXQLESMXGaRMs6BL, then injects it into the newly created svchost.exe course of through course of doppelgänging. In the meantime, the SprySOCKS loader is dropped into a short lived file, with a filename prefix of TH, inside the %TEMP% listing.
SprySOCKS backdoor
Lastly, we proceed to our evaluation of the SprySOCKS backdoor itself. In each variants, WIN_DRV and WIN_PLUS, the backdoor performance is sort of the identical, and the variations are solely within the particular file paths used, registry keys used, and as already talked about, the WIN_PLUS model doesn’t use the RawWNPF driver for superior stealthiness.
Each variants analyzed on this report are DLLs with the unique identify PrcsServer.dll, exporting a perform named Cease. They create a mutex named prcs-server-run at first and proper after that proceed to the initialization of the backdoor’s important performance, which incorporates initialization and launching of C&C communication channels (primarily based on the hardcoded configuration) and organising the keylogger. Along with these actions, the WIN_DRV backdoor model initializes the RawWNPF driver by invoking its 0x222000 IOCTL handler, after which hides its personal course of by invoking the driving force’s 0x220350 IOCTL.
Keylogging is activated provided that there may be an current INI file at %appdatapercentMicrosoftVaultlgf.dat that incorporates a config part with a property named key that’s set to 1. If these circumstances are met, each backdoors create a mutex named World{DCAA7ED8-521B-4EAB-BE21-65254CF59239} and periodically log clipboard knowledge together with the lively window title and keystrokes into the file %appdatapercentMicrosoftVaultlg.dat. The information within the file is encrypted utilizing a single-byte XOR cipher with the important thing 0x44.
C&C communication
The backdoor helps three protocols for communication with the C&C – TCP, UDP, and WebSocket – and may act as each shopper and server. The networking-related performance is closely primarily based on the HP-Socket networking framework, and a few cryptography capabilities had been applied utilizing the Crypto++ library.
The C&C configuration is embedded within the backdoor, and may include:
- as much as three IP addresses and related ports, every specifying a C&C IP tackle and its port for one of many communication channels (TCP, UDP, or WebSocket), and
- as much as three port numbers, every specifying a port the backdoor ought to pay attention on for brand spanking new connections. One is used for a TCP server, one for a UDP server, and one for a WebSocket server.
An instance configuration from the WIN_PLUS model is proven in Determine 9 and it incorporates:
- The C&C tackle and port for the TCP communication channel: 207.148.78[.]36:443.
- The C&C tackle and port for the UDP communication channel: 207.148.78[.]36:53.
- The C&C tackle and port for the WebSocket communication channel: 207.148.78[.]36:80.
- The backdoor’s TCP server listening port: 53781.
Earlier than initiating any connections or beginning a server, the SprySOCKS WIN_DRV model hides any connections from/to the addresses or ports from the configuration by invoking the RawWNPF driver’s IOCTLs 0x220340 and 0x220200. Because of this, these connections received’t be listed in output of instruments akin to netstat.exe, regardless of being lively. As well as, each backdoor variations execute the netsh.exe utility twice:
netsh.exe netsh advfirewall firewall delete rule identify=”Core Networking – Packet Too Huge(ICMPv6 – In)”
netsh advfirewall firewall add rule identify=”Core Networking – Packet Too Huge(ICMPv6 – In)” dir=in motion=enable protocol=tcp localport=53781
The primary command deletes a specified firewall rule, and the second provides a brand new firewall rule of the identical identify because the one simply deleted, permitting all inbound TCP site visitors despatched to the backdoor’s TCP server port specified within the configuration.
If the C&C configuration is empty (as within the case of the WIN_DRV model we found on VirusTotal), the backdoor begins a TCP server that listens on a random port on the compromised machine and in addition hides this port by invoking the RawWNPF driver’s IOCTL 0x220200. This invocation not solely hides the TCP server from being listed in customary networking instruments’ output, but in addition prompts the TCP-diverting function supplied by the RawWNPF driver. This function permits attackers to ship instructions to the backdoor with out realizing the actual port the backdoor listens on, just by sending specifically crafted TCP knowledge to any open TCP port on the sufferer’s machine.
For the TCP communication channel, the C&C protocol appears to stay the identical as within the Linux model analyzed in Development Micro’s report. Every time earlier than sending the precise backdoor’s knowledge, it sends a 12-byte header containing the 32-bit CRC of the remainder of the header, a DWORD magic worth 0xACACBCBC, and a DWORD specifying the scale of the info that follows the header.
For the UDP and WebSocket channels, the magic values are completely different, and so are the message header format and measurement. For the UDP channel, the magic worth is 0xACACBFBC and it’s situated at offset 0x1C in a 36-byte header, adopted by a DWORD specifying the scale of the info that follows. Within the WebSocket channel, the magic worth 0x1BDCCBAA is used as a Masking-Key within the WebSocket header. Determine 12 exhibits a community site visitors seize with the magic values for every of the communication channels.
Following the header is, once more, a 32-bit CRC, then the WORD worth 0x0003 (seemingly indicating the encryption methodology), adopted by 128-bit AES-ECB mode encrypted knowledge (utilizing the hardcoded key QFTHEYjzX3RBOMgZ) that has been base64 encoded.
An instance of a C&C message earlier than and after decoding and decryption is proven in Determine 13.
The __msgid worth within the decrypted C&C message is used to specify a command, recognized by a message ID, that needs to be executed by the backdoor. The listing of message IDs supported by the backdoor, together with their description, will be present in Desk 3. Observe that we haven’t analyzed all these instructions in depth; due to this fact, some descriptions are only a tough overview of the a part of the code/performance the message ID is expounded to.
Desk 3. SprySOCKS C&C instructions; descriptions marked with * are tentative assessments
| Message ID | Description |
| 0x09 | Acquire shopper (sufferer) system data, together with: laptop identify, OS model, community adapter data, details about reminiscence, CPU data, present privileges, system language and model, present time, and the backdoor model (1.8) and model sort (WIN_DRV or WIN_PLUS). |
| 0x0A | Begin an interactive console. |
| 0x0B | Write into the interactive console. |
| 0x0D | Cease the interactive console. |
| 0x0E | Specify a further communication channel (don’t begin the channel). Prone to specify a further backup C&C. |
| 0x0F | Ship C&C message to a distinct goal.* |
| 0x11 | Enumerate all processes. |
| 0x12 | Enumerate modules of a course of specified by a PID. |
| 0x13 | Terminate a course of specified by a PID. |
| 0x14 | Shut all connections. |
| 0x16 | Get present communication channel data. |
| 0x17 | Specify further communication channels (TCP, UDP, or WebSocket) and begin them. |
| 0x19 | Uninstall the backdoor and exit. |
| 0x1E | Enumerate all companies. |
| 0x1F | Configure StartType for a specified service. |
| 0x20 | Begin companies with a specified identify. |
| 0x21 | Invoke the ControlService perform with a specified dwControl parameter. |
| 0x22 | Delete a specified service from the service supervisor. This doesn’t cease the service if it’s working. |
| 0x23 | Initialize SOCKS proxy. |
| 0x24 | Terminate SOCKS proxy.* |
| 0x25 | Ship knowledge by way of SOCKS proxy. |
| 0x26 | SOCKS proxy-related command.* |
| 0x2A | Add a specified file.* |
| 0x2B | File-transfer-related helper command.* |
| 0x2C | Obtain a specified file.* |
| 0x2D | File-transfer-related helper command.* |
| 0x3C | Enumerate free disk house. |
| 0x3D | Record recordsdata within the specified listing. |
| 0x3E | Delete a specified file. |
| 0x3F | Create a specified listing. |
| 0x40 | Rename a specified file. |
| 0x41 | Execute an current file. |
| 0x42 | Copy a specified file. |
| 0x43 | Record recordsdata from the Latest Home windows directories for the logged-in person: %APPDATApercentMicrosoftWindowsRecent %APPDATApercentMicrosoftOfficeRecent |
Community infrastructure
Just one C&C tackle has been found on this marketing campaign: 207.148.78[.]36, hardcoded within the configuration (proven in Determine 9) of the WIN_PLUS variant of the SprySOCKS backdoor.
Ports from the configuration that needs to be utilized by the backdoor to speak with the C&C:
- TCP: 443
- UDP: 53
- WebSocket: 80
As talked about in Development Micro’s report, the IP tackle 207.148.75[.]122, from the identical IP vary 207.148.64.0/20 because the C&C above, was utilized by FishMonger operators as a SprySOCKS supply server in June 2023. This IP vary belongs to the Vultr cloud internet hosting supplier.
Conclusion
The invention of a Home windows variant of SprySOCKS, beforehand often called Linux-only backdoor, represents a significant enlargement of FishMonger’s cross-platform capabilities. Our evaluation exhibits that the Home windows port retains many of the core structure of its Linux predecessor – together with the C&C protocol, encryption used, and total command dealing with logic – whereas substituting Home windows-native mechanisms the place required and bettering the stealthiness of the backdoor by bringing the kernel drivers to the sport. Contemplating the restricted indications of attainable UEFI bootkit involvement, we advise everybody to maintain a detailed eye on the group’s actions.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis provides non-public APT intelligence studies and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
Recordsdata
| SHA‑1 | Filename | Detection | Description |
| 955BFC3DCC867256F9F4 |
KX1B5206BDC |
Win64/SprySOCKS.A | Encrypted SprySOCKS DriverLoader driver. |
| 44DC4A08C5EB0972C8E1 |
bthcam.sys | Win64/Agent.ESB | SprySOCKS DriverLoader driver. |
| AB87B29B6F79487C75CA |
KW1B5206BDC |
Win64/SprySOCKS.A | Encrypted SprySOCKS RawWNPF driver. |
| 6490B8E4AADE25A3EE2D |
X1B5206BDC1 |
Win64/SprySOCKS.A | Encrypted container of the encrypted WIN_DRV variant of SprySOCKS backdoor, encrypted SprySOCKS RawWNPF and SprySOCKS DriverLoader drivers. |
| E7484C24B88A1A2407A8 |
klelam00007 |
Win64/Agent.CXZ Win64/SprySOCKS.A BAT/Runner.KS |
ZIP archive from VirusTotal containing the WIN_DRV variant of SprySOCKS, together with all of the backdoor’s parts; clear binaries used for side-loading are included. |
| 621D1952839BE4B0A1B0 |
tpsvcloc.dll | Win64/Agent.CXZ | SprySOCKS loader. |
| 2457EED2AB28E37741F1 |
VSPMsg.dll | Win64/Agent.CXZ | First-stage loader accountable for launching the SprySOCKS loader. |
| D2C706B1EAF662BF0CE1 |
N/A | Win64/SprySOCKS.A | WIN_PLUS variant of the SprySOCKS backdoor. |
| 5F3B87CEF56683D9A9E1 |
N/A | Win64/Agent.CXZ | SprySOCKS loader. |
| C793CA31E3F6628B5C89 |
config.dat | Win64/SprySOCKS.A | Encrypted container of the WIN_PLUS variant of the SprySOCKS backdoor and its loader. |
| 037DB2445F3D72388CB2 |
N/A | BAT/Runner.KS | Batch script that persists the WIN_DRV variant of SprySOCKS. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
| 207.148.78[.]36 | N/A | IRT‑CHOOPALLC‑AP | N/A | C&C IP hardcoded within the SprySOCKS backdoor (WIN_PLUS variant). |
MITRE ATT&CK strategies
This desk was constructed utilizing model 19 of the MITRE ATT&CK framework.
| Tactic | ID | Identify | Description |
| Reconnaissance | T1592.004 | Collect Sufferer Host Info: Consumer Configurations | SprySOCKS can gather details about the compromised gadget, together with: laptop identify, OS model, details about reminiscence and CPU, present privileges, system language and model, present time, and extra. |
| T1590.005 | Collect Sufferer Community Info: IP Addresses | SprySOCKS can gather details about the compromised gadget, together with details about community interfaces and assigned IP addresses. | |
| Useful resource Improvement | T1587.001 | Develop Capabilities: Malware | FishMonger has developed customized malware for its operations, together with the SprySOCKS backdoor. |
| Execution | T1059.003 | Command and Scripting Interpreter: Home windows Command Shell | SprySOCKS can launch an interactive cmd.exe command shell, which permits the attackers to execute instructions remotely on the compromised machine. |
| T1053.005 | Scheduled Process/Job: Scheduled Process | SprySOCKS makes use of a scheduled process to execute its loader on system begin. | |
| T1569.002 | System Providers: Service Execution | SprySOCKS abuses system companies for each one-time and chronic execution. | |
| T1106 | Native API | FishMonger has used Home windows APIs to execute code inside a sufferer’s system. | |
| Persistence | T1547.012 | Boot or Logon Autostart Execution: Print Processors | To attain persistence, FishMonger installs its malicious loader as a print processor. |
| Privilege Escalation | T1546.012 | Occasion Triggered Execution: Picture File Execution Choices Injection | SprySOCKS can set up itself as a debugger for the Digital Disk Service by modifying HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exedebugger. |
| Stealth | T1205.002 | Visitors Signaling: Socket Filters | SprySOCKS makes use of the RawWNPF kernel driver to put in packet filters able to redirecting any inbound TCP site visitors to the configured native port if a particular magic worth is detected within the packet. |
| T1134.002 | Entry Token Manipulation: Create Course of with Token | FishMonger makes use of CreateProcessAsUser to execute a brand new course of with a token obtained from the print spooler service. | |
| T1622 | Debugger Evasion | SprySOCK’s RawWNPF driver makes use of the KdDisableDebugger perform to disable the kernel debugger, if lively. | |
| T1140 | Deobfuscate/Decode Recordsdata or Info | SprySOCKS loader decrypts the SprySOCKS backdoor from an encrypted file. Moreover, many of the strings within the SprySOCKS parts are encrypted. | |
| T1070.004 | Indicator Removing: File Deletion | The SprySOCKS loader removes unique recordsdata from the deployment listing after copying them and organising persistence. | |
| T1070.009 | Indicator Removing: Clear Persistence | SprySOCKS loader removes a service registry worth related to the beforehand put in malicious minifilter driver after executing the driving force. | |
| T1027.007 | Obfuscated Recordsdata or Info: Dynamic API Decision | SprySOCKS parts use dynamic API decision. | |
| T1027.013 | Obfuscated Recordsdata or Info: Encrypted/Encoded File | SprySOCKS parts are saved in an AES-encrypted file on the sufferer’s drive. | |
| T1055.013 | Course of Injection: Course of Doppelgänging | The SprySOCKS loader makes use of course of doppelgänging to inject the backdoor into the svchost.exe course of. | |
| T1014 | Rootkit | FishMonger makes use of the RawWNPF kernel driver, which serves as a rootkit accountable for hiding the SprySOCKS malicious exercise. | |
| T1497 | Virtualization/Sandbox Evasion | SprySOCKS makes use of a number of anti-emulation strategies to stop automated evaluation by emulators or sandboxes. | |
| T1574.002 | Hijack Execution Circulate: DLL Aspect-Loading | FishMonger makes use of DLL side-loading to execute the SprySOCKS backdoor. | |
| Protection Impairment | T1562.004 | Disable or Modify System Firewall | SprySOCKS provides a firewall rule permitting any inbound site visitors despatched to the backdoor’s listening port. |
| Discovery | T1010 | Software Window Discovery | SprySOCKS retrieves the lively foreground window identify as part of its keylogging performance. |
| T1083 | File and Listing Discovery | SprySOCKS can acquire file and listing listings from the compromised system. | |
| T1518.001 | Software program Discovery: Safety Software program Discovery | SprySOCKS parts verify for the presence of safety and sandboxing product libraries (snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, SbieDll.dll, and cmdvrt32.dll) in their very own processes. | |
| T1082 | System Info Discovery | SprySOCKS can gather details about the compromised gadget, together with: laptop identify, OS model, details about reminiscence and CPU, present privileges, system language and model, present time, and extra. | |
| T1614.001 | System Location Discovery: System Language Discovery | SprySOCKS can gather details about the compromised gadget, together with system language. | |
| T1007 | System Service Discovery | SprySOCKS can enumerate all companies on the system. | |
| T1124 | System Time Discovery | SprySOCKS can gather details about the compromised gadget, together with present system time. | |
| Assortment | T1056.001 | Enter Seize: Keylogging | SprySOCKS implements a keylogger. |
| T1115 | Clipboard Knowledge | SprySOCKS logs clipboard knowledge, together with the captured keystrokes, as part of its keylogging performance. | |
| Command and Management | T1132.001 | Knowledge Encoding: Commonplace Encoding | SprySOCKS makes use of base64 encoding in its customized C&C communication protocol. |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | SprySOCKS encrypts knowledge despatched to, and decrypts knowledge acquired from, the C&C with 128-bit AES. | |
| T1008 | Fallback Channels | Along with the TCP communication channel, SprySOCKS can contact its C&C utilizing UDP and WebSocket channels. | |
| T1665 | Conceal Infrastructure | SprySOCKS’s RawWNPF driver hides the backdoor’s lively connections from being enumerated when utilizing community instruments akin to netstat.exe. | |
| T1571 | Non-Commonplace Port | SprySOCKS makes use of nonstandard ports to speak with the C&C. | |
| T1095 | Non-Software Layer Protocol | SprySOCKS makes use of nonstandard protocols to speak with the C&C. | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | SprySOCKS can add varied recordsdata from the compromised system to the C&C. |







