www.welivesecurity.com
FishMonger Expands SprySOCKS Malware to Windows, Targeting Government Entities
ESET researchers have identified two new Windows variants of the SprySOCKS backdoor, known as WIN_DRV and WIN_PLUS, attributed to the Chinese cyberespionage group FishMonger. These variants were discovered in malware samples uploaded to VirusTotal in April 2024 and show activity targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WIN_DRV variant features advanced kernel-level capabilities for stealth, allowing it to hide processes, files, and network connections, while both variants support over 30 command-and-control (C&C) commands. There are indications that some attack scenarios may involve a UEFI bootkit component exploiting CVE-2023-24932, a vulnerability published on May 9, 2023. ESET's findings highlight the group's ongoing evolution and the need for heightened vigilance among targeted organizations.
Key Points:
• FishMonger has developed two Windows variants of SprySOCKS, targeting government entities.
• The malware employs kernel-level techniques for stealth, hiding its presence from detection tools.
• Limited indications suggest potential exploitation of CVE-2023-24932 in some attack scenarios.