www.welivesecurity.com
FishMonger Expands SprySOCKS Malware to Windows with Kernel-Level Stealth
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
ESET researchers have identified two new Windows variants of the SprySOCKS backdoor, previously exclusive to Linux, attributed to the Chinese cyberespionage group FishMonger. The variants, labeled WIN_DRV and WIN_PLUS, were active between 2023 and 2024 and targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan. The WIN_DRV variant employs kernel drivers for advanced stealth, allowing it to conceal its presence by hiding network connections, processes, and files. Both variants support over 30 command-and-control (C&C) commands and can communicate via TCP, UDP, and WebSocket protocols. There are indications that some attacks may involve a UEFI bootkit component, potentially exploiting CVE-2023-24932. The discovery highlights the evolving capabilities of FishMonger, which has previously targeted various sectors, including education and government. ESET advises organizations to monitor for signs of these new threats.
Key Points: • FishMonger has developed Windows variants of the SprySOCKS backdoor, targeting government entities. • The WIN_DRV variant utilizes kernel drivers for stealth, hiding processes and network activity. • ESET telemetry indicates the malware was active in 2023 and 2024, with potential UEFI bootkit involvement.