The China-aligned threat actor FishMonger has significantly expanded its operational reach by porting its SprySOCKS backdoor from Linux to Windows. This evolution introduces two specialized Windows-native variants: WIN_DRV, which utilizes a kernel-level rootkit for advanced activity concealment, and WIN_PLUS, which implements Windows-native persistence mechanisms. By leveraging kernel-mode drivers, the group aims to bypass traditional Endpoint Detection and Response (EDR) and Antivirus (AV) software. The malware employs hard-coded Command and Control (C2) configurations over TCP and UDP protocols, facilitating long-term, stealthy espionage and persistent access within targeted enterprise Windows infrastructures.

  • Campaign Overview: Cross-Platform Expansion

    • Transition from Linux-only targeting to a dual-platform operational capability.
    • Strategic shift toward infiltrating Windows-based enterprise environments.
    • Expansion of the SprySOCKS toolkit to support diverse operating systems.
  • Technical Mechanics: SprySOCKS Windows Variants

    • WIN_DRV: Employs kernel-level rootkits to facilitate process and network concealment.
    • WIN_PLUS: Utilizes native Windows persistence mechanisms to maintain long-term access.
    • Communication via hard-coded C2 configurations using TCP and UDP protocols.
  • Evasion & Detection Challenges

    • Abuse of kernel drivers to subvert security hooks and bypass EDR/AV tools.
    • High difficulty in detection due to kernel-mode stealth integration.
    • Concealment of malicious activity within the host operating system's architecture.
  • Threat Group Profile: FishMonger

    • Identified as a sophisticated, China-aligned cyberespionage entity.
    • Strategic focus on long-term espionage and persistent access.
    • Demonstrated capability in cross-platform malware development.
  • Defensive Actions & Mitigation

    • Prioritize kernel-level monitoring to detect unauthorized driver loading.
    • Monitor for anomalous TCP/UDP traffic directed at hard-coded C2 addresses.
    • Implement robust endpoint protection focused on kernel-mode integrity.
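
An added example, not from the briefing or any of the linked reports, of the kernel-level monitoring the last section recommends: a PowerShell triage script that lists recently installed kernel-mode driver services (Service Control Manager event 7045) and currently loaded drivers whose Authenticode signature does not verify. It assumes an elevated session on the Windows host being checked; the seven-day look-back is a constructed default.

```powershell
# Added example; assumes an elevated PowerShell session on the host under review.
function Get-RecentDriverInstalls {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # constructed default window
    # Event 7045 ("A service was installed in the system") is logged for every new
    # service, including driver services; ServiceType distinguishes kernel drivers.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $d['ServiceName']
                ImagePath   = $d['ImagePath']
                ServiceType = $d['ServiceType']
                StartType   = $d['StartType']
            }
        } | Where-Object { $_.ServiceType -like '*kernel*' }
}

function Get-UnverifiedLoadedDrivers {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry \??\ or \SystemRoot\ prefixes, or be relative to %SystemRoot%.
            $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
            if (Test-Path -LiteralPath $p) {
                $sig = Get-AuthenticodeSignature -FilePath $p
                [pscustomobject]@{ Name = $_.Name; Path = $p; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
            } else {
                # Image missing on disk while the driver is running: deleted after load or hidden; triage it.
                [pscustomobject]@{ Name = $_.Name; Path = $p; Status = 'FileNotFound'; Signer = $null }
            }
        } | Where-Object { $_.Status -ne 'Valid' }
}

# Catalog-signed inbox drivers can show as NotSigned on some builds, so treat the
# output as a triage list to reconcile against a known-good baseline, not a verdict.
Get-RecentDriverInstalls   | Format-Table -AutoSize
Get-UnverifiedLoadedDrivers | Format-Table -AutoSize
```

Pair the 7045 query with Sysmon event 6 (driver loaded) where Sysmon is deployed, since a driver loaded without a corresponding service install is itself worth investigating.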

Related posts

  1. cyberinsider.com — ESET discovers Windows SprySOCKS variant with rootkit capabilities
  2. feeds.feedburner.com — China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
  3. Dark Reading — SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection