The China-aligned threat actor FishMonger has extended its SprySOCKS backdoor, previously seen only on Linux, to Windows. Two Windows-native variants are described: WIN_DRV, which ships a kernel-mode driver that acts as a rootkit to hide the implant's processes and network activity, and WIN_PLUS, which relies on Windows-native persistence mechanisms instead of a driver. The kernel-mode component is intended to defeat the hooks and telemetry that Endpoint Detection and Response (EDR) and antivirus (AV) products depend on. The malware carries hard-coded Command and Control (C2) configurations and communicates over TCP and UDP, consistent with the group's goal of long-term, low-noise espionage and persistent access inside enterprise Windows environments.
Campaign Overview: Cross-Platform Expansion
- Transition from Linux-only targeting to a dual-platform operational capability.
- Strategic shift toward infiltrating Windows-based enterprise environments.
- Expansion of the SprySOCKS toolkit from a Linux-only backdoor to one that now covers both Linux and Windows.
Technical Mechanics: SprySOCKS Windows Variants
- WIN_DRV: Loads a kernel-mode driver that acts as a rootkit, hiding the backdoor's processes and network connections from the host.
- WIN_PLUS: Utilizes native Windows persistence mechanisms to maintain long-term access.
- Communication via hard-coded C2 configurations using TCP and UDP protocols.
Evasion & Detection Challenges
- Abuse of a kernel-mode driver to subvert the hooks and callbacks that EDR/AV products install, so their telemetry never sees the implant.
- Kernel-mode code runs at the same privilege level as the security products themselves; nothing on the host runs with more authority to catch it.
- User-mode tools that ask the operating system for process lists, open sockets or loaded modules can be lied to by the rootkit, so the activity is only reliably visible from outside the compromised kernel's view (network taps, memory forensics, hypervisor-backed telemetry).
Threat Group Profile: FishMonger
- Identified as a sophisticated, China-aligned cyberespionage entity.
- Strategic focus on long-term espionage and persistent access.
- Demonstrated capability in cross-platform malware development.
Defensive Actions & Mitigation
- Monitor driver loads and kernel-driver service installs (for example Sysmon Event ID 6 and System log Event ID 7045) and baseline the drivers expected on each host, so an unexpected or non-Microsoft-signed driver stands out.
- Watch outbound TCP and UDP connections for destinations outside the environment's baseline; because the C2 configuration is hard-coded, a recovered sample yields static network indicators, but collect that telemetry off-host (firewall, NetFlow, taps) since a kernel rootkit can hide sockets from host tools.
- Harden kernel-mode integrity: keep Driver Signature Enforcement on, enable HVCI (memory integrity), and deploy Microsoft's vulnerable driver blocklist or a WDAC driver policy so unsigned or known-bad drivers cannot load in the first place.
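The driver-monitoring step above, as an added example that is not code from ESET's research or from any SprySOCKS sample. It triages a Windows host in three passes: running drivers whose image is unsigned, not Microsoft-signed or in an unusual path; recent kernel-mode driver service installs from the System log (Event ID 7045); and Sysmon driver-load events (Event ID 6) whose signature is missing, invalid or not Microsoft's. It assumes an elevated Windows PowerShell 5.1 or later session and, if Sysmon is installed, its default event channel. The 30-day window and the Microsoft-only signer check are illustrative starting points chosen here, not values from the report.

```powershell
# Added example, not code from ESET's research or from any SprySOCKS sample.
# Hunts for kernel-mode drivers that do not look like they belong on a Windows host:
#   1. running drivers whose image is unsigned, not Microsoft-signed, or in an odd path
#   2. recent kernel-driver service installs (System log, Event ID 7045)
#   3. Sysmon driver-load events (Event ID 6) with a non-Microsoft or invalid signature
# Assumptions: elevated Windows PowerShell 5.1 or later; Sysmon (if installed) uses its
# default channel. The 30-day window and the Microsoft-only signer check are illustrative.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes: "\SystemRoot\System32\drivers\x.sys",
    # "\??\C:\...\x.sys", "system32\drivers\x.sys" or a plain absolute path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                   # strip the \??\ device prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot -> C:\Windows
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousRunningDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path    = Resolve-DriverPath $_.PathName
            $reasons = @()
            $signer  = ''
            if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                # A running driver with no image on disk deserves a look on its own
                $reasons += 'image not found on disk'
            } else {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                if ($sig.Status -ne 'Valid')                                { $reasons += "signature status $($sig.Status)" }
                if ($signer -notmatch 'O=Microsoft Corporation')            { $reasons += 'not Microsoft-signed' }
                if ($path -notmatch '\\System32\\(drivers|DriverStore)\\')  { $reasons += 'unusual image path' }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = $signer; Reason = ($reasons -join '; ') }
            }
        }
}

function ConvertTo-EventDataTable {
    # Flattens <EventData><Data Name="...">value</Data>...</EventData> into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-KernelDriverInstallEvent {
    # Event 7045 ("A service was installed in the system"); ServiceType separates kernel drivers
    # from ordinary user-mode services.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if ($d['ServiceType'] -match 'kernel') {
            [pscustomobject]@{
                Time = $_.TimeCreated; ServiceName = $d['ServiceName']; ImagePath = $d['ImagePath']
                StartType = $d['StartType']; Account = $d['AccountName']
            }
        }
    }
}

function Get-UntrustedSysmonDriverLoad {
    # Sysmon Event 6 (DriverLoad) records Signed / Signature / SignatureStatus at load time,
    # so it survives even if the driver later hides itself from live enumeration.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if ($d['Signed'] -ne 'true' -or $d['SignatureStatus'] -ne 'Valid' -or $d['Signature'] -notmatch 'Microsoft') {
            [pscustomobject]@{
                Time = $_.TimeCreated; Image = $d['ImageLoaded']; Signature = $d['Signature']
                Status = $d['SignatureStatus']; Hashes = $d['Hashes']
            }
        }
    }
}

# Usage: run all three passes and review whatever comes back against the host's baseline.
Get-SuspiciousRunningDriver   | Format-Table -AutoSize
Get-KernelDriverInstallEvent  | Format-Table -AutoSize
Get-UntrustedSysmonDriverLoad | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the live enumeration in the first pass asks the very kernel a rootkit controls, so a driver that hides its own service entry will not appear there; the historical 7045 and Sysmon events are the more trustworthy record, and off-host telemetry is better still. Second, third-party drivers signed through WHQL carry a Microsoft publisher certificate, so the signer check alone does not prove a driver is an inbox Windows component; compare any hit against a known-good baseline before drawing conclusions.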
Related posts
- cyberinsider.com — ESET discovers Windows SprySOCKS variant with rootkit capabilities
- feeds.feedburner.com — China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
- Dark Reading — SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection