The Chinese cyberespionage group known as FishMonger has expanded its capabilities by adapting its SprySOCKS backdoor, previously exclusive to Linux systems, for Windows platforms. This development significantly broadens the group’s potential targets, encompassing a wider array of organizations globally.
SprySOCKS first emerged in September 2023, with its Linux variant being actively utilized in espionage campaigns. The backdoor was originally built upon the open-source Windows remote access tool Trochilus but underwent substantial modifications, resulting in a distinct and purpose-built threat. Initially, its deployment was primarily associated with attacks on government organizations across Asia.
Recent analyses have identified two previously undocumented Windows variants of SprySOCKS, designated as WIN_DRV and WIN_PLUS. These variants have been active between 2023 and 2024, with confirmed victims in countries such as Honduras, Taiwan, Thailand, and Pakistan, predominantly targeting government entities. The initial samples of these variants were uploaded to VirusTotal in April 2024 under the archive name klelam00007.zip.
FishMonger is believed to be operated by a Chinese contractor named I-SOON, which falls under the broader Winnti Group umbrella. The group has a history of targeting universities in Hong Kong during the 2019 civil protests and is known for conducting watering-hole attacks. Their toolkit includes malware such as ShadowPad, Spyder, Cobalt Strike, FunnySwitch, and the BIOPASS RAT. The expansion of SprySOCKS to Windows indicates a continued investment in offensive capabilities.
Both Windows variants of SprySOCKS implement over 30 command-and-control (C2) commands, covering functionalities like system enumeration, file management, service control, and keylogging. There are also indications that some attacks may involve a UEFI bootkit component, potentially exploiting vulnerabilities like CVE-2023-24932, which could allow the malware to persist even after a complete operating system reinstall.
Technical Details of the WIN_DRV Variant
The WIN_DRV variant employs a kernel driver named RawWNPF to enhance stealth on compromised systems. This driver conceals the malware’s network connections, processes, files, and registry keys from standard monitoring tools. For instance, utilities like netstat.exe would not display active backdoor connections because the driver intercepts Windows Filtering Platform calls and omits those entries from any output.
To load the kernel driver without triggering Windows security checks, the attackers utilized a leaked code-signing certificate from the PastDSE project on GitHub. Once active, the driver performs TCP traffic diversion, allowing attackers to send commands through any open TCP port without needing to know the exact listening port. This technique complicates detection and mitigation efforts.
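A cross-view comparison is one way a defender can surface the connection hiding described above: a driver can filter what the host itself enumerates, but it cannot rewrite what a network sensor already recorded on the wire. This is an added example, not code from the page or from any vendor report; the `netstat -ano` text and the sensor flow records are constructed sample data, and the sensor's line format is an assumption.

```python
import re

# Constructed `netstat -ano` output as the compromised host reports it
# (sample data, not from the page). The flow to 203.0.113.77:8443 is
# absent, which is the gap a connection-hiding driver would produce.
HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    192.168.1.10:49812     203.0.113.5:443        ESTABLISHED     4520
  TCP    192.168.1.10:49813     198.51.100.20:443      ESTABLISHED     4520
  UDP    0.0.0.0:5353           *:*                                    1880
"""

# Constructed flow records from a network sensor watching the same host.
# The "timestamp src -> dst proto" layout is a hypothetical format.
SENSOR_FLOWS = """\
2024-04-02T10:15:03Z 192.168.1.10:49812 -> 203.0.113.5:443 TCP
2024-04-02T10:15:04Z 192.168.1.10:49813 -> 198.51.100.20:443 TCP
2024-04-02T10:15:09Z 192.168.1.10:49990 -> 203.0.113.77:8443 TCP
"""

FLOW_RE = re.compile(r"^\S+\s+(\S+)\s+->\s+(\S+)\s+(TCP|UDP)$")


def parse_netstat(text):
    """Return {(proto, local, remote)} from Windows `netstat -ano` output."""
    conns = set()
    for line in text.splitlines():
        fields = line.split()
        # Header and blank lines have no TCP/UDP token in the first column.
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            conns.add((fields[0], fields[1], fields[2]))
    return conns


def parse_sensor(text):
    """Return {(proto, local, remote)} from the sensor's flow records."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add((m.group(3), m.group(1), m.group(2)))
    return flows


def hidden_connections(host_text, sensor_text):
    """Flows the sensor saw that the host's own enumeration does not report."""
    return sorted(parse_sensor(sensor_text) - parse_netstat(host_text))


if __name__ == "__main__":
    for proto, local, remote in hidden_connections(HOST_NETSTAT, SENSOR_FLOWS):
        print(f"hidden from host view: {proto} {local} -> {remote}")
```

Because the driver also diverts commands through any open TCP port, the remote endpoint of a hidden flow may use a port that looks routine; the discrepancy between the two views, not the port number, is the signal.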
The adaptation of SprySOCKS to Windows platforms underscores the evolving tactics of state-sponsored threat actors. Organizations must remain vigilant, implementing robust security measures and staying informed about emerging threats to effectively defend against such sophisticated cyberespionage campaigns.