ESET researchers have found two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I‑SOON. While we initially discovered the malware samples on VirusTotal, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations.
The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS. Both contain a hardcoded C&C configuration and support communication over TCP, UDP, and WebSocket protocols. The core backdoor functionality of both includes support for over 30 C&C commands, covering various functionalities including system information collection, process enumeration, as well as service management and file management functions such as listing, creating, deleting, and moving files.
In addition to the core backdoor functionality, the WIN_DRV version uses kernel drivers to hide the malware's network connections, processes, files, and registry keys, and enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor via a random TCP port on the victim's system without exposing the backdoor's real listening port in the network traffic.
Based on ESET telemetry, there are limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly exploiting CVE‑2023‑24932.
The analysis provided in this report leads us to attribute these new Windows variants to FishMonger with high confidence.
Key points of this blogpost:
- We discovered two previously undocumented Windows variants of FishMonger's SprySOCKS backdoor.
- ESET telemetry shows activity between 2023 and 2024, primarily targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan.
- Both Windows variants support communication over TCP, UDP, and WebSocket protocols, and implement over 30 commands.
- The WIN_DRV variant creates a stealthy passive TCP backdoor, relying on a kernel driver to redirect traffic to the backdoor's hidden TCP port whenever specially crafted data is detected inside a received TCP packet.
FishMonger profile
FishMonger – believed to be operated by a Chinese contractor named I‑SOON (see our Q4 2023–Q1 2024 APT Activity Report) – is a cyberespionage group that falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu. It is also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10. We published an analysis of FishMonger in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. The group is also known to operate watering-hole attacks, as reported by Trend Micro. FishMonger's toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.
Technical analysis
In this section, we provide a technical analysis of these new Windows variants of FishMonger's SprySOCKS backdoor.
The archive that led us to this discovery was uploaded to VirusTotal in April 2024 under the name klelam00007.zip; its contents are shown in Figure 1.

This archive contains various files, including legitimate ones used to host DLL side-loading, and three suspicious-looking, encrypted files with .dat extensions. Our subsequent analysis revealed that these encrypted files contain a new, previously undocumented Windows variant of FishMonger's SprySOCKS backdoor, labeled WIN_DRV by its developers. Further investigation revealed an additional backdoor version, labeled WIN_PLUS, in ESET telemetry.
Initial access
FishMonger has been known for targeting the public-facing servers of its victims, often exploiting server-based N-day vulnerabilities, to gain initial access. While we weren't able to confirm the exact way FishMonger got into its victims' systems in this campaign, the presence of a server operating system on several of the victim devices, together with FishMonger's typical modus operandi, suggests that the attackers may well have gotten in via misconfigured or unpatched public-facing applications.
SprySOCKS for Windows
In September 2023, Trend Micro published a report about a new FishMonger Linux backdoor that its analysts named SprySOCKS. The code of the backdoor is based on an open-source Windows remote access trojan (RAT) named Trochilus, and shares several common characteristics with the RedLeaves backdoor; however, it was extended and modified enough to be considered a new backdoor. In this report, we analyze two as yet undisclosed Windows variants of v1.8 of SprySOCKS:
- One has been named WIN_DRV by its developers and uses a kernel driver for advanced stealth.
- Another, without the driver, is called WIN_PLUS.
As shown in Figure 2, the backdoor version type and number are hardcoded in the binary.

The vast majority of artifacts and functionality present in the Linux version of the SprySOCKS backdoor introduced in Trend Micro's report can also be found in the newly discovered Windows SprySOCKS variants described in this report. These include:
- the same C&C message format,
- very similar C&C commands (plus some additional ones),
- the same encryption keys and algorithms, and
- the use of the same statically linked networking library (HP-Socket).
For both of these new SprySOCKS variants, the core backdoor functionality involving C&C communication and available commands is very similar. The most notable differences can be observed in the way the final backdoor is loaded, in the improved stealthiness, and in the component names and paths used.
In the following subsections, we first analyze the components involved in the execution chain of the individual SprySOCKS variants, and then we describe the backdoor component, which is mostly the same for both variants.
WIN_DRV components
In an archive uploaded to VirusTotal, we discovered the WIN_DRV version of SprySOCKS, which comes with an empty C&C configuration. Consequently, this version doesn't actively contact any remote addresses; however, it is still capable of launching a TCP server on a random port on the victim's system, thus acting as a passive backdoor. Interestingly, the attackers don't need to know this server's TCP port number because, as explained later, the RawWNPF driver used by the WIN_DRV version allows silent diversion – to the backdoor itself – of TCP traffic received on any open port (more in the RawWNPF driver section).
As shown in Figure 1, the archive containing the WIN_DRV version of SprySOCKS contains several files:
- klelam00007.bat – a batch script responsible for persisting the backdoor. As shown in Figure 3, it:
○ copies all files from the current working directory into the %SystemRoot%\Fonts directory (to function properly, the batch file needs to be deployed in the same directory as the rest of the files from the archive),
○ creates a scheduled task named ApphostRagistreationVerifier, configured to execute ApphostRagistreationVerifier.exe (which is a legitimate, validly signed executable, renamed by the attackers to mimic the legitimate Microsoft-signed AppHostRegistrationVerifier.exe) with NT AUTHORITY\SYSTEM privileges on every system start. The attackers use the well-known DLL side-loading technique, taking advantage of the way Windows loads DLLs, to load their own malicious DLL (in this case tpsvcloc.dll) by using a legitimate, signed application. To be specific, in this case the attackers use the Malware Sideloading via MFC Satellite DLLs technique (note the loc string in the tpsvcloc.dll filename),
- ApphostRagistreationVerifier.exe – a legitimate, signed executable of ThinPrint's AutoConnect printer creation service (SHA‑1: FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7) that loads the tpsvc.dll library,
- tpsvc.dll – a legitimate, signed library that loads the tpsvcloc.dll library,
- tpsvcloc.dll – the SprySOCKS backdoor loader,
- X1B5206BDC1743DD.dat – an encrypted container comprising the SprySOCKS backdoor and copies of the next two files,
- KX1B5206BDC1743DD.dat – DriverLoader, an encrypted kernel driver responsible for loading another kernel driver from KW1B5206BDC1743FP.dat, and
- KW1B5206BDC1743FP.dat – RawWNPF, an encrypted kernel driver responsible for hiding the backdoor's files and network activity.

Figure 4 depicts the execution chain of the SprySOCKS WIN_DRV variant.

The next three subsections provide technical analyses of the aforementioned components: the SprySOCKS loader, the DriverLoader driver, and the RawWNPF driver.
SprySOCKS loader
The loader begins with preliminary checks for the presence of a virtual environment and some security products. It looks for specific libraries (namely: snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, and SbieDll.dll) in the loader's process, and exits if it finds any of them.
As the next step, it verifies whether persistence was set successfully by the klelam00007.bat script from Figure 3. To do so, it checks whether the current loader's image was loaded from the %SystemRoot%\Fonts directory, and tries to access the %SystemRoot%\Fonts\X1B5206BDC1743DD.dat, %SystemRoot%\Fonts\tpsvc.dll, and %SystemRoot%\Fonts\tpsvcloc.dll files. If it finds that any of these files are not where they are supposed to be, it sets up persistence by itself by:
- copying X1B5206BDC1743DD.dat, tpsvc.dll, tpsvcloc.dll, and ApphostRagistreationVerifier.exe from the current working directory into the %SystemRoot%\Fonts directory,
- registering the %SystemRoot%\Fonts\ApphostRagistreationVerifier.exe application as a debugger for vds.exe (the Virtual Disk Service, which can be automatically executed on system start) by writing the application's path into the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger, and
- dropping the affair-build.bat file into the %SystemRoot%\Fonts directory and then executing it via cmd.exe. This script, shown in Figure 5, clears traces of this process by removing files from the deployment directory and executing the malware again (now from %SystemRoot%\Fonts) by restarting the vds service.

When persistence is set, the loader continues by loading payloads from an encrypted container located at %SystemRoot%\Fonts\X1B5206BDC1743DD.dat. The decryption algorithm and key: 128-bit AES in ECB mode with the hardcoded key uXQLESMXGaRMs6BL.
This produces shellcode generated by the DllToShellCode open-source tool. Before executing the shellcode, it extracts the rest of the encrypted payloads from the container into separate files:
- %SystemRoot%\Fonts\KX1B5206BDC1743DD.dat
- %SystemRoot%\Fonts\KW1B5206BDC1743FP.dat
When done, the loader spawns a new svchost.exe process using CreateProcessAsUserW with a token obtained from spoolsv.exe, and injects the backdoor's shellcode into the process by using the process doppelgänging technique. During the injection process, the shellcode is dropped into a temporary file, using the prefix TH in its filename, inside the %TEMP% directory.
As the last step, the loader proceeds to decrypt and execute DriverLoader, a kernel driver hidden inside the previously dropped KX1B5206BDC1743DD.dat file. DriverLoader is first decrypted, then the decrypted contents are saved to C:\Windows\System32\drivers\fsdiskbit.sys. To execute it, the loader installs this driver as a minifilter driver by manually creating a new service registry key named msidiskserver with an ImagePath value pointing to the dropped driver (as shown in Figure 6) and invokes the NtLoadDriver Windows API function with the registry key as the parameter to load it. If no errors are detected, the loader deletes both the msidiskserver registry key and the fsdiskbit.sys file. After this, the loader is done and exits.

DriverLoader driver
Before jumping to DriverLoader's functionality, one important note: with the release of Windows Vista, Microsoft introduced driver signature enforcement (DSE), a feature ensuring that only validly signed kernel-mode components are allowed to execute in the Windows kernel. This means that to execute the fsdiskbit.sys driver (DriverLoader), attackers need to sign it with a trusted certificate.
To make the driver work on at least some old or misconfigured systems, the attackers used a leaked certificate available on GitHub in the PastDSE project repository, and signed the fsdiskbit.sys driver with it. Information about the certificate used can be found in Figure 7.

Now to the functionality. The purpose of this component is quite simple: to load another driver, this time in memory only. First, it reads and decrypts the contents of the C:\Windows\Fonts\KW1B5206BDC1743FP.dat file, previously created by the loader. It uses the same algorithm and key as the loader: 128-bit AES in ECB mode with the key uXQLESMXGaRMs6BL. The decrypted data contains a native PE binary (described in the RawWNPF driver section), which is then manually mapped and its entry point executed.
The following PDB path is embedded in the DriverLoader binary:
C:\Users\xdd\Desktop\今天2023-4-11\2023-04-10__注册表驱动加载功能__集成到内测3中-未完成\DriverMemoryLoadDriver\x64\Release\DriverMemoryLoadDriver.pdb
The parts in simplified Chinese machine translate as:
- 今天: Today
- 注册表驱动加载功能__集成到内测3中-未完成: Registry driver loading function__integrated into internal beta 3-not completed
As we can see in the symbols path, this component seems to have been in development at least since April 2023, which aligns with DriverLoader's compilation timestamp. Similarly, strings in the path suggest that the project this driver is part of was likely still in development when the driver was compiled.
RawWNPF driver
The RawWNPF driver is the component that makes the WIN_DRV version of the SprySOCKS backdoor much stealthier when compared to the WIN_PLUS variant. It allows hiding the backdoor's malicious activity on the compromised system, and can be configured by invoking the driver's custom I/O control codes (IOCTLs). The driver creates a device object named \Device\RawWNPF; a list of the available IOCTLs, with short descriptions, is shown in Table 1.
Table 1. List of IOCTLs handled by the RawWNPF driver
| IOCTL | Description |
|---|---|
| 0x220200 | Configure the driver to hide active network connections to and from the specified local TCP port. |
| 0x220300 | Unhide the network connections configured with 0x220200. |
| 0x220340 | Insert an entry into the hidden connections list. |
| 0x220344 | Remove an entry from the hidden connections list. |
| 0x220348 | Wipe the whole hidden connections list. |
| 0x22034C | Read the hidden connections list. |
| 0x220350 | Insert a process with a specified PID into the hidden processes list. |
| 0x220354 | Remove a process with a specified PID from the hidden processes list. |
| 0x220358 | Wipe the whole hidden processes list. |
| 0x22035C | Read the hidden processes list. |
| 0x222000 | Initialize the driver's main functions (hiding network connections, hiding processes, hiding malware components, network filters, persistence protection). After this initialization, other IOCTLs can be used to configure what exactly should be hidden. |
| 0x222004 | Returns two hardcoded DWORD values: 1 and 2. This could possibly be the driver's version. |
| 0x222008 | Delete the driver's binary (if it exists). |
Hiding specified processes
The RawWNPF driver can be configured to hide processes based on their process IDs, and the list of hidden processes can be managed by invoking the driver's IOCTLs 0x220358, 0x22035C, 0x220354, and 0x220350. To hide a process, the driver hooks execution of the NtQuerySystemInformation system call and modifies its output if information about running processes is being retrieved (i.e., if SystemProcessInformation is passed in the SystemInformationClass parameter). If any of the processes retrieved by this API function match a process from the driver's list of hidden processes, the driver removes this process from the function's output. The way the kernel driver hooks the NtQuerySystemInformation system call seems to be heavily based on source code from the InfinityHookPro project.
Hiding network activity
The driver can be configured to hide specific active connections (with a specified IP, port, or combination of both) so that they won't be listed in the output of common network administration tools such as netstat.exe. This is achieved by a well-known technique (e.g., [1], [2], [3], … ), where attackers hook the IoCompletionRoutine for IOCTL 0x12001B inside the DeviceIoControl function of the nsiproxy.sys Windows kernel driver. The code inside nsiproxy's 0x12001B IOCTL handler is responsible for retrieving the list of active connections, and hooking its IoCompletionRoutine allows attackers to walk through the retrieved list, check for the presence of specific ports, addresses, or both, and hide the specific connection from the list if a match is found. Figure 8 shows the hook function responsible for hiding network connections.

In addition to hiding active network connections, the driver contains an interesting functionality allowing it to divert TCP packets received on any open TCP port to the specific TCP port configured via IOCTL 0x220200 (it's actually the port of the SprySOCKS backdoor's TCP server), but only in the case that the TCP data received contains specially crafted data. To achieve this, the driver registers its own packet filter objects using Windows Filtering Platform (WFP) API functions, manually parses the contents of transferred IPv4 packets (both inbound and outbound traffic is inspected), and proceeds to divert the traffic if the specially crafted data is detected inside a received TCP packet's data. The purpose of this feature seems to be primarily the capability to contact the malicious backdoor without the need to embed a C&C address inside the binary. Moreover, even though such diverted traffic can be inspected using tools such as Wireshark, the real port (the one the traffic is diverted to) is not revealed; thus it can be difficult to investigate the real destination of this malicious traffic.
Installed packet filters, together with their identifying information, are listed in Table 2.
Table 2. WFP filter objects registered by the RawWNPF driver
| Filter layer name | Filter object name and GUID | Filter object callout name and GUID |
|---|---|---|
| Inbound IP Packet v4 Layer | Delivery Optimization (TCP-In) {E980088D-BE44-4057-8E5C-C7FDF8968795} | COInbound {DE0D7F67-94ED-4DDB-8215-9C028B54661B} |
| Outbound IP Packet v4 Layer | Delivery Optimization (TCP-Out) {33F76397-DBCB-445E-8EC3-AA51ED302D15} | COOutbound {8280DDF3-7489-4402-B9D8-96B50912346B} |
| ALE Connect v4 Layer | Delivery Optimization (TCP-In) {5746AF70-2917-4861-97E6-D5E4DD569F2D} | COAuthConnect {A33E1AA8-9B0F-44A3-B24A-AEB04CA54C3B} |
| ALE Listen v4 Layer | Delivery Optimization (TCP-In) {7CB4DFB4-0D20-402D-A49D-BA9660D026E6} | COAuthListen {40045FAF-6BAE-4B48-9119-31B48FFEA629} |
| ALE Receive/Accept v4 Layer | Delivery Optimization (TCP-In) {2C1AB6EF-0B65-4634-8666-BCB2CF9C72E9} | COAuthAccept {DDFE5189-389F-437F-9B92-59495ED2181A} |
| ALE ResourceAssignment v4 Layer | Delivery Optimization (TCP-In) {B4AE248F-98D5-446F-88EB-14CF605AE722} | COAuthResAssignment {FE570356-A1A9-413C-94CC-BD6C448E9969} |
Hiding the backdoor's files
The driver hides/protects the SprySOCKS backdoor's files by registering itself as a minifilter driver and installing the following callbacks:
- a pre-operation callback triggered on every IRP_MJ_CREATE I/O request and responsible for returning STATUS_NO_SUCH_FILE on every attempt to create or open a file or a directory from the driver's list of hidden/protected files,
- a pre-operation callback triggered on every IRP_MJ_DIRECTORY_CONTROL I/O request and responsible for filtering out requests not related to directory enumeration, so that only those related to directory enumeration are passed to the post-operation callback, and
- a post-operation callback triggered on IRP_MJ_DIRECTORY_CONTROL I/O requests that passed the pre-operation callback checks. This callback is responsible for removing entries of hidden/protected files from any directory listing attempts.
The following hardcoded list of filenames is protected by the driver:
- \SystemRoot\Fonts\tpsvc.dll
- \SystemRoot\Fonts\tpsvcloc.dll
- \SystemRoot\Fonts\ApphostRagistreationVerifier.exe
- \SystemRoot\Fonts\X1B5206BDC1743DD.dat
- \SystemRoot\Fonts\KX1B5206BDC1743DD.dat
- \SystemRoot\Fonts\KW1B5206BDC1743FP.dat
Protecting persistence
The driver calls CmRegisterCallbackEx to install a RegistryCallback routine responsible for hiding the registry key used for the SprySOCKS loader's persistence: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe. Consequently, all attempts to open or enumerate the key are filtered out by the driver.
WIN_PLUS components
In the SprySOCKS WIN_PLUS version, we first discovered the malicious encrypted container in our telemetry, with the first hit dating back to July 2024, found on the system of a victim in Pakistan. It contained the SprySOCKS backdoor and the SprySOCKS loader. The C&C configuration was present and is shown in Figure 9.

The encrypted container was located at the following path on the compromised system:
C:\Windows\System32\spool\drivers\color\config.dat
When decrypted, the container contains a SprySOCKS loader and the SprySOCKS backdoor itself. Further analysis of the SprySOCKS backdoor from the container showed that, in this case, there appeared to be an additional component responsible for loading the SprySOCKS loader from the encrypted container. This component – referred to as the first-stage loader in this analysis – should be installed as a print processor under the following registry key:
HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg
Interestingly, when we searched our telemetry for anything related to this VSPMsg string, we discovered a file deployed on two different victim devices from Honduras at C:\Windows\System32\spool\prtprocs\x64\VSPMsg.dll. This file turned out to be the first-stage loader responsible for executing the SprySOCKS loader from the aforementioned config.dat file.
An execution diagram of the SprySOCKS WIN_PLUS variant is illustrated in Figure 10.

First-stage loader
This loader begins by checking whether it was executed by spoolsv.exe, and exits if not; this hides its behavior from automated malware analysis sandboxes, as the loader is meant to be run as a print processor. It continues by decrypting the SprySOCKS loader from the encrypted container C:\Windows\System32\spool\drivers\color\config.dat. First it 128-bit AES-ECB decrypts the loader with the hardcoded key uXQLESMXGaRMs6BL, then injects it into a newly created svchost.exe process via process doppelgänging. Meanwhile, the SprySOCKS loader is dropped into a temporary file, with a filename prefix of TH, inside the %TEMP% directory.
The sample exports two functions:
- GetErrorMessageModule
- SetErrorMessageModule
While the SetErrorMessageModule function doesn't do anything, the GetErrorMessageModule function is meant to be used to set persistence for the loader itself. When executed, it registers the loader as a print processor by creating the HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg registry key, setting the Driver registry value to VSPMsg.dll, and copying the hardcoded C:\ProgramData\Microsoft EventPFs\VSPMsg.dll to the C:\Windows\System32\spool\prtprocs\x64 directory. As the next step, it copies the encrypted container from C:\ProgramData\Microsoft EventPFs\config.dat to C:\Windows\System32\spool\drivers\color\config.dat and, when done, it generates and drops the affair-build.bat batch script into the C:\Windows\System32\spool\drivers\color directory and executes it. As shown in Figure 11, this script's purpose is to cover the loader's tracks by removing the files in the original deployment directory and triggering execution of the newly installed print processor by restarting the print spooler service.

SprySOCKS loader
This loader begins by creating a mutex with the hardcoded name fqwhi2d1qaz2, and then proceeds to load the SprySOCKS backdoor from the encrypted container located at C:\Windows\System32\spool\drivers\color\config.dat. It 128-bit AES-ECB decrypts the backdoor with the hardcoded key uXQLESMXGaRMs6BL, then injects it into a newly created svchost.exe process via process doppelgänging. Meanwhile, the SprySOCKS loader is dropped into a temporary file, with a filename prefix of TH, inside the %TEMP% directory.
SprySOCKS backdoor
Finally, we proceed to our analysis of the SprySOCKS backdoor itself. In both variants, WIN_DRV and WIN_PLUS, the backdoor functionality is almost the same; the differences are only in the specific file paths and registry keys used, and, as already mentioned, the WIN_PLUS version doesn't use the RawWNPF driver for advanced stealthiness.
Both variants analyzed in this report are DLLs with the original name PrcsServer.dll, exporting a function named Stop. They create a mutex named prcs-server-run at the start and right after that proceed to the initialization of the backdoor's main functionality, which includes initializing and launching the C&C communication channels (based on the hardcoded configuration) and setting up the keylogger. In addition to these actions, the WIN_DRV backdoor version initializes the RawWNPF driver by invoking its 0x222000 IOCTL handler, and then hides its own process by invoking the driver's 0x220350 IOCTL.
Keylogging is activated only if there is an existing INI file at %appdata%\Microsoft\Vault\lgf.dat that contains a config section with a property named key that is set to 1. If these conditions are met, both backdoors create a mutex named Global\{DCAA7ED8-521B-4EAB-BE21-65254CF59239} and periodically log clipboard data, together with the active window title and keystrokes, into the file %appdata%\Microsoft\Vault\lg.dat. The data in the file is encrypted using a single-byte XOR cipher with the key 0x44.
C&C communication
The backdoor supports three protocols for communication with the C&C – TCP, UDP, and WebSocket – and can act as both client and server. The networking-related functionality is heavily based on the HP-Socket networking framework, and some cryptography functions were implemented using the Crypto++ library.
The C&C configuration is embedded in the backdoor, and can contain:
- up to three IP addresses and associated ports, each specifying a C&C IP address and its port for one of the communication channels (TCP, UDP, or WebSocket), and
- up to three port numbers, each specifying a port the backdoor should listen on for new connections. One is used for a TCP server, one for a UDP server, and one for a WebSocket server.
An example configuration from the WIN_PLUS version is shown in Figure 9 and it contains:
- The C&C address and port for the TCP communication channel: 207.148.78[.]36:443.
- The C&C address and port for the UDP communication channel: 207.148.78[.]36:53.
- The C&C address and port for the WebSocket communication channel: 207.148.78[.]36:80.
- The backdoor's TCP server listening port: 53781.
Before initiating any connections or starting a server, the SprySOCKS WIN_DRV version hides any connections from/to the addresses or ports from the configuration by invoking the RawWNPF driver's IOCTLs 0x220340 and 0x220200. Consequently, these connections won't be listed in the output of tools such as netstat.exe, despite being active. In addition, both backdoor versions execute the netsh.exe utility twice:
netsh.exe netsh advfirewall firewall delete rule name="Core Networking - Packet Too Big (ICMPv6-In)"
netsh advfirewall firewall add rule name="Core Networking - Packet Too Big (ICMPv6-In)" dir=in action=allow protocol=tcp localport=53781
The first command deletes a specified firewall rule, and the second adds a new firewall rule with the same name as the one just deleted, allowing all inbound TCP traffic sent to the backdoor's TCP server port specified in the configuration.
If the C&C configuration is empty (as in the case of the WIN_DRV version we discovered on VirusTotal), the backdoor starts a TCP server that listens on a random port on the compromised machine and also hides this port by invoking the RawWNPF driver's IOCTL 0x220200. This invocation not only hides the TCP server from being listed in standard networking tools' output, but also activates the TCP-diverting feature provided by the RawWNPF driver. This feature allows attackers to send commands to the backdoor without knowing the real port the backdoor listens on, simply by sending specially crafted TCP data to any open TCP port on the victim's machine.
For the TCP communication channel, the C&C protocol seems to remain the same as in the Linux version analyzed in Trend Micro's report. Every time before sending the actual backdoor data, it sends a 12-byte header containing the 32-bit CRC of the rest of the header, a DWORD magic value 0xACACBCBC, and a DWORD specifying the size of the data that follows the header.
For the UDP and WebSocket channels, the magic values are different, and so are the message header format and size. For the UDP channel, the magic value is 0xACACBFBC and it is located at offset 0x1C in a 36-byte header, followed by a DWORD specifying the size of the data that follows. In the WebSocket channel, the magic value 0x1BDCCBAA is used as the Masking-Key in the WebSocket header. Figure 12 shows a network traffic capture with the magic values for each of the communication channels.

Following the header is, again, a 32-bit CRC, then the WORD value 0x0003 (likely indicating the encryption method), followed by 128-bit AES-ECB encrypted data (using the hardcoded key QFTHEYjzX3RBOMgZ) that has been base64 encoded.
An example of a C&C message before and after decoding and decryption is shown in Figure 13.
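As an added illustration of the framing described above (written for this page, not code from the original report or from the malware), the following Python parser recognizes the TCP, UDP, and WebSocket channel headers by their magic values and unpacks the body envelope down to the base64-decoded ciphertext, which a detection pipeline could then hand to AES-128-ECB with the hardcoded key. It assumes that the 32-bit CRC is the standard CRC-32, that the body CRC covers everything after it, and that the WebSocket Masking-Key may appear in either byte order; the sample frame is constructed with a placeholder ciphertext.

```python
import base64
import struct
import zlib

# Magic values and header layouts as documented in the report.
TCP_MAGIC = 0xACACBCBC       # 12-byte header: CRC32 | magic | size
UDP_MAGIC = 0xACACBFBC       # 36-byte header, magic at offset 0x1C, then size
WS_MAGIC = 0x1BDCCBAA        # used as the WebSocket Masking-Key
TCP_HEADER_LEN = 12
UDP_HEADER_LEN = 36
UDP_MAGIC_OFFSET = 0x1C
BODY_METHOD = 0x0003         # WORD after the body CRC (likely encryption method)
AES_BLOCK = 16               # body carries base64 of 128-bit AES-ECB ciphertext
AES_KEY = b"QFTHEYjzX3RBOMgZ"  # hardcoded key from the report; decryption not done here


def _crc32(data):
    # Assumption: the report's "32-bit CRC" is the standard CRC-32 (zlib flavour).
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_body(body):
    """Unpack the payload after a TCP/UDP header: CRC32, WORD 0x0003, base64(ciphertext).
    Returns None when the layout does not match."""
    if len(body) < 6:
        return None
    crc, method = struct.unpack_from("<IH", body, 0)
    if method != BODY_METHOD:
        return None
    b64 = body[6:]
    try:
        ciphertext = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    return {
        "crc_ok": _crc32(body[4:]) == crc,   # assumption: CRC covers method + base64
        "method": method,
        "ciphertext": ciphertext,
        # AES-ECB output is always a whole number of 16-byte blocks.
        "block_aligned": len(ciphertext) > 0 and len(ciphertext) % AES_BLOCK == 0,
    }


def parse_tcp_frame(data):
    """Match the 12-byte TCP-channel header; its CRC covers the 8 bytes after it."""
    if len(data) < TCP_HEADER_LEN:
        return None
    crc, magic, size = struct.unpack_from("<III", data, 0)
    if magic != TCP_MAGIC:
        return None
    body = data[TCP_HEADER_LEN:TCP_HEADER_LEN + size]
    return {
        "channel": "tcp",
        "header_crc_ok": _crc32(data[4:TCP_HEADER_LEN]) == crc,
        "size": size,
        "complete": len(body) == size,
        "body": parse_body(body),
    }


def parse_udp_frame(data):
    """Match the 36-byte UDP-channel header: magic at 0x1C, size DWORD right after it."""
    if len(data) < UDP_HEADER_LEN:
        return None
    magic, size = struct.unpack_from("<II", data, UDP_MAGIC_OFFSET)
    if magic != UDP_MAGIC:
        return None
    body = data[UDP_HEADER_LEN:UDP_HEADER_LEN + size]
    return {"channel": "udp", "size": size, "complete": len(body) == size,
            "body": parse_body(body)}


def websocket_key_matches(frame):
    """True when a masked WebSocket frame carries the SprySOCKS Masking-Key.
    Assumption: the DWORD may be on the wire in either byte order, so both are checked."""
    if len(frame) < 2 or not frame[1] & 0x80:      # MASK bit must be set
        return False
    length = frame[1] & 0x7F
    key_off = 2 + {126: 2, 127: 8}.get(length, 0)  # skip extended payload length
    key = frame[key_off:key_off + 4]
    return key in (struct.pack("<I", WS_MAGIC), struct.pack(">I", WS_MAGIC))


def classify(data):
    """Return the channel name when the bytes match any SprySOCKS framing, else None."""
    for parser in (parse_tcp_frame, parse_udp_frame):
        result = parser(data)
        if result is not None:
            return result["channel"]
    return "websocket" if websocket_key_matches(data) else None


def build_sample_tcp_frame():
    """Constructed test vector (not a real capture): two zero AES blocks stand in for
    ciphertext, since producing a real payload would require the AES key."""
    b64 = base64.b64encode(b"\x00" * 32)
    body_tail = struct.pack("<H", BODY_METHOD) + b64
    body = struct.pack("<I", _crc32(body_tail)) + body_tail
    header_tail = struct.pack("<II", TCP_MAGIC, len(body))
    return struct.pack("<I", _crc32(header_tail)) + header_tail + body


if __name__ == "__main__":
    frame = build_sample_tcp_frame()
    print(classify(frame), parse_tcp_frame(frame)["header_crc_ok"])
```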

The __msgid value in the decrypted C&C message specifies the command, identified by a message ID, that the backdoor should execute. The list of message IDs supported by the backdoor, along with their descriptions, can be found in Table 3. Note that we have not analyzed all of these commands in depth; therefore, some descriptions are only a rough overview of the part of the code or functionality the message ID relates to.
Table 3. SprySOCKS C&C commands; descriptions marked with * are tentative assessments
| Message ID | Description |
| 0x09 | Collect client (victim) system information, including: computer name, OS version, network adapter information, information about memory, CPU information, current privileges, system language and version, current time, and the backdoor version (1.8) and version type (WIN_DRV or WIN_PLUS). |
| 0x0A | Start an interactive console. |
| 0x0B | Write into the interactive console. |
| 0x0D | Stop the interactive console. |
| 0x0E | Specify an additional communication channel (don’t start the channel). Likely used to specify an additional backup C&C. |
| 0x0F | Send a C&C message to a different target.* |
| 0x11 | Enumerate all processes. |
| 0x12 | Enumerate modules of a process specified by a PID. |
| 0x13 | Terminate a process specified by a PID. |
| 0x14 | Close all connections. |
| 0x16 | Get current communication channel information. |
| 0x17 | Specify additional communication channels (TCP, UDP, or WebSocket) and start them. |
| 0x19 | Uninstall the backdoor and exit. |
| 0x1E | Enumerate all services. |
| 0x1F | Configure StartType for a specified service. |
| 0x20 | Start services with a specified name. |
| 0x21 | Invoke the ControlService function with a specified dwControl parameter. |
| 0x22 | Delete a specified service from the service manager. This does not stop the service if it is running. |
| 0x23 | Initialize SOCKS proxy. |
| 0x24 | Terminate SOCKS proxy.* |
| 0x25 | Send data via SOCKS proxy. |
| 0x26 | SOCKS proxy-related command.* |
| 0x2A | Upload a specified file.* |
| 0x2B | File-transfer-related helper command.* |
| 0x2C | Download a specified file.* |
| 0x2D | File-transfer-related helper command.* |
| 0x3C | Enumerate free disk space. |
| 0x3D | List files in the specified directory. |
| 0x3E | Delete a specified file. |
| 0x3F | Create a specified directory. |
| 0x40 | Rename a specified file. |
| 0x41 | Execute an existing file. |
| 0x42 | Copy a specified file. |
| 0x43 | List files from the Recent Windows directories for the logged-in user: %APPDATA%\Microsoft\Windows\Recent and %APPDATA%\Microsoft\Office\Recent |
Network infrastructure
Only one C&C address has been discovered in this campaign: 207.148.78[.]36, hardcoded in the configuration (shown in Figure 9) of the WIN_PLUS variant of the SprySOCKS backdoor.
Ports from the configuration that should be used by the backdoor to communicate with the C&C:
- TCP: 443
- UDP: 53
- WebSocket: 80
As mentioned in Trend Micro’s report, the IP address 207.148.75[.]122, from the same IP range 207.148.64.0/20 as the C&C above, was used by FishMonger operators as a SprySOCKS delivery server in June 2023. This IP range belongs to the Vultr cloud hosting provider.
Conclusion
The discovery of a Windows variant of SprySOCKS, previously known as a Linux-only backdoor, represents a significant expansion of FishMonger’s cross-platform capabilities. Our analysis shows that the Windows port retains most of the core architecture of its Linux predecessor, including the C&C protocol, the encryption used, and the overall command handling logic, while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing kernel drivers into play. Considering the limited indications of possible UEFI bootkit involvement, we advise everyone to keep a close eye on the group’s activities.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
Files
| SHA‑1 | Filename | Detection | Description |
| 955BFC3DCC867256F9F4 | KX1B5206BDC | Win64/SprySOCKS.A | Encrypted SprySOCKS DriverLoader driver. |
| 44DC4A08C5EB0972C8E1 | bthcam.sys | Win64/Agent.ESB | SprySOCKS DriverLoader driver. |
| AB87B29B6F79487C75CA | KW1B5206BDC | Win64/SprySOCKS.A | Encrypted SprySOCKS RawWNPF driver. |
| 6490B8E4AADE25A3EE2D | X1B5206BDC1 | Win64/SprySOCKS.A | Encrypted container of the encrypted WIN_DRV variant of the SprySOCKS backdoor and the encrypted SprySOCKS RawWNPF and SprySOCKS DriverLoader drivers. |
| E7484C24B88A1A2407A8 | klelam00007 | Win64/Agent.CXZ, Win64/SprySOCKS.A, BAT/Runner.KS | ZIP archive from VirusTotal containing the WIN_DRV variant of SprySOCKS, along with all of the backdoor’s components; the clean binaries used for side-loading are included. |
| 621D1952839BE4B0A1B0 | tpsvcloc.dll | Win64/Agent.CXZ | SprySOCKS loader. |
| 2457EED2AB28E37741F1 | VSPMsg.dll | Win64/Agent.CXZ | First-stage loader responsible for launching the SprySOCKS loader. |
| D2C706B1EAF662BF0CE1 | N/A | Win64/SprySOCKS.A | WIN_PLUS variant of the SprySOCKS backdoor. |
| 5F3B87CEF56683D9A9E1 | N/A | Win64/Agent.CXZ | SprySOCKS loader. |
| C793CA31E3F6628B5C89 | config.dat | Win64/SprySOCKS.A | Encrypted container of the WIN_PLUS variant of the SprySOCKS backdoor and its loader. |
| 037DB2445F3D72388CB2 | N/A | BAT/Runner.KS | Batch script that persists the WIN_DRV variant of SprySOCKS. |
Network
| IP | Domain | Hosting provider | First seen | Details |
| 207.148.78[.]36 | N/A | IRT‑CHOOPALLC‑AP | N/A | C&C IP hardcoded in the SprySOCKS backdoor (WIN_PLUS variant). |
MITRE ATT&CK techniques
This table was built using version 19 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
| Reconnaissance | T1592.004 | Gather Victim Host Information: Client Configurations | SprySOCKS can collect information about the compromised system, including: computer name, OS version, information about memory and CPU, current privileges, system language and version, current time, and more. |
| | T1590.005 | Gather Victim Network Information: IP Addresses | SprySOCKS can collect information about the compromised system, including information about network interfaces and assigned IP addresses. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | FishMonger has developed custom malware for its operations, including the SprySOCKS backdoor. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SprySOCKS can launch an interactive cmd.exe command shell, which allows the attackers to execute commands remotely on the compromised machine. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | SprySOCKS uses a scheduled task to execute its loader on system start. |
| | T1569.002 | System Services: Service Execution | SprySOCKS abuses system services for both one-time and persistent execution. |
| | T1106 | Native API | FishMonger has used Windows APIs to execute code within a victim’s system. |
| Persistence | T1547.012 | Boot or Logon Autostart Execution: Print Processors | To achieve persistence, FishMonger installs its malicious loader as a print processor. |
| Privilege Escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | SprySOCKS can install itself as a debugger for the Virtual Disk Service by modifying HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger. |
| Stealth | T1205.002 | Traffic Signaling: Socket Filters | SprySOCKS uses the RawWNPF kernel driver to install packet filters capable of redirecting any inbound TCP traffic to the configured local port if a specific magic value is detected in the packet. |
| | T1134.002 | Access Token Manipulation: Create Process with Token | FishMonger uses CreateProcessAsUser to execute a new process with a token obtained from the print spooler service. |
| | T1622 | Debugger Evasion | SprySOCKS’s RawWNPF driver uses the KdDisableDebugger function to disable the kernel debugger, if active. |
| | T1140 | Deobfuscate/Decode Files or Information | The SprySOCKS loader decrypts the SprySOCKS backdoor from an encrypted file. Additionally, most of the strings in the SprySOCKS components are encrypted. |
| | T1070.004 | Indicator Removal: File Deletion | The SprySOCKS loader removes the original files from the deployment directory after copying them and establishing persistence. |
| | T1070.009 | Indicator Removal: Clear Persistence | The SprySOCKS loader removes a service registry value related to the previously installed malicious minifilter driver after executing the driver. |
| | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | SprySOCKS components use dynamic API resolution. |
| | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | SprySOCKS components are stored in an AES-encrypted file on the victim’s drive. |
| | T1055.013 | Process Injection: Process Doppelgänging | The SprySOCKS loader uses process doppelgänging to inject the backdoor into the svchost.exe process. |
| | T1014 | Rootkit | FishMonger uses the RawWNPF kernel driver, which serves as a rootkit responsible for hiding the SprySOCKS malicious activity. |
| | T1497 | Virtualization/Sandbox Evasion | SprySOCKS uses several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading | FishMonger uses DLL side-loading to execute the SprySOCKS backdoor. |
| Defense Impairment | T1562.004 | Disable or Modify System Firewall | SprySOCKS adds a firewall rule allowing any inbound traffic sent to the backdoor’s listening port. |
| Discovery | T1010 | Application Window Discovery | SprySOCKS retrieves the active foreground window title as part of its keylogging functionality. |
| | T1083 | File and Directory Discovery | SprySOCKS can collect file and directory listings from the compromised system. |
| | T1518.001 | Software Discovery: Security Software Discovery | SprySOCKS components check for the presence of security and sandboxing product libraries (snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, SbieDll.dll, and cmdvrt32.dll) in their own processes. |
| | T1082 | System Information Discovery | SprySOCKS can collect information about the compromised system, including: computer name, OS version, information about memory and CPU, current privileges, system language and version, current time, and more. |
| | T1614.001 | System Location Discovery: System Language Discovery | SprySOCKS can collect information about the compromised system, including the system language. |
| | T1007 | System Service Discovery | SprySOCKS can enumerate all services on the system. |
| | T1124 | System Time Discovery | SprySOCKS can collect information about the compromised system, including the current system time. |
| Collection | T1056.001 | Input Capture: Keylogging | SprySOCKS implements a keylogger. |
| | T1115 | Clipboard Data | SprySOCKS logs clipboard data, along with the captured keystrokes, as part of its keylogging functionality. |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding | SprySOCKS uses base64 encoding in its custom C&C communication protocol. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | SprySOCKS encrypts data sent to, and decrypts data received from, the C&C with 128-bit AES. |
| | T1008 | Fallback Channels | In addition to the TCP communication channel, SprySOCKS can contact its C&C using UDP and WebSocket channels. |
| | T1665 | Hide Infrastructure | SprySOCKS’s RawWNPF driver hides the backdoor’s active connections from being enumerated by network tools such as netstat.exe. |
| | T1571 | Non-Standard Port | SprySOCKS uses nonstandard ports to communicate with the C&C. |
| | T1095 | Non-Application Layer Protocol | SprySOCKS uses nonstandard protocols to communicate with the C&C. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | SprySOCKS can upload various files from the compromised system to the C&C. |


