FishMonger’s arsenal upgraded: SprySOCKS for Windows
ESET researchers have discovered SprySOCKS for Windows, FishMonger’s backdoor weaponizing a kernel driver for advanced stealthiness
ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I‑SOON. While we initially discovered the malware samples on VirusTotal, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, mostly government organizations.

The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS. Both come with a hardcoded C&C configuration and support communication over TCP, UDP, and WebSocket protocols. The core backdoor functionality of both includes support for over 30 C&C commands, covering system information collection, process enumeration, service management, and file management functions such as listing, creating, deleting, and transferring files. In addition to the core backdoor functionality, the WIN_DRV version utilizes kernel drivers to hide the malware’s network connections, processes, files, and registry keys, and enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor’s real listening port in the network traffic.

Based on ESET telemetry, there are limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly exploiting CVE‑2023‑24932. The analysis provided in this report leads us to attribute these new Windows variants to FishMonger with high confidence.

Key points of this blogpost:
- We discovered two previously undocumented Windows variants of FishMonger’s SprySOCKS backdoor.
- ESET telemetry shows activity between 2023 and 2024, primarily targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan.
- Both Windows variants support communication over TCP, UDP, and WebSocket protocols, and implement over 30 commands.
- The WIN_DRV variant creates a stealthy passive TCP backdoor, relying on a kernel driver to redirect traffic to the backdoor’s hidden TCP port whenever specially crafted data is detected inside a received TCP packet.

FishMonger profile

FishMonger – believed to be operated by a Chinese contractor named I‑SOON (see our Q4 2023–Q1 2024 APT Activity Report) – is a cyberespionage group that falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu. It is also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10. We published an analysis of FishMonger in early 2020, when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. The group is also known to operate watering-hole attacks, as reported by Trend Micro. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.

Technical analysis

In this section, we provide a technical analysis of these new Windows variants of FishMonger’s SprySOCKS backdoor. The archive that led us to this discovery was uploaded to VirusTotal in April 2024 under the name klelam00007.zip; its contents are shown in Figure 1. This archive contains various files, including legitimate ones used to host DLL side-loading, and three suspicious-looking, encrypted files with .dat extensions. Our subsequent analysis revealed that these encrypted files contain a new, previously undocumented Windows variant of FishMonger’s SprySOCKS backdoor, labeled WIN_DRV by its developers. Further investigation revealed an additional backdoor version, labeled WIN_PLUS, in ESET telemetry.

Initial access

FishMonger has been known for targeting the public-facing servers of its victims, often exploiting server-based N-day vulnerabilities, to gain initial access. While we were not able to confirm the exact way FishMonger got into its victims’ systems in this campaign, the presence of a server operating system on some of the victim devices, along with FishMonger’s typical modus operandi, suggests that the attackers may well have got in through misconfigured or unpatched public-facing applications.

SprySOCKS for Windows

In September 2023, Trend Micro published a report about a new FishMonger Linux backdoor that its analysts named SprySOCKS. The code of the backdoor is based on an open-source Windows remote access trojan (RAT) named Trochilus, and shares several common characteristics with the RedLeaves backdoor; nevertheless, it was extended and modified enough to be considered a new backdoor. In this report, we analyze two as-yet undisclosed Windows variants of SprySOCKS v1.8:
- One has been named WIN_DRV by its developers and uses a kernel driver for advanced stealth.
- Another, without the driver, is named WIN_PLUS.

As shown in Figure 2, the backdoor version type and number are hardcoded in the binary. The vast majority of artifacts and functionality present in the Linux version of the SprySOCKS backdoor introduced in Trend Micro’s report can also be found in the newly discovered Windows SprySOCKS variants described in this report. These include:
- the same C&C message format,
- very similar C&C commands (plus some additional ones),
- the same encryption keys and algorithms, and
- the use of the same statically linked networking library (HP-Socket).

For both of these new SprySOCKS variants, the core backdoor functionality involving C&C communication and available commands is very similar. The most notable differences can be spotted in the way the final backdoor is loaded, in the improved stealthiness, and in the component names and paths used. In the following subsections, we first analyze the components involved in the execution chain of the individual SprySOCKS variants, and then we describe the backdoor component, which is mostly the same for both variants.

WIN_DRV components

In an archive uploaded to VirusTotal, we discovered the WIN_DRV version of SprySOCKS, which comes with an empty C&C configuration. As a result, this version does not actively contact any remote addresses; however, it is still capable of launching a TCP server on a random port on the victim’s device, thus acting as a passive backdoor. Interestingly, the attackers don’t need to know this server’s TCP port number because, as explained later, the RawWNPF driver used by the WIN_DRV version allows silent diversion – to the backdoor itself – of TCP traffic received on any open port (more in the RawWNPF driver section).

As shown in Figure 1, the archive containing the WIN_DRV version of SprySOCKS contains several files:
- klelam00007.bat – a batch script responsible for persisting the backdoor. As shown in Figure 3, it:
  ○ copies all files from the current working directory into the %SystemRoot%\Fonts directory (to function properly, the batch file needs to be deployed in the same directory as the rest of the files from the archive), and
  ○ creates a scheduled task named ApphostRagistreationVerifier, configured to execute ApphostRagistreationVerifier.exe (a legitimate, validly signed executable, renamed by the attackers to mimic the legitimate Microsoft-signed AppHostRegistrationVerifier.exe) with NT AUTHORITY\SYSTEM privileges on every system start. The attackers use the well-known DLL side-loading technique, taking advantage of the way Windows loads DLLs, to load their own malicious DLL (in this case tpsvcloc.dll) by using a legitimate, signed application. To be specific, in this case the attackers use the Malware Sideloading via MFC Satellite DLLs technique (note the loc string in the tpsvcloc.dll filename),
- ApphostRagistreationVerifier.exe – a legitimate, signed executable of ThinPrint’s AutoConnect printer creation service (SHA‑1: FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7) that loads the tpsvc.dll library,
- tpsvc.dll – a legitimate, signed library that loads the tpsvcloc.dll library,
- tpsvcloc.dll – the SprySOCKS backdoor loader,
- X1B5206BDC1743DD.dat – an encrypted container comprising the SprySOCKS backdoor and copies of the next two files,
- KX1B5206BDC1743DD.dat – DriverLoader, an encrypted kernel driver responsible for loading another kernel driver from KW1B5206BDC1743FP.dat, and
- KW1B5206BDC1743FP.dat – RawWNPF, an encrypted kernel driver responsible for hiding the backdoor’s files and network activity.

Figure 4 depicts the execution chain of the SprySOCKS WIN_DRV variant. The following three subsections provide technical analyses of the aforementioned components: the SprySOCKS loader, the DriverLoader driver, and the RawWNPF driver.

SprySOCKS loader

The loader starts with initial checks for the presence of a virtual environment and a few security products. It looks for specific libraries (namely snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, and SbieDll.dll) in the loader’s process, and exits if it finds any of them. As the next step, it verifies whether persistence was set successfully by the klelam00007.bat script from Figure 3. To do so, it checks whether the current loader’s image was loaded from the %SystemRoot%\Fonts\ directory, and tries to access the %SystemRoot%\Fonts\X1B5206BDC1743DD.dat, %SystemRoot%\Fonts\tpsvc.dll, and %SystemRoot%\Fonts\tpsvcloc.dll files. If it finds that any of these files are not where they are supposed to be, it sets up persistence on its own by:
- copying X1B5206BDC1743DD.dat, tpsvc.dll, tpsvcloc.dll, and ApphostRagistreationVerifier.exe from the current working directory into the %SystemRoot%\Fonts\ directory,
- registering the %SystemRoot%\Fonts\ApphostRagistreationVerifier.exe application as a debugger for vds.exe (the Virtual Disk Service, which can be automatically executed on system start) by writing the application’s path into the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger, and
- dropping the affair-build.bat file into the %SystemRoot%\Fonts\ directory and then executing it via cmd.exe. This script, shown in Figure 5, clears tra
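As an added defender-side example (not code from ESET or from the report), the following Python checks host data for the persistence artifacts described above: an IFEO Debugger value for vds.exe pointing into %SystemRoot%\Fonts, non-font files in that directory, and task or file names that imitate AppHostRegistrationVerifier. The registry values and directory listing it consumes are assumed to be collected separately (for example from a registry export and a `dir` listing); the install path C:\Windows and the font extension allow-list are assumptions.

```python
r"""Hunt for the WIN_DRV persistence artifacts described above: an IFEO
Debugger value for vds.exe pointing into %SystemRoot%\Fonts, non-font files
in that directory, and task or file names imitating a Microsoft name."""
import difflib
import ntpath

SYSTEM_ROOT = r"C:\Windows"          # assumed install location of the host
FONTS_DIR = SYSTEM_ROOT + r"\Fonts"
IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# file types that legitimately live in the Fonts directory (a starting allow-list)
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon", ".fnt", ".pfb", ".pfm"}
# legitimate name that the attackers' misspelling imitates
LEGIT_NAMES = ("AppHostRegistrationVerifier",)


def suspicious_ifeo_debuggers(ifeo_values):
    """ifeo_values maps '<IFEO_ROOT>\\<image>\\Debugger' to its data
    (collected separately, e.g. from a registry export).
    Returns (image, debugger_path) pairs whose debugger lives under Fonts."""
    hits = []
    for key, data in ifeo_values.items():
        if not key.lower().startswith(IFEO_ROOT.lower() + "\\"):
            continue
        image = key[len(IFEO_ROOT) + 1:].split("\\")[0]
        path = data.strip('"')
        if path.lower().startswith("%systemroot%"):          # expand as Windows would
            path = SYSTEM_ROOT + path[len("%systemroot%"):]
        if ntpath.normpath(path).lower().startswith(FONTS_DIR.lower() + "\\"):
            hits.append((image, path))
    return hits


def non_font_files(listing):
    """Return names from a Fonts directory listing that are not font files."""
    return sorted(n for n in listing
                  if ntpath.splitext(n)[1].lower() not in FONT_EXTENSIONS)


def lookalike_names(names, legit=LEGIT_NAMES, threshold=0.85):
    """Flag task or file names that nearly, but not exactly, match a
    legitimate name (case-insensitive), e.g. ApphostRagistreationVerifier."""
    hits = []
    for name in names:
        stem = ntpath.splitext(name)[0].lower()
        for good in legit:
            ratio = difflib.SequenceMatcher(None, stem, good.lower()).ratio()
            if stem != good.lower() and ratio >= threshold:
                hits.append((name, good))
    return hits
```

The three functions are independent, so each can be fed the output of whatever collection step is available (a registry export, a directory listing, or a scheduled-task inventory).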