0.4 C
Canberra
Saturday, July 18, 2026

FishMonger’s arsenal upgraded: SprySOCKS for Home windows


ESET researchers have found two as-yet undocumented Home windows variants of SprySOCKS, a beforehand Linux-only backdoor reportedly utilized by FishMonger, the group believed to be operated by a Chinese language contractor named I‑SOON. Whereas we initially found the malware samples on VirusTotal, ESET telemetry exhibits actual exercise between 2023 and 2024, with a number of victims in Honduras, Taiwan, Thailand, and Pakistan, focusing on principally authorities organizations.

The Home windows variants found are internally marked as WIN_DRV and WIN_PLUS. Each include a hardcoded C&C configuration and assist communication over TCP, UDP, and WebSocket protocols. The core backdoor performance for each consists of assist for over 30 C&C instructions, overlaying varied functionalities together with system info assortment, course of enumeration, in addition to service administration and file administration features comparable to itemizing, creating, deleting, and transferring information.

Along with the core backdoor performance, the WIN_DRV model makes use of kernel drivers to cover the malware’s community connections, processes, information, and registry keys, and permits TCP site visitors diversion permitting the malware operators to ship instructions to the backdoor via a random TCP port on the sufferer’s system with out exposing the backdoor’s actual listening port within the community site visitors.

Primarily based on ESET telemetry, there are restricted indications that some SprySOCKS assault eventualities might contain a UEFI bootkit element, presumably exploiting CVE‑2023‑24932.

The evaluation supplied on this report leads us to attribute these new, Home windows variants to FishMonger with excessive confidence.

Key factors of this blogpost:

  • We found two beforehand undocumented Home windows variants of FishMonger’s SprySOCKS backdoor.
  • ESET telemetry exhibits exercise between 2023 and 2024, primarily focusing on authorities organizations in Honduras, Taiwan, Thailand, and Pakistan.
  • Each Home windows variants assist communication over TCP, UDP, and WebSocket protocols, and implement over 30 instructions.
  • The WIN_DRV variant creates a stealthy passive TCP backdoor, counting on a kernel driver to redirect site visitors to the backdoor’s hidden TCP port at any time when specifically crafted knowledge is detected inside a acquired TCP packet.

FishMonger profile

FishMonger – believed to be operated by a Chinese language contractor named I‑SOON (see our This fall 2023–Q1 2024 APT Exercise Report) – is a cyberespionage group that falls below the Winnti Group umbrella and is almost definitely working out of China, from the town of Chengdu. It is usually often called Earth Lusca, TAG-22, Aquatic Panda, or Purple Dev 10. We revealed an evaluation of FishMonger in early 2020 when it closely focused universities in Hong Kong in the course of the civic protests that began in June 2019. The group can be recognized to function watering-hole assaults, as reported by Pattern Micro. FishMonger’s toolset consists of ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.

Technical evaluation

On this part, we offer a technical evaluation of those new, Home windows variants of FishMonger’s SprySOCKS backdoor.

The archive that led us to this discovery was uploaded to VirusTotal in April 2024 below the title klelam00007.zip; its contents are proven in Determine 1.

Figure 1. Contents of klelam00007.zip as displayed on VirusTotal
Determine 1. Contents of klelam00007.zip as displayed on VirusTotal

This archive comprises varied information, together with respectable ones used to host DLL side-loading, and three suspicious-looking, encrypted information with .dat extensions. Our subsequent evaluation revealed that these encrypted information comprise a brand new, beforehand undocumented Home windows variant of FishMonger’s SprySOCKS backdoor, labeled WIN_DRV by its builders. Additional investigation revealed a further backdoor model, labeled WIN_PLUS, in ESET Telemetry.

Preliminary entry

FishMonger has been recognized for focusing on the public-facing servers of its victims, usually exploiting server-based N-day vulnerabilities, to realize preliminary entry. Whereas we weren’t capable of affirm the precise means FishMonger acquired into its victims’ techniques on this marketing campaign, the presence of a server working system on a number of the sufferer gadgets together with FishMonger’s typical modus operandi counsel that the attackers might effectively have gotten in via misconfigured or unpatched public-facing functions.

SprySOCKS for Home windows

In September 2023, Pattern Micro revealed a report a couple of new FishMonger Linux backdoor that its analysts named SprySOCKS. The code of the backdoor is predicated on an open-source Home windows distant entry trojan (RAT) named Trochilus, and shares a number of widespread traits with the RedLeaves backdoor; nonetheless, it was prolonged and modified sufficient to be thought of a brand new backdoor. On this report, we analyze two as but undisclosed Home windows variants of v1.8 of SprySOCKS:

  • One has been named WIN_DRV by its builders and makes use of a kernel driver for superior stealth.
  • One other, with out the driving force, is called WIN_PLUS.

As proven in Determine 2, the backdoor model kind and quantity are hardcoded within the binary.

Figure 2. Version type and number hardcoded in WIN_DRV and WIN_PLUS
Determine 2. Model kind and quantity hardcoded in WIN_DRV (left) and WIN_PLUS (proper) Home windows SprySOCKS backdoor variants

The overwhelming majority of artifacts and performance current within the Linux model of the SprySOCKS backdoor launched in Pattern Micro’s report may also be discovered within the newly found Home windows SprySOCKS variants described on this report. These embrace:

  • the identical C&C message format,
  • very comparable C&C instructions (plus some extra ones),
  • the identical encryption keys and algorithms, and
  • the usage of the identical statically linked networking library (HP-Socket).

For each of those new SprySOCKS variants, the core backdoor performance involving C&C communication and accessible instructions could be very comparable. Essentially the most notable variations may be noticed in the way in which the ultimate backdoor is loaded, within the improved stealthiness, and within the element names and paths used.

Within the following subsections, we first analyze parts concerned within the execution chain of particular person SprySOCKS variants, after which we describe the backdoor element, which is usually the identical for each variants.

WIN_DRV parts

In an archive uploaded to VirusTotal, we found the WIN_DRV model of SprySOCKS, which comes with an empty C&C configuration. Consequently, this model doesn’t actively contact any distant addresses; nevertheless, it’s nonetheless able to launching a TCP server on a random port on the sufferer’s system, thus appearing as a passive backdoor. Curiously, the attackers don’t have to know this server’s TCP port quantity as a result of, as defined later, the RawWNPF driver utilized by the WIN_DRV model permits silent diversion – to the backdoor itself – of TCP site visitors acquired on any open port (extra within the RawWNPF driver part).

As proven in Determine 1, the archive containing the WIN_DRV model of SprySOCKS comprises a number of information:

  • klelam00007.bat – a batch script answerable for persisting the backdoor. As proven in Determine 3, it:

copies all information from the present working listing into the %SystemRootpercentFonts listing (to perform correctly, the batch file must be deployed in the identical listing as the remainder of the information from the archive),

creates a scheduled job named ApphostRagistreationVerifier, configured to execute ApphostRagistreationVerifier.exe (which is a respectable, validly signed executable, renamed by the attackers to imitate the respectable Microsoft-signed AppHostRegistrationVerifier.exe) with NT AUTHORITYSYSTEM privileges on each system begin. The attackers use the well-known DLL side-loading approach, making the most of the way in which Home windows masses DLLs, to load their very own malicious DLL (on this case tpsvcloc.dll) through the use of a respectable, signed software. To be particular, on this case the attackers use Malware Sideloading by way of MFC Satellite tv for pc DLLs approach (be aware the loc string within the tpsvcloc.dll filename),

  • ApphostRagistreationVerifier.exe – a respectable, ThinPrint’ AutoConnect printer creation service signed executable (SHA‑1: FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7) that masses the tpsvc.dll library,
  • tpsvc.dll – a respectable, signed library that masses the tpsvcloc.dll library,
  • tpsvcloc.dll – the SprySOCKS backdoor loader,
  • X1B5206BDC1743DD.dat – an encrypted container comprising the SprySOCKS backdoor and copies of the following two information,
  • KX1B5206BDC1743DD.dat – DriverLoader, an encrypted kernel driver answerable for loading one other kernel driver from KW1B5206BDC1743FP.dat, and
  • KW1B5206BDC1743FP.dat – RawWNPF, an encrypted kernel driver answerable for hiding the backdoor’s information and community exercise.
Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor
Determine 3. klelam00007.bat establishing persistence for the SprySOCKS backdoor (newlines added for readability)

Determine 4 depicts the execution chain of the SprySOCKS WIN_DRV variant.

Figure 4. Execution chain of the SprySOCKS WIN_DRV variant
Determine 4. Execution chain of the SprySOCKS WIN_DRV variant

The next three subsections present technical analyses of the aforementioned parts: SprySOCKS loader, DriverLoader driver, and RawWNPF driver.

SprySOCKS loader

The loader begins with preliminary checks for the presence of a digital setting and some safety merchandise. It appears for particular libraries (particularly: snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, and SbieDll.dll) within the loader’s course of, and exits if it finds any of them.

As the following step, it verifies whether or not persistence was set efficiently by the klelam00007.bat script, from Determine 3. To take action, it checks whether or not the present loader’s picture was loaded from the %SystemRootpercentFonts listing, and tries to entry the %SystemRootpercentFontsX1B5206BDC1743DD.dat, %SystemRootpercentFonts‌tpsvc.dll, and %SystemRootpercentFontstpsvcloc.dll information. If it finds that any of those information should not the place they’re presupposed to be, it units up persistence by itself by:

  • copying X1B5206BDC1743DD.dat, tpsvc.dll, tpsvcloc.dll, and ApphostRagistreationVerifier.exe from the present working listing into the %SystemRootpercentFonts listing,
  • registering the %SystemRootpercentFontsApphostRagistreationVerifier.exe software as a debugger for vds.exe (a Digital Disk Service that may be robotically executed on system begin) by writing the appliance’s path into the registry worth HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exedebugger, and
  • dropping the affair-build.bat file into the %SystemRootpercentFonts listing after which executing it by way of cmd.exe. This script, proven in Determine 5, clears traces of this course of by eradicating information from the deployment listing and executing the malware once more (now from %SystemRootpercentFonts) by restarting the vds service.
Figure 5. affair-build.bat executed by the SprySOCKS loader
Determine 5. affair-build.bat executed by the SprySOCKS loader

When persistence is ready, the loader continues with loading payloads from an encrypted container positioned at %SystemRootpercentFontsX1B5206BDC1743DD.dat. The decryption algorithm and key: 128-bit AES in ECB mode with the hardcoded key uXQLESMXGaRMs6BL.

This produces shellcode generated by the DllToShellCode open-source device. Earlier than executing the shellcode, it extracts the remainder of the encrypted payloads from the container into separate information:

  • %SystemRootpercentFontsKX1B5206BDC1743DD.dat
  • %SystemRootpercentFontsKW1B5206BDC1743FP.dat

When executed, the loader spawns a brand new svchost.exe course of utilizing CreateProcessAsUserW with a token obtained from spoolsv.exe, and injects the backdoor’s shellcode into the method through the use of the course of doppelgänging approach. In the course of the injection course of, the shellcode is dropped into a brief file, utilizing the prefix TH in its filename, inside the %TEMP% listing.

Because the final step, the loader proceeds to decrypt and execute DriverLoader, a kernel driver hidden contained in the beforehand dropped KX1B5206BDC1743DD.dat file. DriverLoader is first decrypted, then the decrypted contents are saved to C:WindowsSystem32driversfsdiskbit.sys. To execute it, the loader installs this driver as a minifilter driver by manually creating a brand new service registry key named msidiskserver with an ImagePath worth pointing to the dropped driver (as proven in Determine 6) and invokes the NtLoadDriver Home windows API perform with the registry key because the parameter to load it. If no errors are detected, the loader deletes each the msidiskserver registry key and the fsdiskbit.sys file. After this, the loader is finished and exits.

Figure 6. Service registry key created by the SprySOCKS WIN_DRV loader
Determine 6. Service registry key created by the SprySOCKS WIN_DRV loader
DriverLoader driver

Earlier than leaping to DriverLoader’s performance, one necessary be aware: with the discharge of Home windows Vista, Microsoft launched driver signature enforcement (DSE), a function guaranteeing that solely validly signed kernel-mode parts are allowed to be executed within the Home windows kernel. Which means to execute the fsdiskbit.sys driver (DriverLoader), attackers have to signal it with a trusted certificates.

To make the driving force work on a minimum of some outdated or misconfigured techniques, the attackers used a leaked certificates accessible on GitHub within the PastDSE venture repository, and signed the fsdiskbit.sys driver with it. Details about the certificates used may be present in Determine 7.

Figure 7. DriverLoader’s code-signing certificate
Determine 7. DriverLoader’s code-signing certificates

Now to the performance. The aim of this element is kind of easy: to load one other driver, this time in reminiscence solely. First, it reads and decrypts the contents of the C:WindowsFontsKW1B5206BDC1743FP.dat file, beforehand created by the loader. It makes use of the identical algorithm and key as utilized by the loader: 128-bit AES in ECB mode with the important thing uXQLESMXGaRMs6BL. The decrypted knowledge comprises a local PE binary (described within the RawWNPF driver part), which is then manually mapped and its entry level executed.

There’s the PDB path embedded within the DriverLoader binary:

C:UsersxddDesktop今天2023-4-112023‑04‑10__注册表驱动加载功能__集成到内测3中-未完成DriverMemoryLoadDriverx64ReleaseDriverMemoryLoadDriver.pdb

The components in simplified Chinese language machine translate as:

  • 今天: Right this moment
  • 注册表驱动加载功能__集成到内测3中-未完成: Registry driver loading function__is built-in into inner beta 3-not accomplished

As we are able to see within the symbols path, this element appears to have been in improvement a minimum of since April 2023, which aligns with DriverLoader’s compilation timestamp. Equally, strings within the path counsel that the venture this driver is a part of was possible nonetheless in improvement when the driving force was compiled.

RawWNPF driver

The RawWNPF driver is the element that makes the WIN_DRV model of the SprySOCKS backdoor a lot stealthier when in comparison with the WIN_PLUS variant. It permits hiding the backdoor’s malicious exercise on the compromised system, and may be configured by invoking the driving force’s customized I/O management codes (IOCTLs). The driving force creates a tool driver named DeviceRawWNPF; a listing of the accessible IOCTLs, with brief descriptions, is proven in Desk 1.

Desk 1. Checklist of IOCTLs dealt with by the RawWNPF driver

IOCTL Description
0x220200 Configure the driving force to cover energetic community connections to and from the desired native TCP port.
0x220300 Unhide the community connections configured with 0x220200.
0x220340 Insert an entry into the hidden connections record.
0x220344 Take away an entry from the hidden connections record.
0x220348 Wipe the entire hidden connections record.
0x22034C Learn the hidden connections record.
0x220350 Insert a course of with a specified PID into the hidden processes record.
0x220354 Take away a course of with a specified PID from the hidden processes record.
0x220358 Wipe the entire hidden processes record.
0x22035C Learn the hidden processes record.
0x222000 Initialize the driving force’s most important features (hiding community connections, hiding processes, hiding malware parts, community filters, persistence safety). After this initialization, different IOCTLs can be utilized to configure what precisely needs to be hidden.
0x222004 Returns two hardcoded DWORD values: 1 and 2. This presumably could possibly be the driving force’s model.
0x222008 Delete the driving force’s binary (if it exists).
Hiding specified processes

The RawWNPF driver may be configured to cover processes primarily based on their course of IDs, and a listing of hidden processes may be managed by invoking the driving force’s IOCTLs 0x220358, 0x22035C, 0x220354, and 0x220350. To cover a course of, the driving force hooks execution of the NtQuerySystemInformation system name and modifies its output if details about working processes is being retrieved (i.e., if SystemProcessInformation is handed to the SystemInformationClass parameter). If any of the processes retrieved by this API perform match a course of from the driving force’s record of hidden processes, the driving force removes this course of from the perform’s output. The best way the kernel driver hooks the NtQuerySystemInformation system name appears to be closely primarily based on supply code from the InfinityHookPro venture.

Hiding community exercise

The driving force may be configured to cover particular energetic connections (with a specified IP, port, or mixture of each) in order that they received’t be listed within the output of widespread community administration instruments comparable to netstat.exe. That is achieved by a well known approach (e.g., [1], [2], [3], … ), the place attackers hook IoCompletionRoutine for IOCTL 0x12001B contained in the DeviceIoControl perform of the nsiproxy.sys Home windows kernel driver. The code inside nsiproxy’s 0x12001B IOCTL handler is answerable for retrieving the record of energetic connections, and hooking its IoCompletionRoutine permits attackers to stroll via the retrieved record, examine for the presence of particular ports, addresses, or each, and conceal the precise connection within the record if a match is discovered. Determine 8 exhibits the hook perform answerable for hiding community connections.

Figure 8. Hex-Rays decompilation of nsiproxy’s IoCompletionRoutine hook
Determine 8. Hex-Rays decompilation of nsiproxy’s IoCompletionRoutine hook answerable for hiding community connections

Along with the hiding of energetic community connections, the driving force comprises an fascinating performance permitting it to divert TCP packets acquired on any open TCP port, to the desired TCP port configured by the IOCTL 0x220200 (it’s really the port of the SprySOCKS backdoor’s TCP server), however solely within the case that the TCP knowledge acquired comprises specifically crafted knowledge. To attain this, the driving force registers its personal packet filter objects utilizing Home windows Filtering Platform (WFP) API features, manually parses contents of transferred IPv4 packets (each inbound and outbound site visitors is inspected), and proceeds to divert the site visitors if the specifically crafted knowledge is detected inside a acquired TCP packet knowledge. The aim of this function appears to be primarily a functionality to contact the malicious backdoor with out the necessity to embed a C&C deal with contained in the binary. Moreover, regardless that such diverted site visitors may be inspected utilizing instruments comparable to Wireshark, the actual port (the one the site visitors is diverted to) isn’t revealed; thus it may be troublesome to research the actual vacation spot for this malicious site visitors.

Put in packet filters, together with their figuring out info, are listed in Desk 2.

Desk 2. WFP filter objects registered by the RawWNPF driver

Filter layer title Filter object title and GUID Filter object callout title and GUID
Inbound IP Packet v4 Layer Supply Optimization (TCP-In)
{E980088D-BE44-4057-8E5C-C7FDF8968795}
COInbound
{DE0D7F67-94ED-4DDB-8215-9C028B54661B}
Outbound IP Packer v4 Layer Supply Optimization (TCP-Out)
{33F76397-DBCB-445E-8EC3-AA51ED302D15}
COOutbound
{8280DDF3-7489‑4402-B9D8-96B50912346B}
ALE Join v4 Layer Supply Optimization (TCP-In)
{5746AF70-2917‑4861-97E6-D5E4DD569F2D}
COAuthConnect
{A33E1AA8-9B0F-44A3-B24A-AEB04CA54C3B}
ALE Pay attention v4 Layer Supply Optimization (TCP-In)
{7CB4DFB4-0D20-402D-A49D-BA9660D026E6}
COAuthListen
{40045FAF-6BAE-4B48-9119‑31B48FFEA629}
ALE Obtain/Settle for v4 Layer Supply Optimization (TCP-In)
{2C1AB6EF-0B65-4634‑8666-BCB2CF9C72E9}
COAuthAccept
{DDFE5189‑389F-437F-9B92-59495ED2181A}
ALE ResourceAssignment v4 Layer Supply Optimization (TCP-In)
{B4AE248F-98D5-446F-88EB-14CF605AE722}
COAuthResAssignment
{FE570356-A1A9-413C-94CC-BD6C448E9969}
Hiding the backdoor’s information

The driving force hides/protects the SprySOCKS backdoor’s information by registering itself as a minifilter driver, and putting in the next callbacks:

  • pre-operation callback triggered on each IRP_MJ_CREATE I/O request and answerable for returning STATUS_NO_SUCH_FILE on each try to create or open a file or a listing from the driving force’s record of hidden/protected information,
  • pre-operation callback triggered on each IRP_MJ_DIRECTORY_CONTROL I/O request and answerable for filtering out non-directory-enumeration associated requests, in order that solely those associated to listing enumeration are handed to the post-operation callback, and
  • post-operation callback triggered on IRP_MJ_DIRECTORY_CONTROL I/O requests that handed pre-operation callback checks. This callback is answerable for eradicating entries of hidden/protected information from any listing itemizing makes an attempt.

The next hardcoded record of filenames are protected by the driving force:

  • SystemRootFontstpsvc.dll
  • SystemRootFontstpsvcloc.dll
  • SystemRootFontsApphostRagistreationVerifier.exe
  • SystemRootFontsX1B5206BDC1743DD.dat
  • SystemRootFontsKX1B5206BDC1743DD.dat
  • SystemRootFontsKW1B5206BDC1743FP.dat
Defending persistence

The driving force calls CmRegisterCallbackEx to put in a RegistryCallback routine answerable for hiding the registry key used for the SprySOCKS loader’s persistence: HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exe. Consequently, all makes an attempt to open or enumerate the important thing are filtered out by the driving force.

WIN_PLUS parts

Within the SprySOCKS WIN_PLUS model, we first found the malicious encrypted container in our telemetry, with the primary hit relationship again to July 2024 discovered on the system of a sufferer in Pakistan. It contained the SprySOCKS backdoor and the SprySOCKS loader. The C&C configuration was current and is proven in Determine 9.

Figure 9. C&C configuration from the WIN_PLUS version of SprySOCKS
Determine 9. C&C configuration from the WIN_PLUS model of SprySOCKS

The encrypted container was positioned on the following path on the compromised system:

C:WindowsSystem32spooldriverscolorconfig.dat

When decrypted, the container comprises a SprySOCKS loader and the SprySOCKS backdoor itself. Additional evaluation of the SprySOCKS backdoor from the container confirmed that, on this case, there gave the impression to be a further element answerable for loading the SprySOCKS loader from the encrypted container. This element – referenced to because the first-stage loader on this evaluation – needs to be put in as a print processor below the next registry key:

HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsVSPMsg

Curiously, after we searched our telemetry for something associated to this VSPMsg string, we found a file deployed on two completely different sufferer gadgets from Honduras at C:WindowsSystem32spoolprtprocsx64VSPMsg.dll. This file turned out to be the first-stage loader answerable for executing the SprySOCKS loader from the aforementioned config.dat file.

An execution diagram of the SprySOCKS WIN_PLUS variant is illustrated in Determine 10.

Figure 10. SprySOCKS WIN_PLUS variant execution scheme
Determine 10. SprySOCKS WIN_PLUS variant execution scheme
First-stage loader

This loader begins by checking whether or not it was executed by spoolsv.exe, and exits if not; this hides its habits from automated malware evaluation sandboxes, because the loader is meant to be run as a print processor. It continues decrypting the SprySOCKS loader from the encrypted container C:WindowsSystem32spooldrivers‌colorconfig.dat. First it 128-bit AES-ECB decrypts the loader with the hardcoded key uXQLESMXGaRMs6BL, then injects it into the newly created svchost.exe course of by way of course of doppelgänging. In the meantime, the SprySOCKS loader is dropped into a brief file, with a filename prefix of TH, inside the %TEMP% listing.

The pattern exports two features:

  • GetErrorMessageModule
  • SetErrorMessageModule

Whereas the SetErrorMessageModule perform doesn’t do something, the GetErrorMessageModule perform is supposed for use to set persistence for the loader itself. When executed, it registers the loader as a print processor by creating the HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsVSPMsg registry key, setting the Driver registry worth to VSPMsg.dll, and copying the hardcoded C:ProgramDataMicrosoft EventPFsVSPMsg.dll to the C:WindowsSystem32spoolprtprocsx64 listing. As the following step, it copies the encrypted container from C:ProgramDataMicrosoft EventPFsconfig.dat to C:WindowsSystem32spooldriverscolorconfig.dat and, when executed, it generates and drops the affair-build.bat batch script into the C:WindowsSystem32spooldriverscolor listing and executes it. As proven in Determine 11, this script’s goal is to cowl the loader’s tracks by eradicating the information within the authentic deployment listing, and triggering execution of the newly put in print processor by restarting the print spooler service.

Figure 11. affair-build.bat batch script used by the first-stage SprySOCKS WIN_PLUS loader
Determine 11. affair-build.bat batch script utilized by the first-stage SprySOCKS WIN_PLUS loader
SprySOCKS loader

This loader begins by making a mutex with the hardcoded title fqwhi2d1qaz2, after which proceeds to loading the SprySOCKS backdoor from the encrypted container positioned at C:WindowsSystem32spooldriverscolor‌config.dat. It 128-bit AES-ECB decrypts the backdoor with the hardcoded key uXQLESMXGaRMs6BL, then injects it into the newly created svchost.exe course of by way of course of doppelgänging. In the meantime, the SprySOCKS loader is dropped into a brief file, with a filename prefix of TH, inside the %TEMP% listing.

SprySOCKS backdoor

Lastly, we proceed to our evaluation of the SprySOCKS backdoor itself. In each variants, WIN_DRV and WIN_PLUS, the backdoor performance is nearly the identical, and the variations are solely within the particular file paths used, registry keys used, and as already talked about, the WIN_PLUS model doesn’t use the RawWNPF driver for superior stealthiness.

Each variants analyzed on this report are DLLs with the unique title PrcsServer.dll, exporting a perform named Cease. They create a mutex named prcs-server-run at first and proper after that proceed to the initialization of the backdoor’s most important performance, which incorporates initialization and launching of C&C communication channels (primarily based on the hardcoded configuration) and establishing the keylogger. Along with these actions, the WIN_DRV backdoor model initializes the RawWNPF driver by invoking its 0x222000 IOCTL handler, after which hides its personal course of by invoking the driving force’s 0x220350 IOCTL.

Keylogging is activated provided that there may be an current INI file at %appdatapercentMicrosoftVaultlgf.dat that comprises a config part with a property named key that’s set to 1. If these situations are met, each backdoors create a mutex named International{DCAA7ED8-521B-4EAB-BE21-65254CF59239} and periodically log clipboard knowledge together with the energetic window title and keystrokes into the file %appdatapercentMicrosoftVaultlg.dat. The info within the file is encrypted utilizing a single-byte XOR cipher with the important thing 0x44.

C&C communication

The backdoor helps three protocols for communication with the C&C – TCP, UDP, and WebSocket – and might act as each shopper and server. The networking-related performance is closely primarily based on the HP-Socket networking framework, and a few cryptography features have been applied utilizing the Crypto++ library.

The C&C configuration is embedded within the backdoor, and might comprise:

  • as much as three IP addresses and related ports, every specifying a C&C IP deal with and its port for one of many communication channels (TCP, UDP, or WebSocket), and
  • as much as three port numbers, every specifying a port the backdoor ought to pay attention on for brand new connections. One is used for a TCP server, one for a UDP server, and one for a WebSocket server.

An instance configuration from the WIN_PLUS model is proven in Determine 9 and it comprises:

  • The C&C deal with and port for the TCP communication channel: 207.148.78[.]36:443.
  • The C&C deal with and port for the UDP communication channel: 207.148.78[.]36:53.
  • The C&C deal with and port for the WebSocket communication channel: 207.148.78[.]36:80.
  • The backdoor’s TCP server listening port: 53781.

Earlier than initiating any connections or beginning a server, the SprySOCKS WIN_DRV model hides any connections from/to the addresses or ports from the configuration by invoking the RawWNPF driver’s IOCTLs 0x220340 and 0x220200. Consequently, these connections received’t be listed in output of instruments comparable to netstat.exe, regardless of being energetic. As well as, each backdoor variations execute the netsh.exe utility twice:

netsh.exe netsh advfirewall firewall delete rule title=”Core Networking – Packet Too Large(ICMPv6 – In)”

netsh advfirewall firewall add rule title=”Core Networking – Packet Too Large(ICMPv6 – In)” dir=in motion=enable protocol=tcp localport=53781

The primary command deletes a specified firewall rule, and the second provides a brand new firewall rule of the identical title because the one simply deleted, permitting all inbound TCP site visitors despatched to the backdoor’s TCP server port specified within the configuration.

If the C&C configuration is empty (as within the case of the WIN_DRV model we found on VirusTotal), the backdoor begins a TCP server that listens on a random port on the compromised machine and in addition hides this port by invoking the RawWNPF driver’s IOCTL 0x220200. This invocation not solely hides the TCP server from being listed in customary networking instruments’ output, but additionally prompts the TCP-diverting function supplied by the RawWNPF driver. This function permits attackers to ship instructions to the backdoor with out realizing the actual port the backdoor listens on, just by sending specifically crafted TCP knowledge to any open TCP port on the sufferer’s machine.

For the TCP communication channel, the C&C protocol appears to stay the identical as within the Linux model analyzed in Pattern Micro’s report. Every time earlier than sending the precise backdoor’s knowledge, it sends a 12-byte header containing the 32-bit CRC of the remainder of the header, a DWORD magic worth 0xACACBCBC, and a DWORD specifying the scale of the information that follows the header.

For the UDP and WebSocket channels, the magic values are completely different, and so are the message header format and measurement. For the UDP channel, the magic worth is 0xACACBFBC and it’s positioned at offset 0x1C in a 36-byte header, adopted by a DWORD specifying the scale of the information that follows. Within the WebSocket channel, the magic worth 0x1BDCCBAA is used as a Masking-Key within the WebSocket header. Determine 12 exhibits a community site visitors seize with the magic values for every of the communication channels.

Figure 12. SprySOCKS network-traffic capture showing the magic values
Determine 12. SprySOCKS network-traffic seize displaying the magic values utilized in TCP, UDP, and WebSocket (from prime to backside, respectively) C&C communication channels

Following the header is, once more, a 32-bit CRC, then the WORD worth 0x0003 (possible indicating the encryption methodology), adopted by 128-bit AES-ECB mode encrypted knowledge (utilizing the hardcoded key QFTHEYjzX3RBOMgZ) that has been base64 encoded.

An instance of a C&C message earlier than and after decoding and decryption is proven in Determine 13.

Figure 13. Example SprySOCKS C&C message
Determine 13. Instance SprySOCKS C&C message as seen in Wireshark (left), and its contents after decoding and decryption (proper)

The __msgid worth within the decrypted C&C message is used to specify a command, recognized by a message ID, that needs to be executed by the backdoor. The record of message IDs supported by the backdoor, together with their description, may be present in Desk 3. Word that we haven’t analyzed all these instructions in depth; subsequently, some descriptions are only a tough overview of the a part of the code/performance the message ID is said to.

Desk 3. SprySOCKS C&C instructions; descriptions marked with * are tentative assessments

Message ID Description
0x09 Accumulate shopper (sufferer) system info, together with: laptop title, OS model, community adapter info, details about reminiscence, CPU info, present privileges, system language and model, present time, and the backdoor model (1.8) and model kind (WIN_DRV or WIN_PLUS).
0x0A Begin an interactive console.
0x0B Write into the interactive console.
0x0D Cease the interactive console.
0x0E Specify a further communication channel (don’t begin the channel). Prone to specify a further backup C&C.
0x0F Ship C&C message to a unique goal.*
0x11 Enumerate all processes.
0x12 Enumerate modules of a course of specified by a PID.
0x13 Terminate a course of specified by a PID.
0x14 Shut all connections.
0x16 Get present communication channel info.
0x17 Specify extra communication channels (TCP, UDP, or WebSocket) and begin them.
0x19 Uninstall the backdoor and exit.
0x1E Enumerate all companies.
0x1F Configure StartType for a specified service.
0x20 Begin companies with a specified title.
0x21 Invoke the ControlService perform with a specified dwControl parameter.
0x22 Delete a specified service from the service supervisor. This doesn’t cease the service if it’s working.
0x23 Initialize SOCKS proxy.
0x24 Terminate SOCKS proxy.*
0x25 Ship knowledge via SOCKS proxy.
0x26 SOCKS proxy-related command.*
0x2A Add a specified file.*
0x2B File-transfer-related helper command.*
0x2C Obtain a specified file.*
0x2D File-transfer-related helper command.*
0x3C Enumerate free disk house.
0x3D Checklist information within the specified listing.
0x3E Delete a specified file.
0x3F Create a specified listing.
0x40 Rename a specified file.
0x41 Execute an current file.
0x42 Copy a specified file.
0x43 Checklist information from the Current Home windows directories for the logged-in consumer:
%APPDATApercentMicrosoftWindowsRecent
%APPDATApercentMicrosoftOfficeRecent

Community infrastructure

Just one C&C deal with has been found on this marketing campaign: 207.148.78[.]36, hardcoded within the configuration (proven in Determine 9) of the WIN_PLUS variant of the SprySOCKS backdoor.

Ports from the configuration that needs to be utilized by the backdoor to speak with the C&C:

  • TCP: 443
  • UDP: 53
  • WebSocket: 80

As talked about in Pattern Micro’s report, the IP deal with 207.148.75[.]122, from the identical IP vary 207.148.64.0/20 because the C&C above, was utilized by FishMonger operators as a SprySOCKS supply server in June 2023. This IP vary belongs to the Vultr cloud internet hosting supplier.

Conclusion

The invention of a Home windows variant of SprySOCKS, beforehand often called Linux-only backdoor, represents a significant growth of FishMonger’s cross-platform capabilities. Our evaluation exhibits that the Home windows port retains many of the core structure of its Linux predecessor – together with the C&C protocol, encryption used, and total command dealing with logic – whereas substituting Home windows-native mechanisms the place required and bettering the stealthiness of the backdoor by bringing the kernel drivers to the sport. Contemplating the restricted indications of doable UEFI bootkit involvement, we advise everybody to maintain a detailed eye on the group’s actions.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Analysis provides non-public APT intelligence experiences and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

Information

SHA‑1 Filename Detection Description
955BFC3DCC867256F9F46A606DEB0779FA3416D8 KX1B5206BDC1743DD.dat Win64/SprySOCKS.A Encrypted SprySOCKS DriverLoader driver.
44DC4A08C5EB0972C8E18B0E01284E06F09006BB bthcam.sys Win64/Agent.ESB SprySOCKS DriverLoader driver.
AB87B29B6F79487C75CA08D102E79001E536F083 KW1B5206BDC1743FP.dat Win64/SprySOCKS.A Encrypted SprySOCKS RawWNPF driver.
6490B8E4AADE25A3EE2DA9A47F312DB2122470BC X1B5206BDC1743DD.dat Win64/SprySOCKS.A Encrypted container of the encrypted WIN_DRV variant of SprySOCKS backdoor, encrypted SprySOCKS RawWNPF and SprySOCKS DriverLoader drivers.
E7484C24B88A1A2407A8F09D734F9A993670285B klelam00007.zip Win64/Agent.CXZ
Win64/SprySOCKS.A
BAT/Runner.KS
ZIP archive from VirusTotal containing the WIN_DRV variant of SprySOCKS, together with all of the backdoor’s parts; clear binaries used for side-loading are included.
621D1952839BE4B0A1B0E66E87BCE5062CA368ED tpsvcloc.dll Win64/Agent.CXZ SprySOCKS loader.
2457EED2AB28E37741F10914EF929DAD2C8079D4 VSPMsg.dll Win64/Agent.CXZ First-stage loader answerable for launching the SprySOCKS loader.
D2C706B1EAF662BF0CE124B5032F73ED84BDA24A N/A Win64/SprySOCKS.A WIN_PLUS variant of the SprySOCKS backdoor.
5F3B87CEF56683D9A9E19186E0FD0D8019B559C4 N/A Win64/Agent.CXZ SprySOCKS loader.
C793CA31E3F6628B5C8986146953BF66232E9A30 config.dat Win64/SprySOCKS.A Encrypted container of the WIN_PLUS variant of the SprySOCKS backdoor and its loader.
037DB2445F3D72388CB2CF8510563148E5A184BE N/A BAT/Runner.KS Batch script that persists the WIN_DRV variant of SprySOCKS.

Community

IP Area Internet hosting supplier First seen Particulars
207.148.78[.]36 N/A IRT‑CHOOPALLC‑AP N/A C&C IP hardcoded within the SprySOCKS backdoor (WIN_PLUS variant).

MITRE ATT&CK strategies

This desk was constructed utilizing model 19 of the MITRE ATT&CK framework.

Tactic ID Identify Description
Reconnaissance T1592.004 Collect Sufferer Host Data: Consumer Configurations SprySOCKS can gather details about the compromised system, together with: laptop title, OS model, details about reminiscence and CPU, present privileges, system language and model, present time, and extra.
T1590.005 Collect Sufferer Community Data: IP Addresses SprySOCKS can gather details about the compromised system, together with details about community interfaces and assigned IP addresses.
Useful resource Growth T1587.001 Develop Capabilities: Malware FishMonger has developed customized malware for its operations, together with the SprySOCKS backdoor.
Execution T1059.003 Command and Scripting Interpreter: Home windows Command Shell SprySOCKS can launch an interactive cmd.exe command shell, which permits the attackers to execute instructions remotely on the compromised machine.
T1053.005 Scheduled Process/Job: Scheduled Process SprySOCKS makes use of a scheduled job to execute its loader on system begin.
T1569.002 System Companies: Service Execution SprySOCKS abuses system companies for each one-time and chronic execution.
T1106 Native API FishMonger has used Home windows APIs to execute code inside a sufferer’s system.
Persistence T1547.012 Boot or Logon Autostart Execution: Print Processors To attain persistence, FishMonger installs its malicious loader as a print processor.
Privilege Escalation T1546.012 Occasion Triggered Execution: Picture File Execution Choices Injection SprySOCKS can set up itself as a debugger for the Digital Disk Service by modifying HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exedebugger.
Stealth T1205.002 Visitors Signaling: Socket Filters SprySOCKS makes use of the RawWNPF kernel driver to put in packet filters able to redirecting any inbound TCP site visitors to the configured native port if a particular magic worth is detected within the packet.
T1134.002 Entry Token Manipulation: Create Course of with Token FishMonger makes use of CreateProcessAsUser to execute a brand new course of with a token obtained from the print spooler service.
T1622 Debugger Evasion SprySOCK’s RawWNPF driver makes use of the KdDisableDebugger perform to disable the kernel debugger, if energetic.
T1140 Deobfuscate/Decode Information or Data SprySOCKS loader decrypts the SprySOCKS backdoor from an encrypted file. Moreover, many of the strings within the SprySOCKS parts are encrypted.
T1070.004 Indicator Removing: File Deletion The SprySOCKS loader removes authentic information from the deployment listing after copying them and establishing persistence.
T1070.009 Indicator Removing: Clear Persistence SprySOCKS loader removes a service registry worth related to the beforehand put in malicious minifilter driver after executing the driving force.
T1027.007 Obfuscated Information or Data: Dynamic API Decision SprySOCKS parts use dynamic API decision.
T1027.013 Obfuscated Information or Data: Encrypted/Encoded File SprySOCKS parts are saved in an AES-encrypted file on the sufferer’s drive.
T1055.013 Course of Injection: Course of Doppelgänging The SprySOCKS loader makes use of course of doppelgänging to inject the backdoor into the svchost.exe course of.
T1014 Rootkit FishMonger makes use of the RawWNPF kernel driver, which serves as a rootkit answerable for hiding the SprySOCKS malicious exercise.
T1497 Virtualization/Sandbox Evasion SprySOCKS makes use of a number of anti-emulation strategies to forestall automated evaluation by emulators or sandboxes.
T1574.002 Hijack Execution Stream: DLL Aspect-Loading FishMonger makes use of DLL side-loading to execute the SprySOCKS backdoor.
Protection Impairment T1562.004 Disable or Modify System Firewall SprySOCKS provides a firewall rule permitting any inbound site visitors despatched to the backdoor’s listening port.
Discovery T1010 Software Window Discovery SprySOCKS retrieves the energetic foreground window title as part of its keylogging performance.
T1083 File and Listing Discovery SprySOCKS can receive file and listing listings from the compromised system.
T1518.001 Software program Discovery: Safety Software program Discovery SprySOCKS parts examine for the presence of safety and sandboxing product libraries (snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, SbieDll.dll, and cmdvrt32.dll) in their very own processes.
T1082 System Data Discovery SprySOCKS can gather details about the compromised system, together with: laptop title, OS model, details about reminiscence and CPU, present privileges, system language and model, present time, and extra.
T1614.001 System Location Discovery: System Language Discovery SprySOCKS can gather details about the compromised system, together with system language.
T1007 System Service Discovery SprySOCKS can enumerate all companies on the system.
T1124 System Time Discovery SprySOCKS can gather details about the compromised system, together with present system time.
Assortment T1056.001 Enter Seize: Keylogging SprySOCKS implements a keylogger.
T1115 Clipboard Information SprySOCKS logs clipboard knowledge, together with the captured keystrokes, as part of its keylogging performance.
Command and Management T1132.001 Information Encoding: Customary Encoding SprySOCKS makes use of base64 encoding in its customized C&C communication protocol.
T1573.001 Encrypted Channel: Symmetric Cryptography SprySOCKS encrypts knowledge despatched to, and decrypts knowledge acquired from, the C&C with 128-bit AES.
T1008 Fallback Channels Along with the TCP communication channel, SprySOCKS can contact its C&C utilizing UDP and WebSocket channels.
T1665 Conceal Infrastructure SprySOCKS’s RawWNPF driver hides the backdoor’s energetic connections from being enumerated when utilizing community instruments comparable to netstat.exe.
T1571 Non-Customary Port SprySOCKS makes use of nonstandard ports to speak with the C&C.
T1095 Non-Software Layer Protocol SprySOCKS makes use of nonstandard protocols to speak with the C&C.
Exfiltration T1041 Exfiltration Over C2 Channel SprySOCKS can add varied information from the compromised system to the C&C.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

[td_block_social_counter facebook="tagdiv" twitter="tagdivofficial" youtube="tagdiv" style="style8 td-social-boxed td-social-font-icons" tdc_css="eyJhbGwiOnsibWFyZ2luLWJvdHRvbSI6IjM4IiwiZGlzcGxheSI6IiJ9LCJwb3J0cmFpdCI6eyJtYXJnaW4tYm90dG9tIjoiMzAiLCJkaXNwbGF5IjoiIn0sInBvcnRyYWl0X21heF93aWR0aCI6MTAxOCwicG9ydHJhaXRfbWluX3dpZHRoIjo3Njh9" custom_title="Stay Connected" block_template_id="td_block_template_8" f_header_font_family="712" f_header_font_transform="uppercase" f_header_font_weight="500" f_header_font_size="17" border_color="#dd3333"]
- Advertisement -spot_img

Latest Articles