FishMonger’s arsenal upgraded: SprySOCKS for Windows

What Happened

Security researchers have found new Windows versions of a malicious program called SprySOCKS, which was previously only known to attack Linux systems. This malware is being used by a cyberespionage group known as FishMonger to target government organizations in several countries. The malware is highly advanced, using deep system-level tricks to hide its files, network activity, and running processes from security tools. Organizations should ensure their systems are fully patched, monitor for unusual network traffic, and check for unauthorized changes to system services and print processors.

Key Takeaways

• Discovery of two new Windows variants (WIN_DRV and WIN_PLUS) of the previously Linux-only SprySOCKS backdoor.
• The WIN_DRV variant uses a custom kernel driver (RawWNPF) to hide processes, network connections, and files.
• RawWNPF enables passive TCP backdoor capabilities by diverting traffic containing specific magic values to a hidden port.
• The WIN_PLUS variant achieves persistence by installing itself as a malicious print processor.
• Attributed to the China-aligned FishMonger APT group, targeting government entities in Asia and Central America.

Affected Systems

• Windows
• Windows Server

Vulnerabilities (CVEs)

• CVE-2023-24932

Attack Chain

The attack begins with initial access likely via exploitation of public-facing applications. The threat actor deploys the SprySOCKS loader, which uses DLL side-loading or print processor abuse to execute. In the WIN_DRV variant, the loader decrypts and loads a kernel driver (RawWNPF) that hides the malware's processes, files, and network connections, while also enabling passive TCP traffic diversion. The backdoor then establishes C&C communication over TCP, UDP, or WebSocket, allowing the attacker to execute commands, manage files, and collect system information.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide explicit detection rules (YARA, Sigma, etc.), but offers extensive behavioral indicators, file paths, and network IOCs for custom rule creation.

Detection Engineering Assessment

EDR Visibility: Medium — While EDRs can detect the initial DLL side-loading, scheduled task creation, and print processor registry modifications, the WIN_DRV variant's RawWNPF kernel driver actively hooks NtQuerySystemInformation and nsiproxy.sys to hide processes and network connections, potentially blinding user-land EDR sensors. Network Visibility: Medium — The malware uses custom magic bytes in TCP/UDP/WebSocket headers and encrypts the payload with AES. The passive TCP diversion feature makes identifying the true listening port difficult, though the magic bytes can be signatured. Detection Difficulty: Hard — The use of a signed (albeit leaked/expired) kernel driver to implement rootkit functionalities significantly raises the difficulty of host-based detection. The passive backdoor feature also complicates network analysis.

Required Log Sources

• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 11 (File Create)
• Sysmon Event ID 12/13/14 (Registry Event)
• Windows Security Event 4697 (Service Installed)
• Windows Security Event 5156 (Windows Filtering Platform Connection)

Hunting Hypotheses

Control Gaps

• Lack of strict Driver Signature Enforcement (DSE) blocking known leaked/revoked certificates
• Insufficient monitoring of Print Spooler service child processes

Key Behavioral Indicators

• svchost.exe spawned with a token from spoolsv.exe
• Creation of files with 'TH' prefix in %TEMP%
• Presence of .dat files in C:\Windows\Fonts\ or C:\Windows\System32\spool\drivers\color\

False Positive Assessment

• Low. The IOCs provided (specific file paths, custom mutexes, specific registry keys, and C&C IPs) are highly specific to the SprySOCKS malware and FishMonger APT.

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider searching endpoint telemetry for the identified file hashes, paths, and registry keys associated with SprySOCKS.
• Evaluate blocking the known C&C IP addresses (207.148.78.36, 207.148.75.122) at the perimeter firewall.

Infrastructure Hardening

• If supported by your environment, consider enforcing strict Driver Signature Enforcement and utilizing Microsoft's vulnerable driver blocklist to prevent the loading of drivers signed with leaked certificates.
• Evaluate patching and hardening public-facing applications, as these are the suspected initial access vectors for FishMonger.
• Consider restricting modifications to the Print Processors registry keys and monitoring the Print Spooler service for anomalous child processes.

User Protection

• Consider implementing application control to prevent the execution of unapproved binaries, even if they are signed, from unusual directories like C:\Windows\Fonts.

Security Awareness

• Consider updating threat intelligence briefings to include FishMonger's shift to targeting Windows environments with advanced rootkit capabilities.

MITRE ATT&CK Mapping

• T1592.004 - Gather Victim Host Information: Client Configurations
• T1590.005 - Gather Victim Network Information: IP Addresses
• T1587.001 - Develop Capabilities: Malware
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1569.002 - System Services: Service Execution
• T1106 - Native API
• T1547.012 - Boot or Logon Autostart Execution: Print Processors
• T1546.012 - Event Triggered Execution: Image File Execution Options Injection
• T1205.002 - Traffic Signaling: Socket Filters
• T1134.002 - Access Token Manipulation: Create Process with Token
• T1622 - Debugger Evasion
• T1140 - Deobfuscate/Decode Files or Information
• T1070.004 - Indicator Removal: File Deletion
• T1070.009 - Indicator Removal: Clear Persistence
• T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
• T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
• T1055.013 - Process Injection: Process Doppelgänging
• T1014 - Rootkit
• T1497 - Virtualization/Sandbox Evasion
• T1574.002 - Hijack Execution Flow: DLL Side-Loading
• T1562.004 - Disable or Modify System Firewall
• T1010 - Application Window Discovery
• T1083 - File and Directory Discovery
• T1518.001 - Software Discovery: Security Software Discovery
• T1082 - System Information Discovery
• T1614.001 - System Location Discovery: System Language Discovery
• T1007 - System Service Discovery
• T1124 - System Time Discovery
• T1056.001 - Input Capture: Keylogging
• T1115 - Clipboard Data
• T1132.001 - Data Encoding: Standard Encoding
• T1573.001 - Encrypted Channel: Symmetric Cryptography
• T1008 - Fallback Channels
• T1665 - Hide Infrastructure
• T1571 - Non-Standard Port
• T1095 - Non-Application Layer Protocol
• T1041 - Exfiltration Over C2 Channel

Additional IOCs

• File Hashes:
  • 955BFC3DCC867256F9F46A606DEB0779FA3416D8 (SHA1) - Encrypted SprySOCKS DriverLoader driver (KX1B5206BDC1743DD.dat)
  • AB87B29B6F79487C75CA08D102E79001E536F083 (SHA1) - Encrypted SprySOCKS RawWNPF driver (KW1B5206BDC1743FP.dat)
  • E7484C24B88A1A2407A8F09D734F9A993670285B (SHA1) - klelam00007.zip archive containing WIN_DRV variant
  • 621D1952839BE4B0A1B0E66E87BCE5062CA368ED (SHA1) - tpsvcloc.dll SprySOCKS loader
  • 2457EED2AB28E37741F10914EF929DAD2C8079D4 (SHA1) - VSPMsg.dll First-stage loader
  • D2C706B1EAF662BF0CE124B5032F73ED84BDA24A (SHA1) - WIN_PLUS variant of the SprySOCKS backdoor
  • 5F3B87CEF56683D9A9E19186E0FD0D8019B559C4 (SHA1) - SprySOCKS loader
  • 037DB2445F3D72388CB2CF8510563148E5A184BE (SHA1) - Batch script that persists the WIN_DRV variant
  • FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7 (SHA1) - ApphostRagistreationVerifier.exe legitimate signed executable used for side-loading
• Registry Keys:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger - IFEO persistence mechanism for the Virtual Disk Service
  • HKLM\SYSTEM\CurrentControlSet\Services\msidiskserver - Minifilter driver service created by the SprySOCKS loader
• File Paths:
  • %SystemRoot%\Fonts\tpsvc.dll - Legitimate DLL used in side-loading chain
  • %SystemRoot%\Fonts\tpsvcloc.dll - SprySOCKS loader DLL
  • %SystemRoot%\Fonts\ApphostRagistreationVerifier.exe - Legitimate executable used for side-loading
  • %SystemRoot%\Fonts\X1B5206BDC1743DD.dat - Encrypted container for WIN_DRV variant
  • %SystemRoot%\Fonts\KX1B5206BDC1743DD.dat - Encrypted DriverLoader driver
  • %SystemRoot%\Fonts\KW1B5206BDC1743FP.dat - Encrypted RawWNPF driver
  • C:\Windows\System32\spool\drivers\color\config.dat - Encrypted container for WIN_PLUS variant
  • C:\Windows\System32\spool\prtprocs\x64\VSPMsg.dll - First-stage loader for WIN_PLUS variant
  • %appdata%\Microsoft\Vault\lgf.dat - Configuration file to activate keylogging
  • %appdata%\Microsoft\Vault\lg.dat - Encrypted keylogger output file
• Command Lines:
  • Purpose: Modify firewall rules to allow inbound TCP traffic to the backdoor's listening port | Tools: netsh.exe | Stage: Defense Evasion
  • Purpose: Create a scheduled task for persistence running as SYSTEM | Tools: schtasks.exe | Stage: Persistence | schtasks /create /tn "ApphostRagistreationVerifier" /tr
• Other:
  • fqwhi2d1qaz2 - Mutex created by SprySOCKS loader
  • prcs-server-run - Mutex created by SprySOCKS backdoor
  • Global\{DCAA7ED8-521B-4EAB-BE21-65254CF59239} - Mutex created by SprySOCKS keylogger