China-Linked SprySOCKS Backdoor Expands to Windows with Advanced Features

Key Takeaways

  • The FishMonger group has ported its SprySOCKS backdoor from Linux to Windows.
  • Two new variants, WIN_DRV and WIN_PLUS, offer enhanced stealth and features.
  • Both variants have been actively used against government entities in multiple countries.
  • The evolution of SprySOCKS signifies a larger threat landscape for cybersecurity.
  • Proactive defense strategies become essential to combat such sophisticated malware.

Background on FishMonger and SprySOCKS

FishMonger, also tracked as Earth Lusca and various other names, has been active in global espionage operations since at least 2021. Initially identified in Linux environments, SprySOCKS has previously targeted government organizations across Southeast Asia and Latin America. According to ESET researchers, two new Windows variants—internally designated WIN_DRV and WIN_PLUS—have been discovered, which further extend the malware’s capabilities and stealth measures (source).

Key Details of the Windows Variants

Enhanced Capabilities

The WIN_DRV variant operates with a kernel driver, providing advanced stealth by concealing processes, files, and network connections, and rerouting TCP traffic to obscure its operations. The WIN_PLUS variant, while lacking the kernel-mode driver, shares core functionalities with WIN_DRV (source). Both variants feature support for various communication protocols, including TCP, UDP, and WebSocket, alongside over 30 C2 commands for system reconnaissance, file manipulation, and tunneling traffic through an embedded SOCKS proxy.
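One network-side check that follows from the capabilities above is to look for SOCKS5 negotiation inside captured TCP flows: a host that tunnels traffic through an embedded SOCKS proxy has to exchange the RFC 1928 method-selection and CONNECT messages, and those appear on whatever port the implant listens on rather than on a sanctioned proxy port. The Python below is an added example written for this page, not code from ESET's report or from the SprySOCKS analysis; the flow records, the payload bytes, and the assumption that TCP/1080 is the only approved proxy port are all constructed for illustration.

```python
"""Flag SOCKS5 handshakes (RFC 1928 framing) in captured client-to-server bytes.

Added example for this page; the sample flows and the allowed proxy port are
constructed assumptions, not indicators taken from the SprySOCKS report.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ALLOWED_PROXY_PORTS = {1080}  # assumption: the only sanctioned SOCKS listener


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes  # first bytes the client sent, as reassembled from a capture


def is_socks5_greeting(data: bytes) -> bool:
    """True if data starts with a well-formed method-selection message:
    VER(0x05) | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return False
    nmethods = data[1]
    return nmethods != 0 and len(data) >= 2 + nmethods


def parse_socks5_request(data: bytes) -> Optional[dict]:
    """Decode VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT, or None if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(data[1])
    if cmd is None:
        return None
    atyp = data[3]
    if atyp == 0x01:  # IPv4
        if len(data) < 10:
            return None
        host, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 0x03:  # domain name, length-prefixed
        if len(data) < 5 or data[4] == 0 or len(data) < 5 + data[4] + 2:
            return None
        n = data[4]
        host, off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04:  # IPv6
        if len(data) < 22:
            return None
        host, off = ipaddress.IPv6Address(bytes(data[4:20])).compressed, 20
    else:
        return None
    port = int.from_bytes(data[off:off + 2], "big")
    return {"cmd": cmd, "host": host, "port": port}


def scan_flows(flows, allowed_ports=ALLOWED_PROXY_PORTS):
    """Return one alert per flow that negotiates SOCKS5 on a non-sanctioned port.
    The greeting check alone is a weak heuristic (any stream starting with 0x05
    passes the version test), so the alert also carries the decoded CONNECT
    request when one follows the greeting in the same direction."""
    alerts = []
    for f in flows:
        if f.dport in allowed_ports or not is_socks5_greeting(f.client_bytes):
            continue
        request_offset = 2 + f.client_bytes[1]
        alerts.append({
            "src": f.src, "dst": f.dst, "dport": f.dport,
            "request": parse_socks5_request(f.client_bytes[request_offset:]),
        })
    return alerts


# Constructed sample flows: one SOCKS5 CONNECT to 10.0.0.5:443 hidden on TCP/443,
# one plain HTTP request, one greeting on the sanctioned proxy port, and one
# CONNECT by domain name on TCP/8443.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", 443,
         b"\x05\x01\x00" + b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbb"),
    Flow("192.0.2.11", "198.51.100.8", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("192.0.2.12", "198.51.100.9", 1080, b"\x05\x01\x00"),
    Flow("192.0.2.13", "198.51.100.7", 8443,
         b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03\x0bexample.com\x00\x50"),
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

In practice the flow records would come from a reassembly tool rather than literals, and the allowlist should reflect the proxies the organization actually operates; a hit on a port such as 443 or 8443 is the kind of anomaly that warrants pulling the endpoint for a closer look, because the kernel-mode variant can hide the listening process and its connections from host-side tools.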

Timeline of Discovery and Usage

Both the WIN_DRV and WIN_PLUS variants were actively used against government organizations in Honduras, Taiwan, Thailand, and Pakistan during 2023-2024. The first detection of a WIN_PLUS sample occurred in July 2024, indicating rapid deployment within targeted networks (source).

Impact of the SprySOCKS Expansion

Affected Parties

The primary victims identified so far are government entities in several countries, including Honduras, Taiwan, Thailand, and Pakistan. This points to a targeted espionage campaign rather than a financially motivated one, consistent with past FishMonger operations, which have historically aimed at high-value institutions such as NGOs and media organizations (source).

Broader Implications

The evolution of SprySOCKS from a Linux-only backdoor to a cross-platform threat represents a significant escalation in the sophistication and reach of FishMonger’s operations. The introduction of kernel-level stealth will complicate detection and remediation efforts. As security agencies strive to safeguard sensitive data, the risks posed by malware with such robust capabilities highlight the necessity for ongoing vigilance and proactive defense strategies.

What’s Next

The expansion of the SprySOCKS backdoor demands increased scrutiny from security professionals, particularly in regions already impacted by these attacks. Organizations should prioritize patch management of public-facing services and maintain rigorous monitoring of network traffic for unusual patterns indicative of potential breaches. The potential for similar attacks in broader regions, including India, should not be underestimated, even if no specific intrusions have been reported in the country to date.

As FishMonger continues to iterate on its operational toolset, the global cybersecurity community will need to enhance defenses against this evolving threat landscape. The growing capabilities of malware like SprySOCKS mark a significant challenge in safeguarding national and international interests amidst an increasingly complex cyber warfare environment.

FAQ Section

What is the SprySOCKS backdoor?

SprySOCKS is a malware backdoor initially developed for Linux systems which has now been ported to Windows, featuring advanced stealth and command-and-control capabilities.

Who is behind the FishMonger group?

FishMonger is a cyber-espionage group believed to have links to China, involved in high-value political and governmental espionage operations since at least 2021.

Which countries have been targeted by the SprySOCKS variants?

The targeted countries include Honduras, Taiwan, Thailand, and Pakistan, with evidence of attacks occurring throughout 2023 and 2024.

How can organizations safeguard against such threats?

Organizations should invest in patch management, monitor network traffic, and develop proactive cybersecurity strategies to detect and mitigate potential breaches.
