{"id":380,"date":"2026-06-17T06:10:20","date_gmt":"2026-06-17T06:10:20","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/06\/17\/fishmongers-arsenal-upgraded-sprysocks-for-windows\/"},"modified":"2026-06-17T06:10:20","modified_gmt":"2026-06-17T06:10:20","slug":"fishmongers-arsenal-upgraded-sprysocks-for-windows","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/06\/17\/fishmongers-arsenal-upgraded-sprysocks-for-windows\/","title":{"rendered":"FishMonger\u2019s arsenal upgraded: SprySOCKS for Windows"},"content":{"rendered":"<div>\n<p>ESET researchers have discovered two as-yet undocumented Windows variants of <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.spry_socks\">SprySOCKS<\/a>, a previously Linux-only backdoor <a href=\"https:\/\/thehackernews.com\/2023\/09\/earth-luscas-new-sprysocks-linux.html\">reportedly<\/a> used by FishMonger, the group believed to be operated by a Chinese contractor named I\u2011SOON. While we initially discovered the malware samples on VirusTotal, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations.<\/p>\n<p>The Windows variants discovered are internally marked as <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> and <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>. Both come with a hardcoded C&amp;C configuration and support communication over TCP, UDP, and WebSocket protocols. The core backdoor functionality for both includes support for over 30 C&amp;C commands, covering various functionalities including system information collection, process enumeration, as well as service management and file management functions such as listing, creating, deleting, and transferring files.<\/p>\n<p>In addition to the core backdoor functionality, the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version utilizes kernel drivers to hide the malware\u2019s network connections, processes, files, and registry keys, and enables TCP traffic diversion allowing the malware operators to send commands to the backdoor through a random TCP port on the victim\u2019s device without exposing the backdoor&#8217;s real listening port in the network traffic.<\/p>\n<p>Based on ESET telemetry, there are limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly exploiting CVE\u20112023\u201124932.<\/p>\n<p>The analysis provided in this report leads us to attribute these new, Windows variants to FishMonger with high confidence.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>We discovered two previously undocumented Windows variants of FishMonger\u2019s <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.spry_socks\">SprySOCKS<\/a> backdoor.<\/li>\n<li>ESET telemetry shows activity between 2023 and 2024, primarily targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan.<\/li>\n<li>Both Windows variants support communication over TCP, UDP, and WebSocket protocols, and implement over 30 commands.<\/li>\n<li>The <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant creates a stealthy passive TCP backdoor, relying on a kernel driver to redirect traffic to the backdoor\u2019s hidden TCP port whenever specially crafted data is detected inside a received TCP packet.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>FishMonger profile<\/h2>\n<p>FishMonger \u2013 believed to be operated by a Chinese contractor named I\u2011SOON (see our <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2023-q1-2024.pdf\" target=\"_blank\" rel=\"noopener\">Q4 2023\u2013Q1 2024 APT Activity Report<\/a>) \u2013 is a cyberespionage group that falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu. It is also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10. We published an analysis of FishMonger in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. The group is also known to operate watering-hole attacks, as reported by <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\" target=\"_blank\" rel=\"noopener\">Trend Micro<\/a>. FishMonger\u2019s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.<\/p>\n<h2>Technical analysis<\/h2>\n<p>In this section, we provide a technical analysis of these new, Windows variants of FishMonger\u2019s SprySOCKS backdoor.<\/p>\n<p>The archive that led us to this discovery was uploaded to VirusTotal in April 2024 under the name <span style=\"font-family: courier new, courier, monospace;\">klelam00007.zip<\/span>; its contents are shown in Figure\u00a01.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Contents of klelam00007.zip as displayed on VirusTotal\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-1.png\" alt=\"Figure 1. Contents of klelam00007.zip as displayed on VirusTotal\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Contents of <\/em><span style=\"font-family: courier new, courier, monospace;\">klelam00007.zip<\/span><em> as displayed on VirusTotal<\/em><\/figcaption><\/figure>\n<p>This archive contains various files, including legitimate ones used to host DLL side-loading, and three suspicious-looking, encrypted files with <span style=\"font-family: courier new, courier, monospace;\">.dat<\/span> extensions. Our subsequent analysis revealed that these encrypted files contain a new, previously undocumented Windows variant of FishMonger\u2019s SprySOCKS backdoor, labeled <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> by its developers. Further investigation revealed an additional backdoor version, labeled <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>, in ESET Telemetry.<\/p>\n<h3>Initial access<\/h3>\n<p>FishMonger has been known for targeting the public-facing servers of its victims, often exploiting server-based N-day vulnerabilities, to gain initial access. While we were not able to confirm the exact way FishMonger got into its victims\u2019 systems in this campaign, the presence of a server operating system on some of the victim devices along with FishMonger\u2019s typical modus operandi suggest that the attackers may well have got in through misconfigured or unpatched public-facing applications.<\/p>\n<h3>SprySOCKS for Windows<\/h3>\n<p>In September 2023, Trend Micro published a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/i\/earth-lusca-employs-new-linux-backdoor.html\" target=\"_blank\" rel=\"noopener\">report<\/a> about a new FishMonger Linux backdoor that its analysts named SprySOCKS. The code of the backdoor is based on an open-source Windows remote access trojan (RAT) named <a href=\"https:\/\/github.com\/RamadhanAmizudin\/malware\/tree\/master\/Trochilus\" target=\"_blank\" rel=\"noopener\">Trochilus<\/a>, and shares several common characteristics with the <a href=\"https:\/\/blogs.jpcert.or.jp\/en\/2017\/04\/redleaves---malware-based-on-open-source-rat.html\" target=\"_blank\" rel=\"noopener\">RedLeaves backdoor<\/a>; nevertheless, it was extended and modified enough to be considered a new backdoor. In this report, we analyze two as yet undisclosed Windows variants of v1.8 of SprySOCKS:<\/p>\n<ul>\n<li>One has been named <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> by its developers and uses a kernel driver for advanced stealth.<\/li>\n<li>Another, without the driver, is named <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>.<\/li>\n<\/ul>\n<p>As shown in Figure\u00a02, the backdoor version type and number are hardcoded in the binary.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Version type and number hardcoded in WIN_DRV (left) and WIN_PLUS (right) Windows SprySOCKS backdoor variants\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-2.png\" alt=\"Figure 2. Version type and number hardcoded in WIN_DRV and WIN_PLUS\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Version type and number hardcoded in <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span><em> (left) and <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> (right) Windows SprySOCKS backdoor variants<\/em><\/figcaption><\/figure>\n<p>The vast majority of artifacts and functionality present in the Linux version of the SprySOCKS backdoor introduced in Trend Micro\u2019s <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html\">report<\/a> can also be found in the newly discovered Windows SprySOCKS variants described in this report. These include:<\/p>\n<ul>\n<li>the same C&amp;C message format,<\/li>\n<li>very similar C&amp;C commands (plus some additional ones),<\/li>\n<li>the same encryption keys and algorithms, and<\/li>\n<li>the use of the same statically linked networking library (<a href=\"https:\/\/github.com\/ldcsaa\/HP-Socket\">HP-Socket<\/a>).<\/li>\n<\/ul>\n<p>For both of these new SprySOCKS variants, the core backdoor functionality involving C&amp;C communication and available commands is very similar. The most notable differences can be spotted in the way the final backdoor is loaded, in the improved stealthiness, and in the component names and paths used.<\/p>\n<p>In the following subsections, we first analyze components involved in the execution chain of individual SprySOCKS variants, and then we describe the backdoor component, which is mostly the same for both variants.<\/p>\n<h4>WIN_DRV components<\/h4>\n<p>In an archive uploaded to VirusTotal, we discovered the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version of SprySOCKS, which comes with an empty C&amp;C configuration. As a result, this version does not actively contact any remote addresses; however, it is still capable of launching a TCP server on a random port on the victim\u2019s device, thus acting as a passive backdoor. Interestingly, the attackers don\u2019t need to know this server\u2019s TCP port number because, as explained later, the RawWNPF driver used by the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version allows silent diversion \u2013 to the backdoor itself \u2013 of TCP traffic received on any open port (more in the <em><a href=\"#RawWNPF driver\">RawWNPF driver<\/a> <\/em>section).<\/p>\n<p>As shown in Figure\u00a01, the archive containing the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version of SprySOCKS contains several files:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">klelam00007.bat<\/span> \u2013 a batch script responsible for persisting the backdoor. As shown in Figure 3, it:<\/li>\n<\/ul>\n<p style=\"margin-top: 1em; padding-left: 20px; font-size: 0.9em; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1.4em; flex-shrink: 0;\">\u25cb<\/span> <span style=\"margin: 0;\">copies all files from the current working directory into the <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts<\/span> directory (to function properly, the batch file needs to be deployed in the same directory as the rest of the files from the archive),<\/span><\/p>\n<p style=\"margin-top: 1em; padding-left: 20px; font-size: 0.9em; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1.4em; flex-shrink: 0;\">\u25cb<\/span> <span style=\"margin: 0;\">creates a scheduled task named <span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier<\/span>, configured to execute <span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier.exe<\/span> (which is a legitimate, validly signed executable, renamed by the attackers to mimic the legitimate Microsoft-signed <span style=\"font-family: courier new, courier, monospace;\">AppHostRegistrationVerifier.exe<\/span>) with <span style=\"font-family: courier new, courier, monospace;\">NT AUTHORITY\\SYSTEM<\/span> privileges on every system start. The attackers use the well-known <a href=\"https:\/\/attack.mitre.org\/versions\/v15\/techniques\/T1574\/002\/\" target=\"_blank\" rel=\"noopener\">DLL side-loading<\/a> technique, taking advantage of the way Windows loads DLLs, to load their own malicious DLL (in this case <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span>) by using a legitimate, signed application. To be specific, in this case the attackers use <a href=\"https:\/\/r136a1.dev\/2025\/12\/03\/malware-sideloading-via-mfc-satellite-dlls\/\" target=\"_blank\" rel=\"noopener\">Malware Sideloading via MFC Satellite DLLs<\/a> technique (note the <span style=\"font-family: courier new, courier, monospace;\">loc<\/span> string in the <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span> filename),<\/span><\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier.exe<\/span> \u2013 a legitimate, ThinPrint\u2019 AutoConnect printer creation service signed executable (SHA\u20111: <span style=\"font-family: courier new, courier, monospace;\">FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7<\/span>) that loads the <span style=\"font-family: courier new, courier, monospace;\">tpsvc.dll<\/span> library,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">tpsvc.dll<\/span> \u2013 a legitimate, signed library that loads the <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span> library,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span> \u2013 the SprySOCKS backdoor loader,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">X1B5206BDC1743DD.dat<\/span> \u2013 an encrypted container comprising the SprySOCKS backdoor and copies of the next two files,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">KX1B5206BDC1743DD.dat<\/span> \u2013 DriverLoader, an encrypted kernel driver responsible for loading another kernel driver from <span style=\"font-family: courier new, courier, monospace;\">KW1B5206BDC1743FP.dat<\/span>, and<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">KW1B5206BDC1743FP.dat<\/span> \u2013 RawWNPF, an encrypted kernel driver responsible for hiding the backdoor\u2019s files and network activity.<\/li>\n<\/ul>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor (newlines added for readability)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-3.png\" alt=\"Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. <\/em><span style=\"font-family: courier new, courier, monospace;\">klelam00007.bat<\/span><em> setting up persistence for the SprySOCKS backdoor (newlines added for readability)<\/em><\/figcaption><\/figure>\n<p>Figure\u00a04 depicts the execution chain of the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. Execution chain of the SprySOCKS WIN_DRV variant\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-4.png\" alt=\"Figure 4. Execution chain of the SprySOCKS WIN_DRV variant\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. Execution chain of the SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span><em> variant<\/em><\/figcaption><\/figure>\n<p>The following three subsections provide technical analyses of the aforementioned components: SprySOCKS loader, DriverLoader driver, and RawWNPF driver.<\/p>\n<h5>SprySOCKS loader<\/h5>\n<p>The loader starts with initial checks for the presence of a virtual environment and a few security products. It looks for specific libraries (namely: <span style=\"font-family: courier new, courier, monospace;\">snxhk.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxWrapper.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxIn.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SXIn64.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">SbieDll.dll<\/span>) in the loader\u2019s process, and exits if it finds any of them.<\/p>\n<p>As the next step, it verifies whether persistence was set successfully by the <span style=\"font-family: courier new, courier, monospace;\">klelam00007.bat<\/span> script, from Figure\u00a03. To do so, it checks whether the current loader\u2019s image was loaded from the %SystemRoot%\\Fonts\\ directory, and tries to access the <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\X1B5206BDC1743DD.dat<\/span>, <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\\u200ctpsvc.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\tpsvcloc.dll<\/span> files. If it finds that any of these files are not where they are supposed to be, it sets up persistence on its own by:<\/p>\n<ul>\n<li>copying <span style=\"font-family: courier new, courier, monospace;\">X1B5206BDC1743DD.dat<\/span>, <span style=\"font-family: courier new, courier, monospace;\">tpsvc.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier.exe<\/span> from the current working directory into the <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\<\/span> directory,<\/li>\n<li>registering the <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\ApphostRagistreationVerifier.exe<\/span> application as a debugger for <span style=\"font-family: courier new, courier, monospace;\">vds.exe<\/span> (a Virtual Disk Service that can be automatically executed on system start) by writing the application\u2019s path into the registry value <span style=\"font-family: courier new, courier, monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vds.exe\\debugger<\/span>, and<\/li>\n<li>dropping the <span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span> file into the <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\<\/span> directory and then executing it via <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span>. This script, shown in Figure 5, clears traces of this process by removing files from the deployment directory and executing the malware again (now from <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\<\/span>) by restarting the <span style=\"font-family: courier new, courier, monospace;\">vds<\/span> service.<\/li>\n<\/ul>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. affair-build.bat executed by the SprySOCKS loader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-5.png\" alt=\"Figure 5. affair-build.bat executed by the SprySOCKS loader\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. <\/em><span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span><em> executed by the SprySOCKS loader<\/em><\/figcaption><\/figure>\n<p>When persistence is set, the loader continues with loading payloads from an encrypted container located at <span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\X1B5206BDC1743DD.dat<\/span>. The decryption algorithm and key: 128-bit AES in ECB mode with the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>.<\/p>\n<p>This produces shellcode generated by the <a href=\"https:\/\/github.com\/killeven\/DllToShellCode\">DllToShellCode<\/a> open-source tool. Before executing the shellcode, it extracts the rest of the encrypted payloads from the container into separate files:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\KX1B5206BDC1743DD.dat<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">%SystemRoot%\\Fonts\\KW1B5206BDC1743FP.dat<\/span><\/li>\n<\/ul>\n<p>When done, the loader spawns a new svchost.exe process using <span style=\"font-family: courier new, courier, monospace;\">CreateProcessAsUserW<\/span> with a token obtained from <span style=\"font-family: courier new, courier, monospace;\">spoolsv.exe<\/span>, and injects the backdoor\u2019s shellcode into the process by using the <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/013\/\">process doppelg\u00e4nging<\/a> technique. During the injection process, the shellcode is dropped into a temporary file, using the prefix <span style=\"font-family: courier new, courier, monospace;\">TH<\/span> in its filename, within the <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> directory.<\/p>\n<p>As the last step, the loader proceeds to decrypt and execute DriverLoader, a kernel driver hidden inside the previously dropped <span style=\"font-family: courier new, courier, monospace;\">KX1B5206BDC1743DD.dat<\/span> file. DriverLoader is first decrypted, then the decrypted contents are saved to <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\drivers\\fsdiskbit.sys<\/span>. To execute it, the loader installs this driver as a <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ifs\/filter-manager-concepts\">minifilter<\/a> driver by manually creating a new service registry key named msidiskserver with an <span style=\"font-family: courier new, courier, monospace;\">ImagePath<\/span> value pointing to the dropped driver (as shown in Figure\u00a06) and invokes the <span style=\"font-family: courier new, courier, monospace;\">NtLoadDriver<\/span> Windows API function with the registry key as the parameter to load it. If no errors are detected, the loader deletes both the <span style=\"font-family: courier new, courier, monospace;\">msidiskserver<\/span> registry key and the <span style=\"font-family: courier new, courier, monospace;\">fsdiskbit.sys<\/span> file. After this, the loader is done and exits.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Service registry key created by the SprySOCKS WIN_DRV loader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-6.png\" alt=\"Figure 6. Service registry key created by the SprySOCKS WIN_DRV loader\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. Service registry key created by the SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span><em> loader<\/em><\/figcaption><\/figure>\n<h5>DriverLoader driver<\/h5>\n<p>Before jumping to DriverLoader\u2019s functionality, one important note: with the release of Windows Vista, Microsoft introduced driver signature enforcement (DSE), a feature ensuring that only validly signed kernel-mode components are allowed to be executed in the Windows kernel. This means that to execute the <span style=\"font-family: courier new, courier, monospace;\">fsdiskbit.sys<\/span> driver (DriverLoader), attackers need to sign it with a trusted certificate.<\/p>\n<p>To make the driver work on at least some outdated or misconfigured systems, the attackers used a leaked certificate available on GitHub in the <a href=\"https:\/\/github.com\/utoni\/PastDSE\/tree\/main\/certs\" target=\"_blank\" rel=\"noopener\">PastDSE<\/a> project repository, and signed the <span style=\"font-family: courier new, courier, monospace;\">fsdiskbit.sys<\/span> driver with it. Information about the certificate used can be found in Figure\u00a07.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 65%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-7.png\" alt=\"Figure 7. DriverLoader\u2019s code-signing certificate\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. DriverLoader\u2019s code-signing certificate<\/em><\/figcaption><\/figure>\n<p>Now to the functionality. The purpose of this component is quite straightforward: to load another driver, this time in memory only. First, it reads and decrypts the contents of the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Fonts\\KW1B5206BDC1743FP.dat<\/span> file, previously created by the loader. It uses the same algorithm and key as used by the loader: 128-bit AES in ECB mode with the key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>. The decrypted data contains a native PE binary (described in the <em><a href=\"#RawWNPF driver\">RawWNPF driver<\/a> <\/em>section), which is then manually mapped and its entry point executed.<\/p>\n<p>There is the PDB path embedded in the DriverLoader binary:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">C:\\Users\\xdd\\Desktop\\\u4eca\u5929\\2023-4-11\\2023\u201104\u201110__\u6ce8\u518c\u8868\u9a71\u52a8\u52a0\u8f7d\u529f\u80fd__\u96c6\u6210\u5230\u5185\u6d4b3\u4e2d-\u672a\u5b8c\u6210\\DriverMemoryLoadDriver\\x64\\Release\\DriverMemoryLoadDriver.pdb<\/span><\/p>\n<p>The parts in simplified Chinese machine translate as:<\/p>\n<ul>\n<li>\u4eca\u5929: Today<\/li>\n<li>\u6ce8\u518c\u8868\u9a71\u52a8\u52a0\u8f7d\u529f\u80fd__\u96c6\u6210\u5230\u5185\u6d4b3\u4e2d-\u672a\u5b8c\u6210: Registry driver loading function__is integrated into internal beta 3-not completed<\/li>\n<\/ul>\n<p>As we can see in the symbols path, this component seems to have been in development at least since April 2023, which aligns with DriverLoader\u2019s compilation timestamp. Similarly, strings in the path suggest that the project this driver is part of was likely still in development when the driver was compiled.<\/p>\n<h5>RawWNPF driver<a id=\"RawWNPF driver\"\/><\/h5>\n<p>The RawWNPF driver is the component that makes the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version of the SprySOCKS backdoor much stealthier when compared to the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant. It allows hiding the backdoor\u2019s malicious activity on the compromised system, and can be configured by invoking the driver\u2019s custom I\/O control codes (IOCTLs). The driver creates a device driver named <span style=\"font-family: courier new, courier, monospace;\">\\Device\\RawWNPF<\/span>; a list of the available IOCTLs, with short descriptions, is shown in Table\u00a01.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a01. List of IOCTLs handled by the RawWNPF driver<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"94\"><strong>IOCTL<\/strong><\/td>\n<td width=\"548\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span><\/td>\n<td width=\"548\">Configure the driver to hide active network connections to and from the specified local TCP port.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220300<\/span><\/td>\n<td width=\"548\">Unhide the network connections configured with <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220340<\/span><\/td>\n<td width=\"548\">Insert an entry into the hidden connections list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220344<\/span><\/td>\n<td width=\"548\">Remove an entry from the hidden connections list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220348<\/span><\/td>\n<td width=\"548\">Wipe the whole hidden connections list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x22034C<\/span><\/td>\n<td width=\"548\">Read the hidden connections list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220350<\/span><\/td>\n<td width=\"548\">Insert a process with a specified PID into the hidden processes list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220354<\/span><\/td>\n<td width=\"548\">Remove a process with a specified PID from the hidden processes list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220358<\/span><\/td>\n<td width=\"548\">Wipe the whole hidden processes list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x22035C<\/span><\/td>\n<td width=\"548\">Read the hidden processes list.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x222000<\/span><\/td>\n<td width=\"548\">Initialize the driver\u2019s main functions (hiding network connections, hiding processes, hiding malware components, network filters, persistence protection). After this initialization, other IOCTLs can be used to configure what exactly should be hidden.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x222004<\/span><\/td>\n<td width=\"548\">Returns two hardcoded DWORD values: <span style=\"font-family: courier new, courier, monospace;\">1<\/span> and <span style=\"font-family: courier new, courier, monospace;\">2<\/span>. This possibly could be the driver\u2019s version.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x222008<\/span><\/td>\n<td width=\"548\">Delete the driver\u2019s binary (if it exists).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h6>Hiding specified processes<\/h6>\n<p>The RawWNPF driver can be configured to hide processes based on their process IDs, and a list of hidden processes can be managed by invoking the driver\u2019s IOCTLs <span style=\"font-family: courier new, courier, monospace;\">0x220358<\/span>, <span style=\"font-family: courier new, courier, monospace;\">0x22035C<\/span>, <span style=\"font-family: courier new, courier, monospace;\">0x220354<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">0x220350<\/span>. To hide a process, the driver hooks execution of the <span style=\"font-family: courier new, courier, monospace;\">NtQuerySystemInformation<\/span> system call and modifies its output if information about running processes is being retrieved (i.e., if <span style=\"font-family: courier new, courier, monospace;\">SystemProcessInformation<\/span> is passed to the <span style=\"font-family: courier new, courier, monospace;\">SystemInformationClass<\/span> parameter). If any of the processes retrieved by this API function match a process from the driver\u2019s list of hidden processes, the driver removes this process from the function\u2019s output. The way the kernel driver hooks the <span style=\"font-family: courier new, courier, monospace;\">NtQuerySystemInformation<\/span> system call seems to be heavily based on source code from the <a href=\"https:\/\/github.com\/FiYHer\/InfinityHookPro\">InfinityHookPro<\/a> project.<\/p>\n<h6>Hiding network activity<\/h6>\n<p>The driver can be configured to hide specific active connections (with a specified IP, port, or combination of both) so that they won\u2019t be listed in the output of common network administration tools such as <span style=\"font-family: courier new, courier, monospace;\">netstat.exe<\/span>. This is achieved by a well-known technique (e.g., <a href=\"https:\/\/repnz.github.io\/posts\/autochk-rootkit-analysis\/#network-connections-hiding\">[1]<\/a>, <a href=\"https:\/\/securelist.com\/ghostemperor-from-proxylogon-to-kernel-mode\/104407\/\">[2]<\/a>, <a href=\"https:\/\/github.com\/claudiouzelac\/rootkit.com\/blob\/c8869de5a947273c9c151b44aa39643a7fea531c\/cardmagic\/PortHidDemo_Vista.c\">[3]<\/a>, \u2026 ), where attackers hook <span style=\"font-family: courier new, courier, monospace;\">IoCompletionRoutine<\/span> for IOCTL <span style=\"font-family: courier new, courier, monospace;\">0x12001B<\/span> inside the <span style=\"font-family: courier new, courier, monospace;\">DeviceIoControl<\/span> function of the <span style=\"font-family: courier new, courier, monospace;\">nsiproxy.sys<\/span> Windows kernel driver. The code inside nsiproxy\u2019s <span style=\"font-family: courier new, courier, monospace;\">0x12001B<\/span> IOCTL handler is responsible for retrieving the list of active connections, and hooking its <span style=\"font-family: courier new, courier, monospace;\">IoCompletionRoutine<\/span> allows attackers to walk through the retrieved list, check for the presence of specific ports, addresses, or both, and hide the specific connection in the list if a match is found. Figure\u00a08 shows the hook function responsible for hiding network connections.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. Hex-Rays decompilation of nsiproxy\u2019s IoCompletionRoutine hook responsible for hiding network connections\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-8.png\" alt=\"Figure 8. Hex-Rays decompilation of nsiproxy\u2019s IoCompletionRoutine hook\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. Hex-Rays decompilation of nsiproxy\u2019s <\/em><span style=\"font-family: courier new, courier, monospace;\">IoCompletionRoutine<\/span><em> hook responsible for hiding network connections<\/em><\/figcaption><\/figure>\n<p>In addition to the hiding of active network connections, the driver contains an interesting functionality allowing it to divert TCP packets received on any open TCP port, to the specified TCP port configured by the IOCTL <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span> (it\u2019s actually the port of the SprySOCKS backdoor\u2019s TCP server), but only in the case that the TCP data received contains specially crafted data. To achieve this, the driver registers its own packet filter objects using Windows Filtering Platform (WFP) API functions, manually parses contents of transferred IPv4 packets (both inbound and outbound traffic is inspected), and proceeds to divert the traffic if the specially crafted data is detected inside a received TCP packet data. The purpose of this feature seems to be mainly a capability to contact the malicious backdoor without the need to embed a C&amp;C address inside the binary. Additionally, even though such diverted traffic can be inspected using tools such as Wireshark, the real port (the one the traffic is diverted to) is not revealed; thus it can be difficult to investigate the real destination for this malicious traffic.<\/p>\n<p>Installed packet filters, along with their identifying information, are listed in Table\u00a02.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a02. WFP filter objects registered by the RawWNPF driver<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"160\"><strong>Filter layer name<\/strong><\/td>\n<td width=\"265\"><strong>Filter object name and GUID<\/strong><\/td>\n<td width=\"218\"><strong>Filter object callout name and GUID<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">Inbound IP Packet v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Delivery Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{E980088D-BE44-4057-8E5C-C7FDF8968795}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COInbound<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{DE0D7F67-94ED-4DDB-8215-9C028B54661B}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">Outbound IP Packer v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Delivery Optimization (TCP-Out)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{33F76397-DBCB-445E-8EC3-AA51ED302D15}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COOutbound<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{8280DDF3-7489\u20114402-B9D8-96B50912346B}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE Connect v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Delivery Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{5746AF70-2917\u20114861-97E6-D5E4DD569F2D}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthConnect<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{A33E1AA8-9B0F-44A3-B24A-AEB04CA54C3B}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE Listen v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Delivery Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{7CB4DFB4-0D20-402D-A49D-BA9660D026E6}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthListen<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{40045FAF-6BAE-4B48-9119\u201131B48FFEA629}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE Receive\/Accept v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Delivery Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{2C1AB6EF-0B65-4634\u20118666-BCB2CF9C72E9}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthAccept<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{DDFE5189\u2011389F-437F-9B92-59495ED2181A}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE ResourceAssignment v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Delivery Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{B4AE248F-98D5-446F-88EB-14CF605AE722}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthResAssignment<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{FE570356-A1A9-413C-94CC-BD6C448E9969}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h6>Hiding the backdoor\u2019s files<\/h6>\n<p>The driver hides\/protects the SprySOCKS backdoor\u2019s files by registering itself as a minifilter driver, and installing the following callbacks:<\/p>\n<ul>\n<li>pre-operation callback triggered on every <span style=\"font-family: courier new, courier, monospace;\">IRP_MJ_CREATE<\/span> I\/O request and responsible for returning <span style=\"font-family: courier new, courier, monospace;\">STATUS_NO_SUCH_FILE<\/span> on every attempt to create or open a file or a directory from the driver\u2019s list of hidden\/protected files,<\/li>\n<li>pre-operation callback triggered on every <span style=\"font-family: courier new, courier, monospace;\">IRP_MJ_DIRECTORY_CONTROL I\/O<\/span> request and responsible for filtering out non-directory-enumeration related requests, so that only the ones related to directory enumeration are passed to the post-operation callback, and<\/li>\n<li>post-operation callback triggered on <span style=\"font-family: courier new, courier, monospace;\">IRP_MJ_DIRECTORY_CONTROL I\/O<\/span> requests that passed pre-operation callback checks. This callback is responsible for removing entries of hidden\/protected files from any directory listing attempts.<\/li>\n<\/ul>\n<p>The following hardcoded list of filenames are protected by the driver:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\SystemRoot\\Fonts\\tpsvc.dll<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\SystemRoot\\Fonts\\tpsvcloc.dll<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\SystemRoot\\Fonts\\ApphostRagistreationVerifier.exe<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\SystemRoot\\Fonts\\X1B5206BDC1743DD.dat<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\SystemRoot\\Fonts\\KX1B5206BDC1743DD.dat<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">\\SystemRoot\\Fonts\\KW1B5206BDC1743FP.dat<\/span><\/li>\n<\/ul>\n<h6>Protecting persistence<\/h6>\n<p>The driver calls <span style=\"font-family: courier new, courier, monospace;\">CmRegisterCallbackEx<\/span> to install a <span style=\"font-family: courier new, courier, monospace;\">RegistryCallback<\/span> routine responsible for hiding the registry key used for the SprySOCKS loader\u2019s persistence: <span style=\"font-family: courier new, courier, monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vds.exe<\/span>. As a result, all attempts to open or enumerate the key are filtered out by the driver.<\/p>\n<h4>WIN_PLUS components<\/h4>\n<p>In the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> version, we first discovered the malicious encrypted container in our telemetry, with the first hit dating back to July 2024 found on the device of a victim in Pakistan. It contained the SprySOCKS backdoor and the SprySOCKS loader. The C&amp;C configuration was present and is shown in Figure\u00a09.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. C&amp;C configuration from the WIN_PLUS version of SprySOCKS\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-9.png\" alt=\"Figure 9. C&amp;C configuration from the WIN_PLUS version of SprySOCKS\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. C&amp;C configuration from the <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> version of SprySOCKS<\/em><\/figcaption><\/figure>\n<p>The encrypted container was located at the following path on the compromised system:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\drivers\\color\\config.dat<\/span><\/p>\n<p>When decrypted, the container contains a SprySOCKS loader and the SprySOCKS backdoor itself. Further analysis of the SprySOCKS backdoor from the container showed that, in this case, there seemed to be an additional component responsible for loading the SprySOCKS loader from the encrypted container. This component \u2013 referenced to as the first-stage loader in this analysis \u2013 should be installed as a <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/012\/\">print processor<\/a> under the following registry key:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\VSPMsg<\/span><\/p>\n<p>Interestingly, when we searched our telemetry for anything related to this <span style=\"font-family: courier new, courier, monospace;\">VSPMsg<\/span> string, we discovered a file deployed on two different victim devices from Honduras at <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\prtprocs\\x64\\VSPMsg.dll<\/span>. This file turned out to be the first-stage loader responsible for executing the SprySOCKS loader from the aforementioned <span style=\"font-family: courier new, courier, monospace;\">config.dat<\/span> file.<\/p>\n<p>An execution diagram of the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant is illustrated in Figure\u00a010.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 10. SprySOCKS WIN_PLUS variant execution scheme\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-10.png\" alt=\"Figure 10. SprySOCKS WIN_PLUS variant execution scheme\" width=\"\" height=\"\"\/><figcaption><em>Figure 10. SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> variant execution scheme<\/em><\/figcaption><\/figure>\n<h5>First-stage loader<\/h5>\n<p>This loader starts by checking whether it was executed by <span style=\"font-family: courier new, courier, monospace;\">spoolsv.exe<\/span>, and exits if not; this hides its behavior from automated malware analysis sandboxes, as the loader is intended to be run as a print processor. It continues decrypting the SprySOCKS loader from the encrypted container <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\drivers\\\u200ccolor\\config.dat<\/span>. First it 128-bit AES-ECB decrypts the loader with the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>, then injects it into the newly created <span style=\"font-family: courier new, courier, monospace;\">svchost.exe<\/span> process via <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/013\/\">process doppelg\u00e4nging<\/a>. Meanwhile, the SprySOCKS loader is dropped into a temporary file, with a filename prefix of <span style=\"font-family: courier new, courier, monospace;\">TH<\/span>, within the <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> directory.<\/p>\n<p>The sample exports two functions:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">GetErrorMessageModule<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SetErrorMessageModule<\/span><\/li>\n<\/ul>\n<p>While the <span style=\"font-family: courier new, courier, monospace;\">SetErrorMessageModule<\/span> function does not do anything, the <span style=\"font-family: courier new, courier, monospace;\">GetErrorMessageModule<\/span> function is meant to be used to set persistence for the loader itself. When executed, it registers the loader as a print processor by creating the <span style=\"font-family: courier new, courier, monospace;\">HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\VSPMsg<\/span> registry key, setting the <span style=\"font-family: courier new, courier, monospace;\">Driver<\/span> registry value to <span style=\"font-family: courier new, courier, monospace;\">VSPMsg.dll<\/span>, and copying the hardcoded <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft Event\\PFs\\VSPMsg.dll<\/span> to the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\prtprocs\\x64\\<\/span> directory. As the next step, it copies the encrypted container from <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft Event\\PFs\\config.dat<\/span> to <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\drivers\\color\\config.dat<\/span> and, when done, it generates and drops the <span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span> batch script into the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\drivers\\color\\<\/span> directory and executes it. As shown in Figure\u00a011, this script\u2019s purpose is to cover the loader\u2019s tracks by removing the files in the original deployment directory, and triggering execution of the newly installed print processor by restarting the print spooler service.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 11. affair-build.bat batch script used by the first-stage SprySOCKS WIN_PLUS loader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-11.png\" alt=\"Figure 11. affair-build.bat batch script used by the first-stage SprySOCKS WIN_PLUS loader\" width=\"\" height=\"\"\/><figcaption><em>Figure 11. <\/em><span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span><em> batch script used by the first-stage SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> loader<\/em><\/figcaption><\/figure>\n<h5>SprySOCKS loader<\/h5>\n<p>This loader starts by creating a mutex with the hardcoded name <span style=\"font-family: courier new, courier, monospace;\">fqwhi2d1qaz2<\/span>, and then proceeds to loading the SprySOCKS backdoor from the encrypted container located at <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32\\spool\\drivers\\color\\\u200cconfig.dat<\/span>. It 128-bit AES-ECB decrypts the backdoor with the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>, then injects it into the newly created svchost.exe process via <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/013\/\">process doppelg\u00e4nging<\/a>. Meanwhile, the SprySOCKS loader is dropped into a temporary file, with a filename prefix of <span style=\"font-family: courier new, courier, monospace;\">TH<\/span>, within the <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> directory.<\/p>\n<h4>SprySOCKS backdoor<\/h4>\n<p>Finally, we proceed to our analysis of the SprySOCKS backdoor itself. In both variants, <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> and <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>, the backdoor functionality is almost the same, and the differences are only in the specific file paths used, registry keys used, and as already mentioned, the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> version does not use the RawWNPF driver for advanced stealthiness.<\/p>\n<p>Both variants analyzed in this report are DLLs with the original name <span style=\"font-family: courier new, courier, monospace;\">PrcsServer.dll<\/span>, exporting a function named <span style=\"font-family: courier new, courier, monospace;\">Stop<\/span>. They create a mutex named <span style=\"font-family: courier new, courier, monospace;\">prcs-server-run<\/span> in the beginning and right after that proceed to the initialization of the backdoor\u2019s main functionality, which includes initialization and launching of C&amp;C communication channels (based on the hardcoded configuration) and setting up the keylogger. In addition to these actions, the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> backdoor version initializes the RawWNPF driver by invoking its <span style=\"font-family: courier new, courier, monospace;\">0x222000<\/span> IOCTL handler, and then hides its own process by invoking the driver\u2019s <span style=\"font-family: courier new, courier, monospace;\">0x220350<\/span> IOCTL.<\/p>\n<p>Keylogging is activated only if there is an existing INI file at <span style=\"font-family: courier new, courier, monospace;\">%appdata%\\Microsoft\\Vault\\lgf.dat<\/span> that contains a <span style=\"font-family: courier new, courier, monospace;\">config<\/span> section with a property named <span style=\"font-family: courier new, courier, monospace;\">key<\/span> that is set to <span style=\"font-family: courier new, courier, monospace;\">1<\/span>. If these conditions are met, both backdoors create a mutex named <span style=\"font-family: courier new, courier, monospace;\">Global\\{DCAA7ED8-521B-4EAB-BE21-65254CF59239}<\/span> and periodically log clipboard data along with the active window title and keystrokes into the file <span style=\"font-family: courier new, courier, monospace;\">%appdata%\\Microsoft\\Vault\\lg.dat<\/span>. The data in the file is encrypted using a single-byte XOR cipher with the key <span style=\"font-family: courier new, courier, monospace;\">0x44<\/span>.<\/p>\n<h5>C&amp;C communication<\/h5>\n<p>The backdoor supports three protocols for communication with the C&amp;C \u2013 TCP, UDP, and WebSocket \u2013 and can act as both client and server. The networking-related functionality is heavily based on the <a href=\"https:\/\/github.com\/ldcsaa\/HP-Socket\/tree\/master\">HP-Socket<\/a> networking framework, and some cryptography functions were implemented using the <a href=\"https:\/\/github.com\/weidai11\/cryptopp\/tree\/master\">Crypto++<\/a> library.<\/p>\n<p>The C&amp;C configuration is embedded in the backdoor, and can contain:<\/p>\n<ul>\n<li>up to three IP addresses and associated ports, each specifying a C&amp;C IP address and its port for one of the communication channels (TCP, UDP, or WebSocket), and<\/li>\n<li>up to three port numbers, each specifying a port the backdoor should listen on for new connections. One is used for a TCP server, one for a UDP server, and one for a WebSocket server.<\/li>\n<\/ul>\n<p>An example configuration from the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> version is shown in Figure\u00a09 and it contains:<\/p>\n<ul>\n<li>The C&amp;C address and port for the TCP communication channel: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36:443<\/span>.<\/li>\n<li>The C&amp;C address and port for the UDP communication channel: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36:53<\/span>.<\/li>\n<li>The C&amp;C address and port for the WebSocket communication channel: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36:80<\/span>.<\/li>\n<li>The backdoor\u2019s TCP server listening port: <span style=\"font-family: courier new, courier, monospace;\">53781<\/span>.<\/li>\n<\/ul>\n<p>Before initiating any connections or starting a server, the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version hides any connections from\/to the addresses or ports from the configuration by invoking the RawWNPF driver\u2019s IOCTLs <span style=\"font-family: courier new, courier, monospace;\">0x220340<\/span> and <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span>. As a result, these connections won\u2019t be listed in output of tools such as <span style=\"font-family: courier new, courier, monospace;\">netstat.exe<\/span>, despite being active. In addition, both backdoor versions execute the <span style=\"font-family: courier new, courier, monospace;\">netsh.exe<\/span> utility twice:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">netsh.exe netsh advfirewall firewall delete rule name=\u00bbCore Networking &#8211; Packet Too Big(ICMPv6 &#8211; In)\u00bb<\/span><\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">netsh advfirewall firewall add rule name=\u00bbCore Networking &#8211; Packet Too Big(ICMPv6 &#8211; In)\u00bb dir=in action=allow protocol=tcp localport=53781<\/span><\/p>\n<p>The first command deletes a specified firewall rule, and the second adds a new firewall rule of the same name as the one just deleted, allowing all inbound TCP traffic sent to the backdoor\u2019s TCP server port specified in the configuration.<\/p>\n<p>If the C&amp;C configuration is empty (as in the case of the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> version we discovered on VirusTotal), the backdoor starts a TCP server that listens on a random port on the compromised machine and also hides this port by invoking the RawWNPF driver\u2019s IOCTL <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span>. This invocation not only hides the TCP server from being listed in standard networking tools\u2019 output, but also activates the TCP-diverting feature provided by the RawWNPF driver. This feature allows attackers to send commands to the backdoor without knowing the real port the backdoor listens on, simply by sending specially crafted TCP data to any open TCP port on the victim\u2019s machine.<\/p>\n<p>For the TCP communication channel, the C&amp;C protocol seems to remain the same as in the Linux version analyzed in Trend Micro\u2019s <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/i\/earth-lusca-employs-new-linux-backdoor.html\">report<\/a>. Each time before sending the actual backdoor\u2019s data, it sends a 12-byte header containing the 32-bit CRC of the rest of the header, a DWORD magic value <span style=\"font-family: courier new, courier, monospace;\">0xACACBCBC<\/span>, and a DWORD specifying the size of the data that follows the header.<\/p>\n<p>For the UDP and WebSocket channels, the magic values are different, and so are the message header format and size. For the UDP channel, the magic value is <span style=\"font-family: courier new, courier, monospace;\">0xACACBFBC<\/span> and it\u2019s located at offset <span style=\"font-family: courier new, courier, monospace;\">0x1C<\/span> in a 36-byte header, followed by a DWORD specifying the size of the data that follows. In the WebSocket channel, the magic value <span style=\"font-family: courier new, courier, monospace;\">0x1BDCCBAA<\/span> is used as a <span style=\"font-family: courier new, courier, monospace;\">Masking-Key<\/span> in the WebSocket <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc6455#section-5.2\">header<\/a>. Figure\u00a012 shows a network traffic capture with the magic values for each of the communication channels.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 12. SprySOCKS network-traffic capture showing the magic values used in TCP, UDP, and WebSocket (from top to bottom, respectively) C&amp;C communication channels\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-12.png\" alt=\"Figure 12. SprySOCKS network-traffic capture showing the magic values\" width=\"\" height=\"\"\/><figcaption><em>Figure 12. SprySOCKS network-traffic capture showing the magic values used in TCP, UDP, and WebSocket (from top to bottom, respectively) C&amp;C communication channels<\/em><\/figcaption><\/figure>\n<p>Following the header is, again, a 32-bit CRC, then the WORD value <span style=\"font-family: courier new, courier, monospace;\">0x0003<\/span> (likely indicating the encryption method), followed by 128-bit AES-ECB mode encrypted data (using the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">QFTHEYjzX3RBOMgZ<\/span>) that has been base64 encoded.<\/p>\n<p>An example of a C&amp;C message before and after decoding and decryption is shown in Figure\u00a013.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 13. Example SprySOCKS C&amp;C message as seen in Wireshark (left), and its contents after decoding and decryption (right)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-13.png\" alt=\"Figure 13. Example SprySOCKS C&amp;C message\" width=\"\" height=\"\"\/><figcaption><em>Figure 13. Example SprySOCKS C&amp;C message as seen in Wireshark (left), and its contents after decoding and decryption (right)<\/em><\/figcaption><\/figure>\n<p>The <span style=\"font-family: courier new, courier, monospace;\">__msgid<\/span> value in the decrypted C&amp;C message is used to specify a command, identified by a message ID, that should be executed by the backdoor. The list of message IDs supported by the backdoor, along with their description, can be found in Table\u00a03. Note that we haven\u2019t analyzed all these commands in depth; therefore, some descriptions are just a rough overview of the part of the code\/functionality the message ID is related to.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a03. SprySOCKS C&amp;C commands; descriptions marked with * are tentative assessments<\/em><\/p>\n<table style=\"height: 774px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><strong>Message\u00a0ID<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"558\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x09<\/span><\/td>\n<td style=\"height: 72px;\" width=\"558\">Collect client (victim) system information, including: computer name, OS version, network adapter information, information about memory, CPU information, current privileges, system language and version, current time, and the backdoor version (<span style=\"font-family: courier new, courier, monospace;\">1.8<\/span>) and version type (<span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> or <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>).<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0A<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Start an interactive console.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0B<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Write into the interactive console.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0D<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Stop the interactive console.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0E<\/span><\/td>\n<td style=\"height: 36px;\" width=\"558\">Specify an additional communication channel (do not start the channel). Likely to specify an additional backup C&amp;C.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0F<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Send C&amp;C message to a different target.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x11<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate all processes.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x12<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate modules of a process specified by a PID.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x13<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Terminate a process specified by a PID.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x14<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Close all connections.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x16<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Get current communication channel information.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x17<\/span><\/td>\n<td style=\"height: 36px;\" width=\"558\">Specify additional communication channels (TCP, UDP, or WebSocket) and start them.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x19<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Uninstall the backdoor and exit.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x1E<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate all services.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x1F<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Configure <span style=\"font-family: courier new, courier, monospace;\">StartType<\/span> for a specified service.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x20<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Start services with a specified name.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x21<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Invoke the <span style=\"font-family: courier new, courier, monospace;\">ControlService<\/span> function with a specified <span style=\"font-family: courier new, courier, monospace;\">dwControl<\/span> parameter.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x22<\/span><\/td>\n<td style=\"height: 36px;\" width=\"558\">Delete a specified service from the service manager. This does not stop the service if it\u2019s running.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x23<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Initialize SOCKS proxy.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x24<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Terminate SOCKS proxy.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x25<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Send data through SOCKS proxy.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x26<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">SOCKS proxy-related command.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2A<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Upload a specified file.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2B<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">File-transfer-related helper command.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2C<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Download a specified file.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2D<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">File-transfer-related helper command.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3C<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate free disk space.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3D<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">List files in the specified directory.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3E<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Delete a specified file.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3F<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Create a specified directory.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x40<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Rename a specified file.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x41<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Execute an existing file.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x42<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Copy a specified file.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x43<\/span><\/td>\n<td style=\"height: 54px;\" width=\"558\">List files from the <span style=\"font-family: courier new, courier, monospace;\">Recent<\/span> Windows directories for the logged-in user:<br \/><span style=\"font-family: courier new, courier, monospace;\">%APPDATA%\\Microsoft\\Windows\\Recent\\<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">%APPDATA%\\Microsoft\\Office\\Recent\\<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Network infrastructure<\/h2>\n<p>Only one C&amp;C address has been discovered in this campaign: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36<\/span>, hardcoded in the configuration (shown in Figure\u00a09) of the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant of the SprySOCKS backdoor.<\/p>\n<p>Ports from the configuration that should be used by the backdoor to communicate with the C&amp;C:<\/p>\n<ul>\n<li>TCP: <span style=\"font-family: courier new, courier, monospace;\">443<\/span><\/li>\n<li>UDP: <span style=\"font-family: courier new, courier, monospace;\">53<\/span><\/li>\n<li>WebSocket: <span style=\"font-family: courier new, courier, monospace;\">80<\/span><\/li>\n<\/ul>\n<p>As mentioned in Trend Micro\u2019s report, the IP address <span style=\"font-family: courier new, courier, monospace;\">207.148.75[.]122<\/span>, from the same IP range <span style=\"font-family: courier new, courier, monospace;\">207.148.64.0\/20<\/span> as the C&amp;C above, was used by FishMonger operators as a SprySOCKS delivery server in June 2023. This IP range belongs to the Vultr cloud hosting provider.<\/p>\n<h2>Conclusion<\/h2>\n<p>The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger&#8217;s cross-platform capabilities. Our analysis shows that the Windows port retains most of the core architecture of its Linux predecessor \u2013 including the C&amp;C protocol, encryption used, and overall command handling logic \u2013 while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game. Considering the limited indications of possible UEFI bootkit involvement, we advise everyone to keep a close eye on the group\u2019s activities.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=fishmongers-arsenal-upgraded-sprysocks-windows&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA\u20111<\/strong><\/td>\n<td width=\"104\"><strong>Filename<\/strong><\/td>\n<td width=\"132\"><strong>Detection<\/strong><\/td>\n<td width=\"227\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">955BFC3DCC867256F9F4<wbr\/>6A606DEB0779FA3416D8<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">KX1B5206BDC<wbr\/>1743DD.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted SprySOCKS DriverLoader driver.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">44DC4A08C5EB0972C8E1<wbr\/>8B0E01284E06F09006BB<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">bthcam.sys<\/span><\/td>\n<td width=\"132\">Win64\/Agent.ESB<\/td>\n<td width=\"227\">SprySOCKS DriverLoader driver.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">AB87B29B6F79487C75CA<wbr\/>08D102E79001E536F083<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">KW1B5206BDC<wbr\/>1743FP.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted SprySOCKS RawWNPF driver.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">6490B8E4AADE25A3EE2D<wbr\/>A9A47F312DB2122470BC<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">X1B5206BDC1<wbr\/>743DD.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted container of the encrypted <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant of SprySOCKS backdoor, encrypted SprySOCKS RawWNPF and SprySOCKS DriverLoader drivers.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">E7484C24B88A1A2407A8<wbr\/>F09D734F9A993670285B<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">klelam00007<wbr\/>.zip<\/span><\/td>\n<td width=\"132\">Win64\/Agent.CXZ<br \/>Win64\/SprySOCKS.A<br \/>BAT\/Runner.KS<\/td>\n<td width=\"227\">ZIP archive from VirusTotal containing the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant of SprySOCKS, along with all the backdoor&#8217;s components; clean binaries used for side-loading are included.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">621D1952839BE4B0A1B0<wbr\/>E66E87BCE5062CA368ED<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span><\/td>\n<td width=\"132\">Win64\/Agent.CXZ<\/td>\n<td width=\"227\">SprySOCKS loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">2457EED2AB28E37741F1<wbr\/>0914EF929DAD2C8079D4<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">VSPMsg.dll<\/span><\/td>\n<td width=\"132\">Win64\/Agent.CXZ<\/td>\n<td width=\"227\">First-stage loader responsible for launching the SprySOCKS loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">D2C706B1EAF662BF0CE1<wbr\/>24B5032F73ED84BDA24A<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\"><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant of the SprySOCKS backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5F3B87CEF56683D9A9E1<wbr\/>9186E0FD0D8019B559C4<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"132\">Win64\/Agent.CXZ<\/td>\n<td width=\"227\">SprySOCKS loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C793CA31E3F6628B5C89<wbr\/>86146953BF66232E9A30<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">config.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted container of the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant of the SprySOCKS backdoor and its loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">037DB2445F3D72388CB2<wbr\/>CF8510563148E5A184BE<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"132\">BAT\/Runner.KS<\/td>\n<td width=\"227\">Batch script that persists the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant of SprySOCKS.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"141\"><strong>IP<\/strong><\/td>\n<td width=\"76\"><strong>Domain<\/strong><\/td>\n<td width=\"132\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"76\"><strong>First\u00a0seen<\/strong><\/td>\n<td width=\"218\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"141\"><span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36<\/span><\/td>\n<td width=\"76\">N\/A<\/td>\n<td width=\"132\">IRT\u2011CHOOPALLC\u2011AP<\/td>\n<td width=\"76\">N\/A<\/td>\n<td width=\"218\">C&amp;C IP hardcoded in the SprySOCKS backdoor (<span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 19<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/p>\n<table style=\"height: 2226px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px; width: 107px;\" width=\"113\"><strong>Tactic<\/strong><\/td>\n<td style=\"height: 18px; width: 70px;\" width=\"113\"><strong>ID<\/strong><\/td>\n<td style=\"height: 18px; width: 148px;\" width=\"151\"><strong>Name<\/strong><\/td>\n<td style=\"height: 18px; width: 302px;\" width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 90px;\">\n<td style=\"height: 162px; width: 107px;\" rowspan=\"2\" width=\"113\"><strong>Reconnaissance<\/strong><\/td>\n<td style=\"height: 90px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1592\/004\">T1592.004<\/a><\/td>\n<td style=\"height: 90px; width: 148px;\" width=\"151\">Gather Victim Host Information: Client Configurations<\/td>\n<td style=\"height: 90px; width: 302px;\" width=\"265\">SprySOCKS can collect information about the compromised device, including: computer name, OS version, information about memory and CPU, current privileges, system language and version, current time, and more.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1590\/005\">T1590.005<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Gather Victim Network Information: IP Addresses<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS can collect information about the compromised device, including information about network interfaces and assigned IP addresses.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 107px;\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1587\/001\">T1587.001<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Develop Capabilities: Malware<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">FishMonger has developed custom malware for its operations, including the SprySOCKS backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 73px;\">\n<td style=\"height: 181px; width: 107px;\" rowspan=\"4\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td style=\"height: 73px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1059\/003\">T1059.003<\/a><\/td>\n<td style=\"height: 73px; width: 148px;\" width=\"151\">Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td style=\"height: 73px; width: 302px;\" width=\"265\">SprySOCKS can launch an interactive <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span> command shell, which allows the attackers to execute commands remotely on the compromised machine.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1053\/005\">T1053.005<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Scheduled Task\/Job: Scheduled Task<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS uses a scheduled task to execute its loader on system start.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1569\/002\">T1569.002<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">System Services: Service Execution<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS abuses system services for both one-time and persistent execution.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1106\">T1106<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Native API<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">FishMonger has used Windows APIs to execute code within a victim\u2019s system.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 107px;\" width=\"113\"><strong>Persistence<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1547\/012\">T1547.012<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Boot or Logon Autostart Execution: Print Processors<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">To achieve persistence, FishMonger installs its malicious loader as a print processor.<\/td>\n<\/tr>\n<tr style=\"height: 112px;\">\n<td style=\"height: 112px; width: 107px;\" width=\"113\"><strong>Privilege Escalation<\/strong><\/td>\n<td style=\"height: 112px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1546\/012\">T1546.012<\/a><\/td>\n<td style=\"height: 112px; width: 148px;\" width=\"151\">Event Triggered Execution: Image File Execution Options Injection<\/td>\n<td style=\"height: 112px; width: 302px;\" width=\"265\">SprySOCKS can install itself as a debugger for the Virtual Disk Service by modifying <span style=\"font-family: courier new, courier, monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vds.exe\\debugger<\/span>.<\/td>\n<\/tr>\n<tr style=\"height: 90px;\">\n<td style=\"height: 687px; width: 107px;\" rowspan=\"12\" width=\"113\"><strong>Stealth<\/strong><\/td>\n<td style=\"height: 90px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1205\/002\">T1205.002<\/a><\/td>\n<td style=\"height: 90px; width: 148px;\" width=\"151\">Traffic Signaling: Socket Filters<\/td>\n<td style=\"height: 90px; width: 302px;\" width=\"265\">SprySOCKS uses the RawWNPF kernel driver to install packet filters capable of redirecting any inbound TCP traffic to the configured local port if a special magic value is detected in the packet.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 55px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1134\/002\">T1134.002<\/a><\/td>\n<td style=\"height: 55px; width: 148px;\" width=\"151\">Access Token Manipulation: Create Process with Token<\/td>\n<td style=\"height: 55px; width: 302px;\" width=\"265\">FishMonger uses <span style=\"font-family: courier new, courier, monospace;\">CreateProcessAsUser<\/span> to execute a new process with a token obtained from the print spooler service.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 55px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1622\">T1622<\/a><\/td>\n<td style=\"height: 55px; width: 148px;\" width=\"151\">Debugger Evasion<\/td>\n<td style=\"height: 55px; width: 302px;\" width=\"265\">SprySOCK\u2019s RawWNPF driver uses the <span style=\"font-family: courier new, courier, monospace;\">KdDisableDebugger<\/span> function to disable the kernel debugger, if active.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1140\">T1140<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS loader decrypts the SprySOCKS backdoor from an encrypted file. Additionally, most of the strings in the SprySOCKS components are encrypted.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1070\/004\">T1070.004<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Indicator Removal: File Deletion<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">The SprySOCKS loader removes original files from the deployment directory after copying them and setting up persistence.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1070\/009\">T1070.009<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Indicator Removal: Clear Persistence<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS loader removes a service registry value associated with the previously installed malicious minifilter driver after executing the driver.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\/007\">T1027.007<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Obfuscated Files or Information: Dynamic API Resolution<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS components use dynamic API resolution.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\/013\">T1027.013<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Obfuscated Files or Information: Encrypted\/Encoded File<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS components are stored in an AES-encrypted file on the victim\u2019s drive.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 55px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1055\/013\">T1055.013<\/a><\/td>\n<td style=\"height: 55px; width: 148px;\" width=\"151\">Process Injection: Process Doppelg\u00e4nging<\/td>\n<td style=\"height: 55px; width: 302px;\" width=\"265\">The SprySOCKS loader uses process doppelg\u00e4nging to inject the backdoor into the <span style=\"font-family: courier new, courier, monospace;\">svchost.exe<\/span> process.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1014\">T1014<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Rootkit<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">FishMonger uses the RawWNPF kernel driver, which serves as a rootkit responsible for hiding the SprySOCKS malicious activity.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1497\">T1497<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Virtualization\/Sandbox Evasion<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS uses several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1574\/002\">T1574.002<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"113\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"151\">FishMonger uses DLL side-loading to execute the SprySOCKS backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 107px;\" width=\"113\"><strong>Defense Impairment<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1562\/004\">T1562.004<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Disable or Modify System Firewall<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS adds a firewall rule allowing any inbound traffic sent to the backdoor\u2019s listening port.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 435px; width: 107px;\" rowspan=\"7\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1010\">T1010<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Application Window Discovery<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS retrieves the active foreground window name as a part of its keylogging functionality.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1083\">T1083<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">File and Directory Discovery<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS can obtain file and directory listings from the compromised system.<\/td>\n<\/tr>\n<tr style=\"height: 111px;\">\n<td style=\"height: 111px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1518\/001\">T1518.001<\/a><\/td>\n<td style=\"height: 111px; width: 148px;\" width=\"151\">Software Discovery: Security Software Discovery<\/td>\n<td style=\"height: 111px; width: 302px;\" width=\"265\">SprySOCKS components check for the presence of security and sandboxing product libraries (<span style=\"font-family: courier new, courier, monospace;\">snxhk.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxWrapper.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxIn.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SXIn64.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SbieDll.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">cmdvrt32.dll<\/span>) in their own processes.<\/td>\n<\/tr>\n<tr style=\"height: 90px;\">\n<td style=\"height: 90px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1082\">T1082<\/a><\/td>\n<td style=\"height: 90px; width: 148px;\" width=\"151\">System Information Discovery<\/td>\n<td style=\"height: 90px; width: 302px;\" width=\"265\">SprySOCKS can collect information about the compromised device, including: computer name, OS version, information about memory and CPU, current privileges, system language and version, current time, and more.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1614\/001\">T1614.001<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">System Location Discovery: System Language Discovery<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS can collect information about the compromised device, including system language.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1007\">T1007<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">System Service Discovery<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS can enumerate all services on the system.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1124\">T1124<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">System Time Discovery<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS can collect information about the compromised device, including current system time.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 90px; width: 107px;\" rowspan=\"2\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1056\/001\">T1056.001<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Input Capture: Keylogging<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS implements a keylogger.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1115\">T1115<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Clipboard Data<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS logs clipboard data, along with the captured keystrokes, as a part of its keylogging functionality.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 289px; width: 107px;\" rowspan=\"6\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1132\/001\">T1132.001<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Data Encoding: Standard Encoding<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS uses base64 encoding in its custom C&amp;C communication protocol.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1573\/001\">T1573.001<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Encrypted Channel: Symmetric Cryptography<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS encrypts data sent to, and decrypts data received from, the C&amp;C with 128-bit AES.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1008\">T1008<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Fallback Channels<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">In addition to the TCP communication channel, SprySOCKS can contact its C&amp;C using UDP and WebSocket channels.<\/td>\n<\/tr>\n<tr style=\"height: 73px;\">\n<td style=\"height: 73px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1665\">T1665<\/a><\/td>\n<td style=\"height: 73px; width: 148px;\" width=\"151\">Hide Infrastructure<\/td>\n<td style=\"height: 73px; width: 302px;\" width=\"265\">SprySOCKS\u2019s RawWNPF driver hides the backdoor\u2019s active connections from being enumerated when using network tools such as <span style=\"font-family: courier new, courier, monospace;\">netstat.exe<\/span>.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1571\">T1571<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Non-Standard Port<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS uses nonstandard ports to communicate with the C&amp;C.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1095\">T1095<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Non-Application Layer Protocol<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS uses nonstandard protocols to communicate with the C&amp;C.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 107px;\" width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1041\">T1041<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS can upload various files from the compromised system to the C&amp;C.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=fishmongers-arsenal-upgraded-sprysocks-windows&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by<\/p>\n","protected":false},"author":1,"featured_media":381,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=380"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/380\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/381"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}