SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection
Analysis
TL;DR
- FishMonger deploys Windows backdoor SprySOCKS using kernel drivers for stealth.
- Tool discovered by ESET; active against Honduras, Taiwan, Thailand, Pakistan governments.
- WIN_DRV variant uses two encrypted kernel drivers to hide processes from system calls.
- DriverLoader signed with exposed certificate from open-source project on GitHub.
Key Data
| Entity | Key Info | Data/Metrics |
|---|---|---|
| FishMonger | Threat group, linked to i-Soon/PRC | Also known as Earth Lusca, Aquatic Panda |
| SprySOCKS | Backdoor tool (Windows variant) | Originally a Linux backdoor (2023) |
| WIN_DRV | Advanced variant using kernel drivers | Uses two encrypted drivers: fsdiskbit.sys (DriverLoader) & RawWNPF |
| DriverLoader | First kernel driver | Signed with exposed certificate from PastDSE project on GitHub |
| RawWNPF | Second kernel driver | Hides processes by hooking NtQuerySystemInformation system call |
| Primary Targets | Government organizations | Deployed in 2023-2024 in Honduras, Taiwan, Thailand, Pakistan |
Deep Analysis
The revelation of SprySOCKS for Windows isn't just another malware variant; it’s a clear escalation in the operational tradecraft of state-linked threat actors. The move from Linux to a Windows kernel driver-based architecture tells us two things. First, the group is methodically expanding its target profile, shifting from servers to the desktop environments where government officials and administrators actually work. Second, the technical sophistication is increasing—dropping into the kernel isn’t a trivial step, and it signals a commitment to long-term, persistent access.
The real story here is the abuse of kernel drivers. This represents a fundamental shift in the evasion arms race. Endpoint detection and response (EDR) tools, and even the most vigilant system administrators, operate with a crucial assumption: the operating system itself is telling the truth. A malicious kernel driver shatters that assumption. By hooking low-level functions like NtQuerySystemInformation, the malware makes itself a ghost, actively lying to the tools designed to find it. We’re moving beyond malware that tries to hide from the OS to malware that co-opts the OS to hide. This forces defenders into a much harder game of verifying integrity at a level most never touch.
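One defensive consequence of the hook described above is worth spelling out with code. A driver that filters NtQuerySystemInformation edits the list that Task Manager, tasklist and most agents read, but it does not by itself change the other kernel path to a process, NtOpenProcess. Enumerating the list and, separately, probing every candidate PID with OpenProcess gives two views that should agree; a PID the probe can reach that the list never reports is the discrepancy an analyst would follow up with a memory capture. The script below is an added example written for this page, not code from the ESET report, from the malware, or from any vendor tool. It assumes a Windows host and an elevated prompt for the live collectors; the diff logic itself is plain Python and runs anywhere on constructed views. Running the enumeration both before and after the sweep and uniting the two snapshots keeps processes that started or exited mid-sweep out of the result. The check is one cross-view only: a driver that also interferes with NtOpenProcess or object callbacks would pass it, so it complements rather than replaces kernel-level integrity checks.

```python
"""Cross-view process check (added example; not code from the ESET report or the malware).

Assumptions: Windows host, elevated prompt; PIDs are multiples of 4 below
MAX_PID; psapi EnumProcesses stands in for the list API that a hooked
NtQuerySystemInformation would feed.
"""
import sys
from typing import Iterable, Set

PID_STEP = 4
MAX_PID = 0x10000  # assumption: sweep bound; raise it on hosts with many processes

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # documented Win32 access right
ERROR_ACCESS_DENIED = 5                     # process exists but is protected (PPL etc.)
ERROR_INVALID_PARAMETER = 87                # no process with that PID


def find_hidden_pids(probed: Iterable[int], *enumerations: Iterable[int]) -> Set[int]:
    """PIDs seen by the probe view but absent from every enumeration snapshot.

    Uniting snapshots taken before and after the probe keeps processes that
    merely started or exited during the sweep out of the result.
    """
    seen_by_list_api: Set[int] = set()
    for snapshot in enumerations:
        seen_by_list_api |= set(snapshot)
    return set(probed) - seen_by_list_api


def enumerate_pids_windows() -> Set[int]:
    """Enumeration view: EnumProcesses, which is backed by NtQuerySystemInformation."""
    import ctypes
    from ctypes import wintypes

    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    capacity = 8192
    buf = (wintypes.DWORD * capacity)()
    needed = wintypes.DWORD(0)
    if not psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return {buf[i] for i in range(needed.value // ctypes.sizeof(wintypes.DWORD))}


def probe_pids_windows(max_pid: int = MAX_PID) -> Set[int]:
    """Probe view: OpenProcess on every candidate PID, independent of the list API."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    k32.CloseHandle.argtypes = (wintypes.HANDLE,)
    present: Set[int] = set()
    for pid in range(PID_STEP, max_pid, PID_STEP):
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if handle:
            k32.CloseHandle(handle)
            present.add(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            present.add(pid)  # cannot open it, but the kernel confirms it exists
        # ERROR_INVALID_PARAMETER (and anything else): treat as absent
    return present


def cross_view_check() -> Set[int]:
    """Run the full check on a Windows host; returns the PIDs to investigate."""
    before = enumerate_pids_windows()
    probed = probe_pids_windows()
    after = enumerate_pids_windows()
    return find_hidden_pids(probed, before, after)


if __name__ == "__main__":
    if sys.platform != "win32":
        # Constructed sample views so the diff logic can be exercised anywhere.
        probed = {4, 8, 1234, 1240, 3100}
        before = {4, 8, 1234, 3100}
        after = {4, 8, 1234}
        print("hidden PIDs (constructed sample):", find_hidden_pids(probed, before, after))
    else:
        hidden = cross_view_check()
        print("PIDs reachable by OpenProcess but never enumerated:", sorted(hidden) or "none")
```

On a live host the interesting output is a non-empty set; PID 3100 in the constructed sample shows why the double snapshot matters, since it was present in the first enumeration and only exited during the sweep.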
The detail about the exposed code-signing certificate from an open-source project is the most frustrating part. It’s a stark reminder that the security of the entire chain depends on the weakest link, which is often careless human error or poor secrets management. That this certificate was likely used to load drivers on "outdated or misconfigured systems" isn’t a surprise; it’s a feature. State actors are pragmatic. They aren’t building for zero-days on patched systems if a stolen key to the front door will do. This isn’t just an espionage tool; it’s a commentary on the systemic neglect of certificate hygiene and driver signing enforcement.
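The certificate-hygiene point has a concrete counterpart on the publishing side: signing material should never reach a public repository in the first place. The sweep below is an added example for this page, not code from the report or from the PastDSE project, and it assumes a checked-out working tree scanned before a push. It flags files by three signals: an extension used for Windows signing bundles or private keys (.pfx, .p12, .pvk, .snk, .key), a PEM private-key header in the content, and the DER prefix of a PKCS#12 container (SEQUENCE, then INTEGER version 3), which catches a .pfx that was renamed to dodge an extension filter. It deliberately does not inspect git history, so a key committed and later deleted still needs a history-aware scanner such as gitleaks and, more importantly, revocation and re-issue of the certificate.

```python
"""Pre-push sweep for code-signing material (added example; not from the report).

Assumptions: the repository is checked out on disk; only the working tree
is inspected, not git history. Samples created by demo() are constructed
placeholders, not real keys.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Extensions that carry private keys or whole signing bundles in Windows toolchains.
SIGNING_EXTENSIONS = {".pfx", ".p12", ".pvk", ".snk", ".key"}
PEM_PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
SKIP_DIRS = {".git", "node_modules"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root, POSIX separators
    reason: str


def _der_content_offset(data: bytes, pos: int) -> Optional[int]:
    """Parse the DER length field at data[pos]; return the offset of the content."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:                      # short form: single length byte
        return pos + 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        return None
    return pos + 1 + n


def looks_like_pkcs12(data: bytes) -> bool:
    """PFX ::= SEQUENCE { version INTEGER(3), ... } encodes as 0x30 <len> 0x02 0x01 0x03."""
    if not data.startswith(b"\x30"):
        return False
    body = _der_content_offset(data, 1)
    return body is not None and data[body:body + 3] == b"\x02\x01\x03"


def classify(path: Path, head: bytes) -> Optional[str]:
    """Return a reason string if the file looks like signing material, else None."""
    ext = path.suffix.lower()
    if ext in SIGNING_EXTENSIONS:
        return f"signing-material extension {ext}"
    if any(marker in head for marker in PEM_PRIVATE_KEY_MARKERS):
        return "PEM private key block"
    if looks_like_pkcs12(head):
        return "PKCS#12 container (DER header)"
    return None


def scan_tree(root: Path, head_bytes: int = 4096) -> List[Finding]:
    """Walk the working tree (skipping SKIP_DIRS) and classify every file by its first bytes."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue
            reason = classify(p, head)
            if reason:
                findings.append(Finding(p.relative_to(root).as_posix(), reason))
    return sorted(findings, key=lambda f: f.path)


def demo() -> Dict[str, str]:
    """Build a constructed repository in a temp dir and return {path: reason}."""
    fake_pfx = b"\x30\x82\x01\x00\x02\x01\x03" + b"\x00" * 64   # constructed, not a real bundle
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "release.pfx").write_bytes(fake_pfx)   # caught by extension
        (root / "tools" / "bundle.bin").write_bytes(fake_pfx)    # renamed: caught by DER header
        (root / "deploy.pem").write_bytes(fake_pem)              # caught by PEM marker
        (root / "README.md").write_bytes(b"# build notes\n")     # clean
        (root / ".git").mkdir()
        (root / ".git" / "objects.pfx").write_bytes(b"skipped")  # inside SKIP_DIRS
        return {f.path: f.reason for f in scan_tree(root)}


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Wired into a pre-push hook, a non-empty result from scan_tree should block the push; the reason string tells the developer which signal fired, which matters when the finding is a renamed container rather than an obvious .pfx.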
The geopolitical targeting pattern—Honduras, Taiwan, Thailand, Pakistan—paints a classic picture of intelligence priorities. These are nations where PRC interests (diplomatic, economic, or strategic) intersect with potential friction. This isn’t random; it’s collection. The 2023-2024 deployment window, coupled with the VirusTotal discovery, suggests the tool was in a testing and initial deployment phase before being formally cataloged. By the time researchers publish a report, the operation has likely evolved or the access has already been leveraged.
Ultimately, FishMonger’s new toolset underscores that the definition of "advanced" in APT is changing. It’s not just about novel exploits anymore. It’s about deep, patient integration with the target’s own infrastructure and the blurring of the line between legitimate system components and malicious code. The bar for detection is being systematically raised, and most enterprise security stacks are not prepared to audit their own kernel’s truthfulness.
Industry Insights
- Driver security will become a critical audit point. Expect more focus on driver signing policies, allow-listing, and integrity checks for kernel-mode components.
- Regional threat intelligence sharing for APAC governments will intensify. Common targeting of Honduras, Taiwan, Thailand, and Pakistan will drive more collaborative defensive frameworks.
- The "living off the land" tactic will evolve to the kernel level. Adversaries will increasingly weaponize OS kernels and signed drivers, moving beyond user-mode fileless techniques.
FAQ
Q: What makes the WIN_DRV variant of SprySOCKS different from previous versions?
A: It uses two encrypted kernel drivers to hide its processes and files directly from the operating system, making it undetectable by most standard security tools.
Q: Why is the use of kernel drivers considered so dangerous?
A: Kernel drivers operate at the most privileged level of the OS, allowing them to intercept and modify system calls, effectively making malware invisible to security software and administrators.
Q: How was the malware able to load despite being malicious?
A: Its loader was signed with a legitimate, though likely stolen or misused, code-signing certificate that was exposed in a public GitHub repository, allowing it to bypass some system security checks.
Disclaimer: The above content is generated by AI and is for reference only.