#ESETresearch discovered two as-yet undocumented Windows variants of #SprySOCKS, a previously Linux-only backdoor reportedly used by #FishMonger. We attribute the new Windows variants to #FishMonger with high confidence. https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/
Both newly discovered Windows variants, named WIN_PLUS and WIN_DRV by their authors, support communication over TCP, UDP, and WebSocket protocols, while WIN_DRV weaponizes a kernel driver for enhanced stealth.
The WIN_DRV variant creates a stealthy passive TCP backdoor and uses a kernel driver to redirect traffic to the backdoor’s hidden TCP port whenever specially crafted data is detected inside a received TCP packet.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/SprySOCKS
Read the full analysis on WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/