Essential Insights
- FishMonger, linked to a Chinese tech company, expanded its toolkit with a stealthy Windows backdoor using kernel drivers to evade detection.
- The new Windows variant of SprySOCKS employs encrypted kernel drivers ("DriverLoader" and "RawWNPF") to hide malicious activity and manipulate system calls.
- The malware leverages legitimate drivers, signed with exposed certificates, to load malicious components, complicating detection and response.
- While initial infection methods remain unclear, awareness of indicators and enabling advanced security features like HVCI is recommended for protection.
SprySOCKS Windows Variant Evades Detection Using Kernel Drivers
Recent security findings reveal that FishMonger, a known threat group linked to China, has expanded its hacking tools. They now use a new version of SprySOCKS on Windows systems. Originally, SprySOCKS was a Linux backdoor discovered in 2023. It has since been adapted for Windows, targeting government organizations in countries like Honduras, Taiwan, Thailand, and Pakistan. This adaptation makes it harder for security teams to spot the malware. That’s because the new version uses special kernel drivers. These drivers operate deep within the Windows system. They can hide malicious activity from security programs and system monitors.
How Kernel Drivers Help SprySOCKS Stay Hidden and Malicious
The new version of SprySOCKS uses two encrypted kernel drivers. One driver, called “DriverLoader,” loads the second, named “RawWNPF,” directly into the target’s memory. This second driver can hide processes, files, and activities. For example, it tricks Windows into not showing malicious processes running in the background. These drivers have privileged access to the system, which makes them powerful at hiding malware. They can even kill security processes or interfere with system calls to keep the backdoor hidden. The drivers themselves come from legitimate sources but are exploited by hackers. In this case, the “DriverLoader” is signed with a digital certificate exposed on GitHub, making it easier for hackers to use on vulnerable systems. Security experts warn that abusing such drivers complicates detection. Still, they emphasize that all malicious drivers should be targeted and stopped. The way FishMonger initially gets into victims’ networks remains unclear. However, past attacks suggest they may exploit unpatched vulnerabilities on public servers. ESET’s analysis also hints at possible use of UEFI bootkits, which can bypass traditional security measures. Despite the complexity, the spread of this malware highlights the ongoing risks posed by advanced malicious tools and the importance of strong cybersecurity practices.
Continue Your Tech Journey
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Stay inspired by the vast knowledge available on Wikipedia.
CyberRisk-V1
