ESET Research FishMonger’s arsenal upgraded: SprySOCKS for Windows
Summary
ESET researchers uncovered two new Windows variants of the SprySOCKS backdoor, named WIN_DRV and WIN_PLUS, that are linked to the FishMonger threat group. The WIN_DRV version uses a kernel driver to achieve enhanced stealth, including the ability to conceal network connections, processes, and files. Both variants support several communication protocols and provide a broad set of commands for system control and data theft.
Investigation
The investigation drew on malware samples discovered through VirusTotal and ESET telemetry, revealing activity spanning 2023 to 2024. Researchers analyzed the full execution chains, including DLL sideloading, kernel driver loading through DriverLoader and RawWNPF, and process injection using doppelgänging techniques. The study also uncovered command-and-control communication patterns and hardcoded encryption keys shared across multiple components.
Mitigation
Organizations should prioritize patching internet-facing applications to reduce the risk of initial compromise through N-day vulnerabilities. Strong driver signature enforcement and monitoring for unauthorized kernel driver installation are essential. Defenders should also monitor for suspicious scheduled tasks, registry changes under Image File Execution Options, and unusual print processor registrations.
Response
If these threats are detected, affected systems should be isolated immediately to stop further lateral movement or data theft. Investigators should perform a detailed forensic review to determine the original intrusion vector and the full scope of compromise, with special attention to kernel-level persistence. Network logs should also be checked for communication with known command-and-control infrastructure, while system changes such as new services or altered registry keys should be audited.
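The Mitigation and Response sections above name three footholds worth auditing on a suspect host: IFEO debugger registrations, print-processor registrations, and kernel drivers that should not be there. The following read-only hunt is an added example, not code from ESET or from the detection platform; the registry paths are the standard Windows locations, while the allow-lists (the default `winprint` processor, Microsoft-signed drivers) are assumptions for a stock install and should be tuned to the estate.

```powershell
# Added example (not from the ESET report or the detection platform): a read-only
# hunt for the three footholds named in the Mitigation/Response text. Registry paths
# are the standard Windows locations; the allow-lists are assumptions for a stock
# install and should be tuned to the estate.

$IfeoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$PrintEnvRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'

function Get-IfeoDebuggers {
    # Any Debugger value under IFEO redirects launches of that image (T1546.012);
    # the report describes one registered for vds.exe. Genuine debuggers are rare
    # on servers, so every hit deserves a look.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Get-NonDefaultPrintProcessors {
    # A stock install has only winprint -> winprint.dll per environment; the WIN_PLUS
    # variant registered VSPMsg.dll here (T1547.012).
    Get-ChildItem -Path $PrintEnvRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $envName = $_.PSChildName
        Get-ChildItem -Path "$($_.PSPath)\Print Processors" -ErrorAction SilentlyContinue | ForEach-Object {
            $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
            if ($_.PSChildName -ne 'winprint' -or $driver -ne 'winprint.dll') {
                [pscustomobject]@{ Environment = $envName; Name = $_.PSChildName; Driver = $driver }
            }
        }
    }
}

function Get-SuspectKernelDrivers {
    # Drivers whose image fails Authenticode validation, or whose signer is not a
    # Microsoft certificate, are candidates for the DriverLoader/RawWNPF pattern
    # (T1014). Third-party WHQL drivers are Microsoft-countersigned and pass this
    # coarse filter, so treat the output as a triage aid, not a verdict.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # PathName comes in several shapes: \??\C:\..., \SystemRoot\..., or system32\drivers\x.sys
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                [pscustomobject]@{ Service = $_.Name; State = $_.State; Path = $path
                                   SigStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject }
            }
        }
    }
}

$Report = [ordered]@{
    IfeoDebuggers   = @(Get-IfeoDebuggers)
    PrintProcessors = @(Get-NonDefaultPrintProcessors)
    SuspectDrivers  = @(Get-SuspectKernelDrivers)
}
foreach ($Entry in $Report.GetEnumerator()) {
    Write-Host ("== {0}: {1} finding(s)" -f $Entry.Key, $Entry.Value.Count) -ForegroundColor Cyan
    if ($Entry.Value.Count) { $Entry.Value | Format-Table -AutoSize | Out-String | Write-Host }
}
```

Run it from an elevated PowerShell session; `Get-AuthenticodeSignature` needs read access to the driver images and the CIM query needs administrative rights to see every driver's path. Findings are printed, not acted upon, so the script is safe to run during a live investigation before any containment decision.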
Attack Flow

```mermaid
graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ff9999
    classDef process fill:#ccffcc
    classDef defense fill:#ffcc99

    %% Initial Access
    action_exploit["<b>Action</b> – <b class='action'>T1190 Exploit Public-Facing Application</b><br/>Description: Leveraging N-day vulnerabilities on public-facing servers for initial access."]
    class action_exploit action

    %% Branching for Variants
    op_variant(("AND"))
    class op_variant tool

    %% WIN_DRV Variant Path
    action_win_drv_persist["<b>Action</b> – <b class='action'>T1546.012 Event Triggered Execution: IFEO</b><br/>Description: Registering a malicious debugger for vds.exe<br/>Tool: klelam00007.bat script"]
    class action_win_drv_persist action
    action_win_drv_dll["<b>Action</b> – <b class='action'>T1574.001 Hijack Execution Flow: DLL</b><br/>Description: DLL side-loading using legitimate signed executable<br/>Tool: ApphostRegistrationVerifier.exe loads tpsvcloc.dll"]
    class action_win_drv_dll action
    malware_loader["<b>Malware</b>: Loader<br/>Description: Uses Process Doppelgänging for injection"]
    class malware_loader malware
    action_reflective["<b>Action</b> – <b class='action'>T1620 Reflective Code Loading</b><br/>Description: Injecting SprySOCKS backdoor shellcode via process doppelgänging"]
    class action_reflective action
    process_svchost["<b>Process</b>: svchost.exe<br/>Description: Target process for shellcode injection"]
    class process_svchost process
    malware_sprysocks["<b>Malware</b>: SprySOCKS Backdoor<br/>Description: Maintains C2 and performs collection"]
    class malware_sprysocks malware
    tool_driver_loader["<b>Tool</b>: DriverLoader<br/>Description: Deploys kernel-level driver"]
    class tool_driver_loader tool
    malware_rootkit["<b>Malware</b>: RawWNPF Kernel Driver<br/>Description: Functions as a Rootkit (T1014) to hide processes, files, and registry keys"]
    class malware_rootkit malware
    action_port_knocking["<b>Action</b> – <b class='action'>T1205.001 Traffic Signaling: Port Knocking</b><br/>Description: Diverting specially crafted TCP traffic via Windows Filtering Platform"]
    class action_port_knocking action

    %% WIN_PLUS Variant Path
    action_win_plus_persist["<b>Action</b> – <b class='action'>T1547.012 Boot or Logon Autostart Execution: Print Processors</b><br/>Description: Installing VSPMsg.dll as a print processor for persistence"]
    class action_win_plus_persist action

    %% Post Exploitation and Collection
    action_keylogging["<b>Action</b> – <b class='action'>T1056.001 Input Capture: Keylogging</b><br/>Description: Capturing keystrokes, clipboard data, and window titles"]
    class action_keylogging action
    action_c2["<b>Action</b> – <b class='action'>T1132.001 Command and Control: Protocol</b><br/>Description: Communication via TCP, UDP, and WebSocket using AES-128 encryption"]
    class action_c2 action
    action_defense_impair["<b>Action</b> – <b class='action'>T1562.004 Defense Impairment: Disable or Modify Tools</b><br/>Description: Modifying Windows Firewall rules via netsh.exe to allow traffic"]
    class action_defense_impair action

    %% Connections
    action_exploit -->|leads_to| op_variant

    %% WIN_DRV Flow
    op_variant -->|variant_path| action_win_drv_persist
    action_win_drv_persist -->|leads_to| action_win_drv_dll
    action_win_drv_dll -->|loads| malware_loader
    malware_loader -->|performs| action_reflective
    action_reflective -->|injects_into| process_svchost
    process_svchost -->|runs| malware_sprysocks
    malware_sprysocks -->|deploys| tool_driver_loader
    tool_driver_loader -->|maps| malware_rootkit
    malware_rootkit -->|facilitates| action_port_knocking

    %% WIN_PLUS Flow
    op_variant -->|variant_path| action_win_plus_persist
    action_win_plus_persist -->|uses| action_reflective

    %% Common Post Exploitation
    malware_sprysocks -->|performs| action_keylogging
    malware_sprysocks -->|communicates_via| action_c2
    malware_sprysocks -->|executes| action_defense_impair

    %% Logic Connections
    action_defense_impair -->|enables| action_c2
```
Detections
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- Possible PING Usage for Delay Execution (via cmdline)
- Suspicious Firewall Modifications via CLI (via cmdline)
- FishMonger SprySOCKS Backdoor Network Activity [Windows Network Connection]
- Detection of Suspicious Svchost.exe and Related Activities [Windows Process Creation]
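The four command-line rules above are listed by name only. To show what such rules key on, here is an added example of minimal versions of each, run over constructed Sysmon Event ID 1 style records; it is not the platform's own rule logic. Every event is made up for the illustration: `ApphostRegistrationVerifier.exe` is the side-loading host named in the report, the directory it sits in and the other command lines are invented, and the svchost parent allow-list is an assumption to be extended per estate.

```powershell
# Added example (not the platform's own rule logic): minimal versions of the four
# command-line checks, run over constructed Sysmon Event ID 1 style records.
# Every event below is made up; ApphostRegistrationVerifier.exe is the side-loading
# host named in the report, the paths around it are invented.

$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\netsh.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'netsh advfirewall firewall add rule name="Update Svc" dir=in action=allow protocol=TCP localport=53781' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\schtasks.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'schtasks /create /tn "Updater" /tr "C:\ProgramData\Verifier\ApphostRegistrationVerifier.exe" /sc onlogon' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe'; ParentImage = 'C:\ProgramData\Verifier\ApphostRegistrationVerifier.exe'
        CommandLine = 'svchost.exe -k netsvcs' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\ProgramData\Verifier\ApphostRegistrationVerifier.exe'
        CommandLine = 'cmd.exe /c ping -n 30 127.0.0.1 >nul' }
    # Benign look-alikes that must not fire
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe'; ParentImage = 'C:\Windows\System32\services.exe'
        CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\schtasks.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'schtasks /query /fo LIST' }
)

# Parents that legitimately spawn svchost.exe (an assumed allow-list; extend per estate).
$SvchostParents = @('services.exe', 'MsMpEng.exe', 'Mrt.exe', 'rpcnet.exe', 'svchost.exe')

# Each rule is a name plus a predicate over a single event. -match is case-insensitive.
$Rules = @(
    @{ Name = 'Possible Schtasks or AT Usage for Persistence (via cmdline)'
       Test = { param($e) ($e.Image -match '\\schtasks\.exe$' -and $e.CommandLine -match '\s/create\b') -or
                          $e.Image -match '\\at\.exe$' } }
    @{ Name = 'Possible PING Usage for Delay Execution (via cmdline)'
       Test = { param($e) $e.CommandLine -match 'ping(\.exe)?\s+-n\s+\d+\s+(127\.0\.0\.1|localhost)\b' } }
    @{ Name = 'Suspicious Firewall Modifications via CLI (via cmdline)'
       Test = { param($e) $e.Image -match '\\netsh\.exe$' -and
                          $e.CommandLine -match 'advfirewall\s+firewall\s+(add|set|delete)\s+rule|\sfirewall\s+(add|set|delete)\s' } }
    @{ Name = 'Detection of Suspicious Svchost.exe and Related Activities'
       Test = { param($e) $e.Image -match '\\svchost\.exe$' -and
                          $SvchostParents -notcontains (Split-Path -Path $e.ParentImage -Leaf) } }
)

function Invoke-CmdlineRules {
    # Evaluate every rule against every event and emit one finding per match.
    param([object[]]$Events, [object[]]$RuleSet)
    foreach ($e in $Events) {
        foreach ($r in $RuleSet) {
            if (& $r.Test $e) {
                [pscustomobject]@{ Rule = $r.Name; Image = (Split-Path -Path $e.Image -Leaf); CommandLine = $e.CommandLine }
            }
        }
    }
}

$Findings = @(Invoke-CmdlineRules -Events $SampleEvents -RuleSet $Rules)
$Findings | Format-Table -Wrap -AutoSize
```

Of the six constructed records, the first four should each match exactly one rule and the two benign look-alikes none; the svchost check is the one most prone to noise in practice, which is why its parent allow-list is kept as data rather than hard-coded into the predicate. Replace `$SampleEvents` with records pulled from Sysmon or the Security log to run the same predicates against real telemetry.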
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary has successfully deployed the SprySOCKS backdoor on a compromised Windows host. To establish a command-and-control channel, the malware opens a listening socket on port 53781. To ensure the communication is recognized by their custom C2 server, the malware injects the magic hex value 0xACACBCBC into the initial handshake packets. This mimics the specific protocol behavior of the FishMonger group to facilitate reliable communication through intercepted or diverted traffic.
- Regression Test Script:

```powershell
# Simulation Script: SprySOCKS Network Artifact Generation
# This script mimics the network behavior of the SprySOCKS backdoor: a listener on
# the backdoor's port that pushes the 0xACACBCBC magic value on connection.
$TargetPort = 53781
$MagicValue = [byte[]] @(0xAC, 0xAC, 0xBC, 0xBC)
$MagicHex   = ($MagicValue | ForEach-Object { $_.ToString('X2') }) -join ''
# Bind explicitly instead of casting an int to TcpListener (that constructor is obsolete).
$Listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $TargetPort)
$Probe = $null; $Client = $null; $Stream = $null
try {
    Write-Host "[+] Starting listener on port $TargetPort..." -ForegroundColor Cyan
    $Listener.Start()
    # AcceptTcpClient() blocks until a peer connects, so without a client the run
    # would hang. A loopback probe makes it self-contained and still produces the
    # network-connection telemetry the rule keys on.
    $Probe  = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $TargetPort)
    $Client = $Listener.AcceptTcpClient()
    $Stream = $Client.GetStream()
    Write-Host "[+] Connection established. Sending magic value 0x$MagicHex..." -ForegroundColor Yellow
    # Injecting the magic value into the stream to trigger 'selection1' logic
    $Stream.Write($MagicValue, 0, $MagicValue.Length)
    $Stream.Flush()
    Start-Sleep -Seconds 5
} catch {
    Write-Error "[-] Simulation failed: $($_.Exception.Message)"
} finally {
    Write-Host "[+] Cleaning up connections..." -ForegroundColor Cyan
    # Guard each handle: an early failure leaves some of them unset.
    if ($Stream) { $Stream.Close() }
    if ($Client) { $Client.Close() }
    if ($Probe)  { $Probe.Close() }
    $Listener.Stop()
}
```
- Cleanup Commands:

```powershell
# Ensure no rogue listeners remain active. There is no Remove-NetTCPConnection cmdlet;
# a stale listener is released by stopping its owning process (lab host only).
Get-NetTCPConnection -LocalPort 53781 -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -ne $PID } |
    ForEach-Object { Stop-Process -Id $_.OwningProcess -Force -ErrorAction SilentlyContinue }
Write-Host "[+] Cleanup complete." -ForegroundColor Green
```