Chinese espionage group ‘FishMonger’ steps up its activities and targets governments in Asia and Latin America

June 16, 2026

Security researchers discover two previously unknown versions of sophisticated malware

A Chinese cyber-espionage group has significantly refined its digital tools for attacking government agencies. Researchers at IT security firm ESET have discovered two previously unknown Windows versions of a backdoor called SprySOCKS, which was previously only known to exist on Linux systems. According to the researchers, the group behind the attacks is FishMonger, which is believed to be operated by a Chinese contractor named I-SOON. Ironically, this is the very service provider whose internal documents were made public in early 2024 following a sensational data leak, offering a rare insight into the operations of state-sponsored hackers.

According to ESET, several government organisations were affected between 2023 and 2024. The focus was on authorities in Honduras, Taiwan, Thailand and Pakistan.

A backdoor that makes itself virtually invisible

The new Windows variant of the malware supports over 30 commands and can read system information, monitor running processes, and create, delete and exfiltrate files unnoticed.

The real highlight – namely its remarkable camouflage – is provided by a specially injected system driver: it hides the backdoor’s network connections, processes, files and registry entries from the system. The attackers can also send their commands to the backdoor via any seemingly harmless communication channel. Only when an incoming data packet contains a secret identifier does the driver forward it to the hidden backdoor. This keeps the actual access invisible to common protection mechanisms.
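A cross-view check of the kind a defender would run against a host suspected of carrying such a driver, added here as an example that is not from ESET's report: it compares the sockets the host itself reports (a constructed `netstat -ano` listing) with the flows a network sensor recorded for the same host, and flags any traffic the host cannot account for. The host address, ports and flows are constructed sample values.

```python
"""Cross-view detection: flows seen on the wire vs. sockets the host admits to."""
import re

# Constructed sample: `netstat -ano` as reported by the (possibly rootkitted) host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         203.0.113.9:443        ESTABLISHED     3120
"""

# Constructed sample: flows a network sensor saw for the same host.
# Tuples are (src_ip, src_port, dst_ip, dst_port).
SENSOR_FLOWS = [
    ("10.0.0.5", 49712, "203.0.113.9", 443),    # visible in netstat: benign
    ("10.0.0.5", 53122, "198.51.100.7", 8443),  # outbound, absent from netstat
    ("192.0.2.44", 41000, "10.0.0.5", 445),     # inbound to a visible listener
    ("192.0.2.44", 41001, "10.0.0.5", 8443),    # inbound to a port with no listener
]

# Only TCP rows carry a State column; UDP rows are deliberately not parsed.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)", re.M)


def parse_netstat(text):
    """Host view: set of (local_ip, local_port, remote_ip, remote_port, state)."""
    return {(lip, int(lp), rip, int(rp), st)
            for lip, lp, rip, rp, st in TCP_ROW.findall(text)}


def socket_explains_flow(sockets, host_ip, flow):
    """True if a socket the host reports accounts for one wire-observed flow."""
    src_ip, src_port, dst_ip, dst_port = flow
    if src_ip == host_ip:            # outbound: expect a connection to the peer
        local_port, peer = src_port, (dst_ip, dst_port)
    elif dst_ip == host_ip:          # inbound: expect a listener or a connection
        local_port, peer = dst_port, (src_ip, src_port)
    else:
        return True                  # not this host's traffic; nothing to explain
    for lip, lport, rip, rport, state in sockets:
        if lport != local_port or lip not in (host_ip, "0.0.0.0"):
            continue
        if state == "LISTENING" and dst_ip == host_ip:
            return True
        if (rip, rport) == peer:
            return True
    return False


def find_hidden_flows(netstat_text, flows, host_ip):
    """Flows the wire saw but the host's own socket table does not explain."""
    sockets = parse_netstat(netstat_text)
    return [f for f in flows if not socket_explains_flow(sockets, host_ip, f)]


if __name__ == "__main__":
    for flow in find_hidden_flows(NETSTAT_SAMPLE, SENSOR_FLOWS, "10.0.0.5"):
        print("unexplained flow:", flow)
```

Any flow this reports is a starting point for a deeper look at the host (kernel-level enumeration, memory capture), not proof of a rootkit on its own, since NAT, short-lived connections and sensor placement can also produce mismatches.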

“At its core, the Windows version works exactly like its Linux predecessor: However, the attackers have specifically adapted it to the Windows system and, above all, camouflaged it much more effectively,” explains ESET researcher Martin Smolár, who discovered and analysed FishMonger’s new arsenal. “The fact that there are even indications of manipulation of the system boot process is a warning sign. We advise everyone to keep a very close eye on the group’s activities.”

In fact, the researchers found initial, albeit still tentatively assessed, signs that individual attacks might be using a so-called UEFI bootkit. In this scenario, malicious code embeds itself before the actual operating system loads, thereby surviving even a complete reinstallation. The attackers may have exploited a known vulnerability (CVE-2023-24932) to achieve this.

Who is behind FishMonger?

FishMonger is a cyber-espionage group believed to be part of the larger Winnti group and is highly likely to be operating out of the Chinese city of Chengdu. In the security industry, it also appears under other names, including Earth Lusca, TAG-22, Aquatic Panda and Red Dev 10. ESET published an initial analysis of the group back in early 2020. At that time, during the wave of protests beginning in June 2019, it launched massive attacks on universities in Hong Kong. FishMonger is also known for so-called watering-hole attacks, in which frequently visited websites are manipulated to infect their visitors. The group’s toolkit includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS and the BIOPASS RAT.
