China‑Linked FishMonger Deploys SprySOCKS Windows Variants with Kernel‑Level Stealth and UEFI Bootkit Hints
What Happened — Researchers at ESET uncovered two previously undocumented Windows variants of the SprySOCKS backdoor, now used by the China‑linked APT group FishMonger (Winnti). The variants, WIN_DRV and WIN_PLUS, employ a custom kernel driver, DLL side‑loading, scheduled tasks, and the Print Spooler service to gain persistent, stealthy access on government systems in four countries. The code also contains hints of a UEFI‑level bootkit, suggesting a long‑term foothold beyond the operating system.
Why It Matters for Compliance & Audit Readiness
- Demonstrates how gaps in privileged‑execution controls (e.g., unsanitized driver loading, Print Spooler misuse) can bypass traditional user‑level monitoring – a scenario SOC 2 CC6.1 (System Operations) and CC7.1 (Change Management) are designed to detect and evidence.
- Highlights the need for continuous evidence collection on low‑level system changes; Verisq’s Control Mapping capability can automatically capture driver‑install events and correlate them with audit controls.
- Shows that a single undetected kernel component can invalidate the effectiveness of documented security policies, underscoring the importance of verifiable, real‑time control enforcement.
Who Is Affected – Government agencies and critical‑infrastructure entities in the four targeted nations; any organization that runs unpatched Windows endpoints with the Print Spooler service enabled.
Recommended Actions
- Map the kernel‑driver loading and Print Spooler usage to SOC 2 controls (CC6.1, CC7.1) and ensure evidence is collected continuously.
- Enforce strict least‑privilege policies for driver installation and disable unnecessary services (e.g., Print Spooler) where feasible.
- Deploy endpoint detection that monitors kernel‑mode activity and scheduled‑task creation, and integrate logs into a centralized audit trail. Source: Security Affairs
Technical Notes – The attack chain begins with an unknown initial access vector, drops a batch script, creates a scheduled task, and uses DLL side‑loading to install two kernel drivers (RawWNPF and DriverLoader). The backdoor communicates over TCP, UDP, and WebSocket, with traffic diversion that hides the listening port. No specific CVE is cited, but the technique mirrors Print Spooler abuse (e.g., CVE‑2021‑34527). Source: [Security Affairs]