Fileless SockDetour backdoor targets U.S.-based defense contractors

Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.

According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.

Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322), threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) and ServiceDesk Plus vulnerability (CVE-2021-44077). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.

SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including memory dumping tool and several webshells.

“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” reads the analsysi published by Palo Alto Networks. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Once SockDetour is injected into the process’s memory, it hijacks legitimate processes’ network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.

According to Microsoft DEV-0322 is an APT group based in China, which employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.

At least four defense contractors were targeted by the threat actor, and one of them was compromised.

SockDetour was delivered from an external FTP server, a compromised QNAP to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected with QLocker ransomware.

“While it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]