Discover the SockDetour Fileless Backdoor Targeting US Defense Contractors

Researchers suspect that the SockDetour backdoor is being used in attacks by an APT (Advanced Persistent Threat) group known as TiltedTemple.

Palo Alto Network Unit 42 researchers have discovered a tool that could be used as a backup backdoor if the main backdoor is taken down by Defenders. Its main function is to maintain access to infected networks. This custom malware, dubbed SockDetour, launched targeted attacks against US defense contractors.

SockDetour used since 2019

According to the Unit 42 research team, operators of the SockDetour payload have kept it under the radar for more than three years since it was first used in the wild in 2019. The stealth of the malware is deadly and can run without a socket and without a file on compromised windows servers after hijacking network connections, making it difficult to detect at the network and host level. It is compiled in 64-bit PE file format.

SockDetour Abilities

The malware allows attackers to stealthily stay on compromised Windows servers. This is achieved by loading legitimate fileless service processes and using genuine network sockets of the processes to establish its encrypted C2 channel.

At least 4 US defense contractors targeted

Researchers first observed that the malware was deployed on the Windows servers of at least one defense contractor in the United States. The attack was detected on July 27, 2021. This incident led to the identification of three other defense contractors targeted by the same entity and backdoor.

Based on Unit 42 telemetry data and analysis of samples collected, we believe the threat actor behind SockDetour has been focused on targeting US-based defense contractors. United using the tools. Unit 42 has evidence that at least four defense contractors are targeted by this campaign, with at least one contractor compromised.

Palo Alto Network Unit 42

How are Windows servers hacked?

According to Unit 42 blog post, connection hijacking is performed using a genuine Microsoft Detours library package. This package is used for instrumentation and monitoring of Windows API calls.

In one of the attacks, the researchers noted that the attackers also used a specific delivery server identified as a storage device or NAS attacked by the QNAP network. Generally, small businesses use this device or those infected with QLockerComment ransomware before. Researchers believe threat actors exploited a remote code execution bug tracked as CVE-2021-28799 to access the server.

SockDetour workflow (Image: Unit 42)

More Fileless Malware News

  1. Fileless WannaMine cryptojacking malware using NSA exploit
  2. Thousands of Windows PCs Infected with Nodersok Fileless Malware
  3. Rise of Fileless Malware: Telecoms, Banks and Government Organizations Under Attack
  4. Fileless Cryptocurrency Miner Hits Windows Using EternalBlue Flaw
  5. Gootloader Fileless Malware Exploits Websites to Spread Ransomware

Possible author

Unit 42 researchers suspect that the SockDetour backdoor is being used in attacks by an APT (Advanced Persistent Threat) group called TiltedTemple. The group made headlines by exploiting vulnerabilities in Zoho products such as ServiceDesk Plus (CVE-2021-44077) and ManageEngine ADSelfService Plus (CVE-2021-40539).

This suspicion is based on tools and tactics that match previous malicious activity by APT27, where the group primarily targeted the defense, aerospace, technology, manufacturing, government, and security sectors. energy in espionage campaigns.

Comments are closed.