New “SockDetour” Fileless, Socketless Backdoor Targets U.S. Defense Contractors

Cybersecurity researchers have taken the wraps off a previously undocumented and stealthy custom malware called SockDetour that targeted U.S.-based defense contractors with the goal of being used as a secondary implant on compromised Windows hosts.

“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” Palo Alto Networks’ Unit 42 threat intelligence said in a report published Thursday. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Even more concerningly, SockDetour is believed to have been used in attacks since at least July 2019, based on a compilation timestamp on the sample, implying that the backdoor successfully managed to slip past detection for over two-and-a-half years.

The attacks have been attributed to a threat cluster it tracks as TiltedTemple (aka DEV-0322 by Microsoft), which is designated moniker for a hacking group operating out of China and was instrumental in exploiting zero-day flaws in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus deployments as a launchpad for malware attacks last year.

The ties to TiltedTemple come from overlaps in the attack infrastructure, with one of the command-and-control (C2) servers that was used to facilitate the distribution of malware for the late 2021 campaigns also hosting the SockDetour backdoor, alongside a memory dumping utility and numerous web shells for remote access. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *