Meet SockDetour fileless backdoor targeting U.S. Defense contractors

Meet SockDetour fileless backdoor targeting U.S. Defense contractors

Researchers suspect that the SockDetour backdoor is used in attacks carried out by an APT (advanced persistent threat) group known as TiltedTemple.

Palo Alto Network’s Unit 42 researchers discovered a tool that could be used as a backup backdoor if the primary backdoor gets deleted by defenders. Its principal function is to maintain access to infected networks. This custom malware, dubbed SockDetour, launched targeted attacks on US defense contractors.

SockDetour in Use Since 2019

According to Unit 42’s research team, SockDetour payload’s operators kept it under the radar for over three years as it was used for the first time in the wild in 2019. The malware’s stealthiness is lethal and can operate socketlessly and filelessly on compromised Windows servers after hijacking network connections, making it difficult to detect it at the network and host levels. It is compiled in 64-bit PE file format.

SockDetour Capabilities

The malware lets attackers stay on compromised Windows servers stealthily. This is achieved by loading in legit service processes filelessly and utilizing authentic network sockets of the processes to establish its encrypted C2 channel.

At Least 4 US Defense Contractors Targeted

Researchers initially observed that the malware was deployed onto the Windows servers of at least one defense contractor in the US. The attack was detected on 27 July 2021. This incident led to the identification of three more defense contractors targeted by the same entity and the same backdoor.

Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor.

Palo Alto Network’s Unit 42

How are Windows Servers Hijacked?

According to Unit 42’s blog post, the connection hijacking is performed through using authentic Microsoft Detours library package. This package is used for Windows API call instrumentation and monitoring.

In one of the attacks, researchers noted that attackers also used a specific delivery server identified as a QNAP network-attacked storage device or NAS device. Typically, small businesses use this device or those infected with QLocker ransomware previously. Researchers believe threat actors exploited a remote code execution bug tracked as CVE-2021-28799 to access the server.

SockDetour’s workflow (Image: Unit 42)

More Fileless malware news

  1. Fileless WannaMine Cryptojacking Malware Using NSA Exploit
  2. Thousands of Windows PCs infected by Nodersok fileless malware
  3. Rise of Fileless Malware: Telecoms, Banks, Gov’t Orgs Under Attack
  4. Fileless Cryptocurrency Miner Hits Windows Using EternalBlue Flaw
  5. Gootloader fileless malware exploits websites to spread ransomware

Possible Perpetrator

Researchers at Unit 42 suspect that the SockDetour backdoor is used in attacks carried out by an APT (advanced persistent threat) group called TiltedTemple. The group made headlines when it exploited vulnerabilities in Zoho products such as ServiceDesk Plus (CVE-2021-44077) and ManageEngine ADSelfService Plus (CVE-2021-40539).

This suspicion is based on the tools and tactics that match APT27’s previous malicious activities where the group primarily targeted defense, aerospace, technology, manufacturing, government, and energy sectors in espionage campaigns.

Related Posts