Palo Alto Networks' Unit 42 researchers recently uncovered a tool called SockDetour that acts as a backup backdoor if the original one is removed. They think that it might have “been in the wild since at least July 2019.” The researchers revealed that the backdoor, a 64-bit PE file, stands out and is challenging to detect because it runs filelessly and socketlessly on compromised Windows servers.
“One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors,” the researchers explained.
Considering the telemetry data obtained by Unit 42 and the analysis of the samples collected, they think the threat actor behind SockDetour has been employing the tools to target US-based defense businesses. According to Unit 42, at least four defense contractors have been targeted by this effort, with at least one of them compromised.
By loading filelessly into legitimate service processes and hijacking those processes' existing network sockets to construct its own encrypted C2 channel, SockDetour helps attackers remain undetected on infected Windows servers. No further SockDetour samples were found in public sources, and the plugin DLL it loads is still unknown; the researchers believe the plugin is delivered over SockDetour's encrypted channel and communicates through the hijacked sockets.
According to Unit 42, the NAS server seen hosting SockDetour is a type commonly used by small firms. The backdoor was linked to TiltedTemple, a broader APT campaign. Unit 42 originally discovered TiltedTemple while investigating the threat actor's exploitation of the Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077) vulnerabilities.
In August 2021, Unit 42 started looking into the TiltedTemple campaign and discovered that SockDetour “was delivered from an external FTP server to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021.” As per Unit 42, the FTP server also housed other threat actor tools such as a memory dumping tool and ASP webshells. After researching the incident, Unit 42 discovered that the same perpetrator had attacked at least three additional U.S.-based defense contractors.
Unit 42 said that the threat actor used the open-source Donut shellcode generator to convert SockDetour into shellcode. When injected into manually specified target processes, the backdoor “leverages the Microsoft Detours library package, which is designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket.”