Cybersecurity researchers have taken the wraps off a previously undocumented and stealthy custom malware called SockDetour that targeted U.S.-based defense contractors with the goal of being used as a secondary implant on compromised Windows hosts.
“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” Palo Alto Networks’ Unit 42 threat intelligence team said in a report published Thursday. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”
Even more alarming, SockDetour is suspected to have been used in attacks at least since July 2019, according to the compilation timestamp of the sample. This suggests that the backdoor evaded detection for well over two-and-a-half years.
The attacks have been attributed to a threat cluster Unit 42 tracks as TiltedTemple (aka DEV-0322 by Microsoft), the designated moniker for a hacking group operating out of China that was instrumental in exploiting zero-day flaws in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus deployments as a launchpad for malware attacks last year.
The ties to TiltedTemple come from overlaps in the attack infrastructure: one of the command-and-control (C2) servers used to distribute malware for the late 2021 campaigns also hosted the SockDetour backdoor, alongside a memory dumping utility and a number of web shells for remote access.
Unit 42 said it unearthed evidence of at least four defense contractors targeted by the new wave of attacks, resulting in the compromise of one of them.
The intrusions predate by one month the August 2021 attacks through compromised Zoho ManageEngine servers. Analysis of the campaign has revealed that SockDetour was delivered from an external FTP server to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021.
The FTP server hosting SockDetour was itself a compromised QNAP (Quality Network Appliance Provider) small office and home office (SOHO) network-attached storage (NAS) server. “The NAS server is known to have multiple vulnerabilities, including a remote code execution vulnerability, CVE-2021-28799.”
Furthermore, it is believed that the QLocker ransomware was already on the server, raising suspicions about whether the TiltedTemple actor used the same vulnerability to gain unauthorised access.
SockDetour, for its part, is fashioned as a stand-in backdoor that hijacks legitimate processes’ network sockets to establish its own encrypted C2 channel, and then loads an unidentified plugin DLL file retrieved from the server.
“Thus, SockDetour requires neither opening a listening port from which to receive a connection nor calling out to an external network to establish a remote C2 channel,” the researchers said. “This makes it more difficult for the network and host to find the backdoor.”