SockDetour backdoor used in attacks on defense contractors, says Unit 42


Researchers at Palo Alto Networks’ Unit 42 said they discovered a tool — named SockDetour — that serves as a backup backdoor in case the primary one is removed. They believe it’s possible that it has “been in the wild since at least July 2019.”

The researchers said it stood out and is hard to detect because it operates filelessly and socketlessly on compromised Windows servers.

“One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors,” the researchers explained. 

“Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting US-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor.”

SockDetour allows attackers to remain stealthy on compromised Windows servers by loading filelessly into legitimate service processes and using those processes’ existing network sockets to establish its own encrypted C2 channel.

The researchers did not find any additional SockDetour samples in public repositories, and the plugin DLL that SockDetour loads remains unknown. They added that the plugin is delivered through SockDetour’s encrypted channel and communicates via the hijacked sockets.

Unit 42 noted that the type of NAS server found hosting SockDetour is typically used by small businesses. 

The company tied the backdoor to a larger APT campaign they named TiltedTemple. They first identified TiltedTemple while investigating its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. 

“Our initial publications on TiltedTemple focused on attacks that occurred through compromised ManageEngine ADSelfService Plus servers and through ManageEngine ServiceDesk Plus,” the researchers said. 

“The TiltedTemple campaign has compromised organizations across the technology, energy, healthcare, education, finance, and defense industries and conducted reconnaissance activities against these industries and others, including infrastructure associated with five US states. We found SockDetour hosted on infrastructure associated with TiltedTemple, though we have not yet determined whether this is the work of a single threat actor or several.”