Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

APT

Fileless SockDetour backdoor targets U.S.-based defense contractors

Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors. Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors. According to the experts, the SockDetour backdoor has been in the wild since at least July 2019. Unit 42 attributes […]

SockDetour backdoor

Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.

According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.

Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322), threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) and ServiceDesk Plus vulnerability (CVE-2021-44077). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.

SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including memory dumping tool and several webshells.

“SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” reads the analsysi published by Palo Alto Networks. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Once SockDetour is injected into the process’s memory, it hijacks legitimate processes’ network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.

SockDetour backdoor

According to Microsoft DEV-0322 is an APT group based in China, which employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.

At least four defense contractors were targeted by the threat actor, and one of them was compromised.

SockDetour was delivered from an external FTP server, a compromised QNAP to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected with QLocker ransomware.

“While it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]