Cybersecurity researchers have disclosed SockDetour, a previously undocumented and stealthy custom malware that targeted US-based defence contractors and was intended to serve as a secondary implant on compromised Windows hosts.

Palo Alto Networks’ Unit 42 threat intelligence team reported: “SockDetour is a backdoor designed to remain stealthily on compromised Windows servers in order to serve as a backup backdoor in the event that the primary one fails. It is difficult to detect because it operates on compromised Windows servers filelessly and socketlessly.”

The attacks have been linked to a threat cluster tracked as TiltedTemple (also known as DEV-0322 by Microsoft), a label used for a Chinese hacking group that was instrumental in exploiting zero-day flaws in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus deployments as a launchpad for malware attacks.

The links to TiltedTemple rest on overlaps in attack infrastructure: one of the command-and-control (C2) servers used to distribute malware in the late-2021 campaigns also hosted the SockDetour backdoor, along with a memory-dumping utility and numerous web shells for remote access.

According to the campaign analysis, the intrusions also occurred a month before the attacks conducted through compromised Zoho ManageEngine servers in August 2021: SockDetour was delivered from an external FTP server to a U.S.-based defence contractor’s internet-facing Windows server on July 27, 2021.

SockDetour is designed as a stand-in backdoor that takes over legitimate processes’ network sockets in order to establish its own encrypted C2 channel, after which it loads an unidentified plugin DLL retrieved from the server.
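Because SockDetour leaves no file on disk and reuses existing sockets, the most practical host-side signal is the delivery stage: the PowerSploit-style memory injectors that loaded it, which show up in PowerShell script block logging (Event ID 4104). The following is an added example, not Unit 42's code or anything from the SockDetour write-up; it scores constructed script-block records for the hallmarks of in-memory PE injection. The cmdlet names are the public PowerSploit function names, the API tokens are generic reflective-loader indicators, and the sample log lines are constructed for illustration.

```python
"""Triage PowerShell script-block records for in-memory PE injection signals.

Added example (not Unit 42 code). The records below are constructed to mimic
Event ID 4104 ScriptBlockText fields; scoring thresholds are an assumption.
"""
import re
from dataclasses import dataclass, field

# Cmdlet names from the public PowerSploit project. Any one of them is a strong
# signal, because these loaders map a PE into memory without writing to disk.
INJECTOR_CMDLETS = (
    "Invoke-ReflectivePEInjection",
    "Invoke-Shellcode",
    "Invoke-DllInjection",
)

# Weaker, additive signals typical of reflective loaders: Win32 memory APIs
# resolved at runtime and raw byte arrays handed to them.
API_TOKENS = ("VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "[Byte[]]")

# A long base64 run inside a script block often carries the injected PE.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Finding:
    record_id: str
    score: int
    reasons: list = field(default_factory=list)


def score_script_block(record_id: str, text: str) -> Finding:
    """Score one script block: +5 per injector cmdlet, +1 per API token, +2 for a base64 blob."""
    finding = Finding(record_id, 0)
    lowered = text.lower()
    for name in INJECTOR_CMDLETS:
        if name.lower() in lowered:
            finding.reasons.append(f"PowerSploit injector cmdlet: {name}")
            finding.score += 5
    for token in API_TOKENS:
        if token.lower() in lowered:
            finding.reasons.append(f"in-memory loader token: {token}")
            finding.score += 1
    if BASE64_BLOB.search(text):
        finding.reasons.append("long base64 payload")
        finding.score += 2
    return finding


def triage(records, threshold: int = 5):
    """Return findings at or above the threshold, highest score first."""
    findings = (score_script_block(rid, txt) for rid, txt in records)
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample records (record id, ScriptBlockText). Not real telemetry.
SAMPLE_RECORDS = [
    ("4104-0001", "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"),
    ("4104-0002", "$b = [Byte[]](Get-Content payload.bin -Encoding Byte); "
                  "Invoke-ReflectivePEInjection -PEBytes $b"),
    ("4104-0003", "$x = [Convert]::FromBase64String('" + "QUFB" * 80 + "'); "
                  "$p = VirtualAlloc ... WriteProcessMemory ... CreateRemoteThread"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.record_id, f.score, "; ".join(f.reasons))
```

The second record is caught by the cmdlet name alone; the third has no PowerSploit name but still crosses the threshold on the combination of a large base64 blob and the three memory APIs, which is the pattern to expect when an operator renames the loader. Pair this with the SockDetour PE and public-key indicators from the Unit 42 report for the on-disk and network side.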

Finally, the researchers concluded: “the FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider (QNAP) small office and home office (SOHO) network-attached storage (NAS) server. The NAS server is known to have multiple vulnerabilities, including CVE-2021-28799, a remote code execution vulnerability.”


Indicators of Compromise

SockDetour PE


PowerSploit Memory Injectors Delivering SockDetour


Public Key Embedded in SocketDetour

