Cybersecurity researchers have documented SockDetour, a previously unknown and stealthy custom malware used against US-based defence contractors as a secondary implant on compromised Windows hosts.

Palo Alto Networks’ Unit 42 threat intelligence reported that, “SockDetour is a backdoor designed to remain stealthily on compromised Windows servers in order to serve as a backup backdoor in the event that the primary one fails. It is difficult to detect because it operates on compromised Windows servers filelessly and socketlessly.”

The attacks have been linked to a threat cluster tracked as TiltedTemple (also known as DEV-0322 by Microsoft), a name given to a Chinese hacking group that exploited zero-day flaws in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus deployments as a launchpad for malware attacks.

The links to TiltedTemple are due to overlaps in the attack infrastructure, with one of the command-and-control (C2) servers used to facilitate malware distribution for the late 2021 campaigns also hosting the SockDetour backdoor, as well as a memory dumping utility and numerous web shells for remote access.

According to the campaign analysis, the intrusions also began a month before the attacks carried out through compromised Zoho ManageEngine servers in August 2021: SockDetour was delivered from an external FTP server to a U.S.-based defence contractor’s internet-facing Windows server on July 27, 2021.

SockDetour is designed as a stand-in backdoor that hijacks the network sockets of legitimate processes in order to establish its own encrypted C2 channel, after which it loads an unidentified plugin DLL file obtained from the server.

Finally, the researchers concluded that, “the FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider (QNAP) small office and home office (SOHO) network-attached storage (NAS) server. The NAS server is known to have multiple vulnerabilities, including CVE-2021-28799, a remote code execution vulnerability.”


Indicators of Compromise

SockDetour PE

0b2b9a2ac4bff81847b332af18a8e0705075166a137ab248e4d9b5cbd8b960df

PowerSploit Memory Injectors Delivering SockDetour

80ed7984a42570d94cd1b6dcd89f95e3175a5c4247ac245c817928dd07fc9540
bee2fe0647d0ec9f2f0aa5f784b122aaeba0cddb39b08e3ea19dd4cdb90e53f9
a5b9ac1d0350341764f877f5c4249151981200df0769a38386f6b7c8ca6f9c7a
607a2ce7dc2252e9e582e757bbfa2f18e3f3864cb4267cd07129f4b9a241300b
11b2b719d6bffae3ab1e0f8191d70aa1bade7f599aeadb7358f722458a21b530
cd28c7a63f91a20ec4045cf40ff0f93b336565bd504c9534be857e971b4e80ee
ebe926f37e7188a6f0cc85744376cdc672e495607f85ba3cbee6980049951889
3ea2bf2a6b039071b890f03b5987d9135fe4c036fb77f477f1820c34b341644e
7e9cf2a2dd3edac92175a3eb1355c0f5f05f47b7798e206b470637c5303ac79f
bb48438e2ed47ab692d1754305df664cda6c518754ef9a58fb5fa8545f5bfb9b

Public Key Embedded in SockDetour

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNX
cYoEi3Z4PhZkH3mar20EONVyXWP/YUxyUmxD+aTOVp3NB+XYOO9LqQEAWgyGndXy
yuDssLWTb7z54n8iDu2pqiAEvJ6h18iwf0EwZ1BzPBDS1Kw+JE4tYIR860rD1DBu
l0u6OURqMPb5eZT1bQIDAQAB
-----END PUBLIC KEY-----
