SockDetour backdoor used in attacks on defense contractors, says Unit 42

Researchers at Palo Alto Network's Unit 42 said they discovered a tool that serves as a backup backdoor in case the primary one is removed.
Written by Jonathan Greig, Contributor

Researchers at Palo Alto Network's Unit 42 said they discovered a tool -- named SockDetour -- that serves as a backup backdoor in case the primary one is removed. They believe it's possible that is has "been in the wild since at least July 2019."

The researchers said the backdoor, which is compiled in 64-bit PE file format, stood out and is hard to detect because it operations filelessly and socketlessly on compromised Windows servers. 

"One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors," the researchers explained

"Based on Unit 42's telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting US-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor."

SockDetour allows attackers to remain stealthily on compromised Windows servers by loading filelessly in legitimate service processes and using legitimate processes' network sockets to establish its own encrypted C2 channel.

The researchers did not find any additional SockDetour samples on public repositories, and the plugin DLL remains unknown. They added that it is being delivered through SockDetour's encrypted channel and communicating via hijacked sockets.

Unit 42 noted that the type of NAS server found hosting SockDetour is typically used by small businesses. 

The company tied the backdoor to a larger APT campaign they named TiltedTemple. They first identified TiltedTemple while investigating its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. 

"Our initial publications on TiltedTemple focused on attacks that occurred through compromised ManageEngine ADSelfService Plus servers and through ManageEngine ServiceDesk Plus," the researchers said. 

"The TiltedTemple campaign has compromised organizations across the technology, energy, healthcare, education, finance, and defense industries and conducted reconnaissance activities against these industries and others, including infrastructure associated with five US states. We found SockDetour hosted on infrastructure associated with TiltedTemple, though we have not yet determined whether this is the work of a single threat actor or several."

Unit 42 began its investigation of the TitledTemple campaign in August 2021 and found evidence that SockDetour "was delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server on July 27, 2021." 

The FTP server also hosted other tools used by the threat actor, such as a memory dumping tool and ASP webshells, according to Unit 42. The company found that after analyzing the attack, at least three other U.S.-based defense contractors were targeted by the same actor.

"The FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider (QNAP) small office and home office (SOHO) network-attached storage (NAS) server. The NAS server is known to have multiple vulnerabilities, including a remote code execution vulnerability, CVE-2021-28799," the researchers said. 

"This vulnerability was leveraged by various ransomware families in massive infection campaigns in April 2021. We believe the threat actor behind SockDetour likely also leveraged these vulnerabilities to compromise the NAS server. In fact, the NAS server was already infected with QLocker from the previous ransomware campaigns."

Unit 42 noted that the threat actor managed to convert SockDetour into a shellcode using the Donut framework open source shellcode generator. When injected into manually chosen target processes, the backdoor "leverages the Microsoft Detours library package, which is designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket."

Editorial standards