Researchers have identified a new tactic that threat actors use to retain access to compromised systems. While analyzing the TiltedTemple APT campaign, researchers found a new backdoor, “SockDetour,” that serves as a backup backdoor.
TiltedTemple Campaign And SockDetour Backdoor
As elaborated in a detailed post, Palo Alto Networks Unit42 researchers observed the SockDetour backdoor in TiltedTemple APT campaigns spotted recently.
The malicious campaign first caught the researchers’ attention when it exploited the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. (The same Zoho ManageEngine vulnerability also led to the devastating Red Cross cyber attack recently.)
However, what made the campaign stand out was its use of the SockDetour backdoor. It’s a new tool that serves as a backup backdoor if the primary backdoor is removed from the target system. SockDetour is a powerful tool because it runs socketlessly and filelessly on Windows servers, so it stays under the radar while remaining fully active.
Explaining more about it, the researchers stated,
It works on Windows operating systems that are running services with listening TCP ports. It hijacks network connections made to the pre-existing network socket and establishes an encrypted C2 channel with the remote threat actor via the socket. Thus, SockDetour requires neither opening a listening port from which to receive a connection nor calling out to an external network to establish a remote C2 channel.
SockDetour typically performs one main activity when injected as a backdoor – loading a (yet unknown) plugin DLL.
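Because the backdoor rides on a socket that a legitimate service already holds open, a defender cannot rely on a new listening port or a dropped file showing up. One detection angle that follows from the description above is to correlate remote thread creation into processes that own listening TCP ports. The script below is an added example, not code from the Unit 42 post: it parses a constructed `netstat -ano` excerpt and a constructed, reduced set of Sysmon Event ID 8 (CreateRemoteThread) records, and flags injections whose new thread starts outside any loaded module (empty StartModule), which is the footprint an in-memory implant would leave. The sample process names, PIDs and paths are constructed.

```python
import re

# Constructed `netstat -ano` excerpt in the layout the Windows command prints.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49710         10.0.0.9:445           ESTABLISHED     4
"""

# Constructed Sysmon Event ID 8 records, reduced to the fields this check uses.
SYSMON_EID8_SAMPLE = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 700,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 912,
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Users\Public\update.exe", "SourceProcessId": 5044,
     "TargetImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "TargetProcessId": 1520,
     "StartModule": "", "StartFunction": ""},
]

# Matches only TCP rows in LISTENING state; works for IPv4 and bracketed IPv6 addresses.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)

def listening_ports_by_pid(netstat_text):
    """Map PID -> set of TCP ports that the process holds in LISTENING state."""
    ports = {}
    for _addr, port, pid in LISTEN_RE.findall(netstat_text):
        ports.setdefault(int(pid), set()).add(int(port))
    return ports

def find_suspect_injections(events, listeners):
    """Return EID 8 events whose target owns a listening TCP port and whose new
    thread has no backing module (heuristic for a thread started from injected,
    unbacked memory rather than from a DLL on disk)."""
    hits = []
    for ev in events:
        pid = ev["TargetProcessId"]
        if pid in listeners and not ev.get("StartModule"):
            hits.append({"pid": pid, "ports": sorted(listeners[pid]),
                         "source": ev["SourceImage"], "target": ev["TargetImage"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_injections(SYSMON_EID8_SAMPLE, listening_ports_by_pid(NETSTAT_SAMPLE)):
        print(hit)
```

On a real host, replace the constructed samples with the live `netstat -ano` output and exported Sysmon events; the benign svchost-to-svchost record shows that a thread backed by a loaded module is not flagged.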
Researchers have presented a detailed technical analysis of the backdoor in their post.
SockDetour Active Since 2019
This malicious campaign employed various measures to compromise target systems. The threat actors behind this campaign had a diversified hit-list spanning multiple sectors. These include energy, health, defense, finance, education, and technology. The threat actors have already compromised numerous businesses.
However, the campaign deploying SockDetour appeared more focused on the defense sector. As stated in the post,
Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor.
SockDetour attacks seemingly gained momentum in 2021, but the backdoor has presumably existed since 2019. It remains unclear whether the attacks link back to the same threat actor group or to different groups.