A new tool called SockDetour has been discovered that acts as a backup backdoor if the original one is removed. Built as a 64-bit PE file, it stands out and is hard to detect because it runs filelessly and socketlessly on compromised Windows servers.
One of the C2 servers the threat actor used to distribute malware in the TiltedTemple campaign hosted SockDetour alongside other tools, including a memory dumping tool and several webshells.
The threat actor behind SockDetour has been using these tools to target US-based defense companies. According to Unit 42, at least four defense contractors have been targeted in this campaign, and at least one of them was compromised.
By loading filelessly into legitimate service processes and hijacking those processes’ network ports to build its own encrypted C2 channel, SockDetour helps attackers remain undetected on infected Windows servers. No further SockDetour samples were found in public sources, and the plugin DLL it loads is still unknown; Unit 42 added that the plugin is delivered over SockDetour’s encrypted channel and communicates through the hijacked sockets.
According to Unit 42, the NAS server seen hosting SockDetour is a model commonly used by small firms. The backdoor was linked to TiltedTemple, a broader APT campaign, which Unit 42 first discovered while investigating the actor’s exploitation of the Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077) vulnerabilities.
Unit 42 said the threat actor used the open-source Donut shellcode generator to convert SockDetour into shellcode. Once injected into manually specified target processes, the backdoor “leverages the Microsoft Detours library package, which is designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket”.
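The socket hijacking described above, and the fileless loading mentioned earlier, leave one reliable artifact: Detours installs a hook by overwriting the first bytes of the target function with a `jmp rel32` to a trampoline, so the in-memory prologue of a socket API such as `ws2_32!recv` in the injected service process no longer matches the copy in the on-disk image. The Python below is an added example (not code from the article or from Unit 42) of the check a defender would run: compare the two prologues and decode where the entry instruction jumps. It goes slightly beyond the Detours case by also recognising the `jmp [rip+disp32]` and `mov rax, imm64 ; jmp rax` shapes other hook engines use. The module base, address range, function offset and byte strings are constructed samples, not real captures.

```python
"""Inline-hook scanner for x86-64 function prologues (added defensive example).

A live scanner would read the prologue with ReadProcessMemory and the clean
bytes from the mapped PE on disk; here both are constructed samples.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MASK64 = 0xFFFFFFFFFFFFFFFF


@dataclass
class HookFinding:
    function: str
    kind: str               # "jmp_rel32", "jmp_rip_indirect", "mov_rax_jmp_rax" or "bytes_differ"
    target: Optional[int]   # jump destination (or the pointer slot for rip-indirect jumps)
    outside_module: bool    # True when the destination lies outside the hooked module's image


def decode_entry_jump(prologue: bytes, func_addr: int) -> Tuple[str, Optional[int]]:
    """Classify the first instruction at a function entry.

    Detours plants `jmp rel32` (E9 xx xx xx xx); other engines use
    `jmp qword ptr [rip+disp32]` (FF 25) or `mov rax, imm64 ; jmp rax`
    (48 B8 <imm64> FF E0). Returns (kind, target); target is None when
    the bytes differ but are not a recognisable jump.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel32 = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel32) & MASK64
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        disp32 = struct.unpack_from("<i", prologue, 2)[0]
        # The real destination is read from this slot at run time; report the slot.
        return "jmp_rip_indirect", (func_addr + 6 + disp32) & MASK64
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", prologue, 2)[0]
    return "bytes_differ", None


def scan_export(name: str, func_addr: int, in_memory: bytes, on_disk: bytes,
                module_range: Tuple[int, int]) -> Optional[HookFinding]:
    """Return a HookFinding when the in-memory prologue deviates from the on-disk one."""
    if in_memory[:len(on_disk)] == on_disk:
        return None                       # clean: memory matches the image on disk
    kind, target = decode_entry_jump(in_memory, func_addr)
    lo, hi = module_range
    outside = target is not None and not (lo <= target < hi)
    return HookFinding(name, kind, target, outside)


# --- Constructed sample data (hypothetical addresses, not a real capture) ---
WS2_32_BASE = 0x7FFDE3A00000
WS2_32_RANGE = (WS2_32_BASE, WS2_32_BASE + 0x70000)
RECV_ADDR = WS2_32_BASE + 0x12F40
# Typical Windows x64 prologue: mov [rsp+8],rbx ; push rdi ; sub rsp,20h
CLEAN_RECV = bytes.fromhex("48895c2408574883ec20")
# A trampoline 1 GiB above the module, i.e. within jmp rel32 reach but outside ws2_32
TRAMPOLINE = WS2_32_BASE + 0x40000000
REL32 = TRAMPOLINE - (RECV_ADDR + 5)
# What the entry looks like after a Detours-style patch: the 5-byte jmp replaces
# the first instructions, the rest of the prologue is untouched
HOOKED_RECV = b"\xe9" + struct.pack("<i", REL32) + CLEAN_RECV[5:]
# Another hook shape for comparison: mov rax, imm64 ; jmp rax
HOOKED_RECV_ABS = b"\x48\xb8" + struct.pack("<Q", 0x0000020000001000) + b"\xff\xe0"


def demo() -> list:
    """Scan the three constructed prologues and return the findings."""
    results = []
    for label, mem in (("recv", CLEAN_RECV), ("recv", HOOKED_RECV), ("recv", HOOKED_RECV_ABS)):
        results.append(scan_export(label, RECV_ADDR, mem, CLEAN_RECV, WS2_32_RANGE))
    return results


if __name__ == "__main__":
    for finding in demo():
        print("clean" if finding is None else
              f"{finding.function}: {finding.kind} -> "
              f"{'?' if finding.target is None else hex(finding.target)}"
              f"{' (outside module)' if finding.outside_module else ''}")
```

A jump whose destination lies outside the module, and in particular into memory that is not backed by any file on disk, is the signal worth alerting on; a `jmp_rip_indirect` through a slot inside the module's own import table is usually benign and should be resolved further before raising an alert.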