Researchers at Palo Alto Networks’ Unit 42 said they discovered a tool — named SockDetour — that serves as a backup backdoor in case the primary one is removed. They believe it’s possible that it has “been in the wild since at least July 2019.”
The researchers said the backdoor, which is compiled in 64-bit PE file format, stood out and is hard to detect because it operates filelessly and socketlessly on compromised Windows servers.
“One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors,” the researchers explained.
“Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting US-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor.”
SockDetour allows attackers to remain stealthy on compromised Windows servers by loading filelessly into legitimate service processes and using those legitimate processes’ network sockets to establish its own encrypted C2 channel.
The researchers did not find any additional SockDetour samples on public repositories, and the plugin DLL remains unknown.