Last Updated on 26/02/2022 by Nidhi Khandelwal
SockDetour, a previously unreported, stealthy custom backdoor that targeted U.S.-based defense contractors and was designed to be deployed as a secondary implant on compromised Windows hosts, has been revealed by cybersecurity researchers.
“SockDetour is a backdoor that is meant to remain stealthy on hacked Windows servers so that it can serve as a backup backdoor in the event the primary one fails,” according to a report issued Thursday by Palo Alto Networks’ Unit 42 threat intelligence. “Because it operates filelessly and socketlessly on hacked Windows servers, it’s tough to detect.”
More alarming still, the compilation timestamp on the sample indicates that SockDetour has been used in attacks since at least July 2019, meaning the backdoor escaped detection for almost two and a half years.
TiltedTemple (tracked by Microsoft as DEV-0322) is the designation for a China-based hacking group that exploited zero-day flaws in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus deployments as a launchpad for malware attacks last year, according to the company.
One of the command-and-control (C2) servers used to distribute malware in the late-2021 campaigns also hosted the SockDetour backdoor, along with a memory-dumping tool and multiple web shells for remote access.
Unit 42 said it found evidence that at least four defense contractors were targeted by the new wave of attacks, one of which was compromised.
The intrusions also predate, by about a month, the August 2021 attacks that used compromised Zoho ManageEngine servers. According to the investigation, SockDetour was delivered to a U.S.-based defense firm via an external FTP server.