
New "SockDetour" Fileless, Socketless Backdoor Targets U.S. Defense Contractors
2022-02-28 20:24

Cybersecurity researchers have taken the wraps off a previously undocumented and stealthy custom malware called SockDetour that targeted U.S.-based defense contractors with the goal of being used as a secondary implant on compromised Windows hosts.

"SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails," Palo Alto Networks' Unit 42 threat intelligence said in a report published Thursday.

The ties to TiltedTemple come from overlaps in the attack infrastructure: one of the command-and-control servers used to distribute malware for the late 2021 campaigns also hosted the SockDetour backdoor, alongside a memory dumping utility and a number of web shells for remote access.

Unit 42 said it unearthed evidence of at least four defense contractors targeted by the new wave of attacks, resulting in the compromise of one of them.

Analysis of the campaign has revealed that SockDetour was delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server on July 27, 2021.

"The FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider small office and home office network-attached storage server," the researchers pointed out.


News URL

https://thehackernews.com/2022/02/new-sockdetour-fileless-socketless.html