SockDetour Backup Backdoor Targets US Defense Contractors
Report: Silent, Fileless, Socketless Backdoor Difficult to Detect
An advanced persistent threat campaign named TiltedTemple is now using a sophisticated tool called SockDetour to maintain persistence and target U.S. defense contractors, according to researchers at Palo Alto's Unit 42.
Unit 42 researchers first identified TiltedTemple in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability tracked as CVE-2021-40539 and ServiceDesk Plus vulnerability tracked as CVE-2021-44077.
The researchers say the threat actors are using a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare, education, finance and defense industries.
"We believe the threat actor behind SockDetour has been focused on targeting U.S.-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor. We also believe that SockDetour has been in the wild since at least July 2019," the researchers say.
They could not identify any additional SockDetour samples on public repositories and say they assume that the backdoor successfully stayed under the radar for a long time.
The researchers say SockDetour is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails.
"It is difficult to detect since it operates filelessly and socketlessly on compromised Windows servers," the researchers say. "One of the command-and-control infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells."
The TiltedTemple campaign was initially identified as starting in August 2021. The researchers discovered evidence that SockDetour was being delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server on July 27, 2021.
The FTP server that hosted SockDetour was a compromised small office/home office (SOHO) network-attached storage (NAS) server from Quality Network Appliance Provider, the researchers say.
"The NAS server is known to have multiple vulnerabilities, including a remote code execution vulnerability, CVE-2021-28799. This vulnerability was leveraged by various ransomware families in massive infection campaigns in April 2021. We believe the threat actor behind SockDetour likely also leveraged these vulnerabilities to compromise the NAS server. In fact, the NAS server was already infected with QLocker from previous ransomware campaigns."
SockDetour is compiled as a 64-bit PE file and targets Windows servers that run services with listening TCP ports. The researchers say the backdoor hijacks network connections made to a preexisting socket of such a service and establishes an encrypted C2 channel with the remote threat actor over that socket.
"Thus, SockDetour requires neither opening a listening port from which to receive a connection nor calling out to an external network to establish a remote C2 channel. This makes the backdoor more difficult to detect from both host and network level," the researchers say.
To hijack an existing process's socket, SockDetour must be injected into that process's memory. The threat actor converts SockDetour into shellcode with the open-source Donut shellcode generator and then uses the PowerSploit memory injector to inject the shellcode into target processes. Researchers found samples containing hard-coded target process IDs, which indicates the threat actor manually chose the injection targets on each compromised server.
"After SockDetour is injected into the target process, the backdoor leverages the Microsoft Detours library package, which is designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket. Using the DetourAttach() function, it attaches a hook to the Winsock accept() function. With the hook in place, when new connections are made to the service port and the Winsock accept() API function is invoked, the call to the accept() function is re-routed to the malicious detour function defined in SockDetour," the researchers say.
But, they say, other non-C2 traffic is returned to the original service process to ensure the targeted service operates normally without interference. This whole process enables SockDetour to operate filelessly and socketlessly in compromised Windows servers and serves as a backup backdoor in case the primary backdoor is detected.
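The hooking technique described above leaves a host-side artifact: Microsoft Detours overwrites the first instructions of the hooked function with a jump to its trampoline, so the in-memory prologue of ws2_32!accept no longer matches a trusted baseline (the on-disk module or a known-good host). The following heuristic check is an added example written for this article, not Unit 42's code or SockDetour's. It assumes the usual Detours patch shape on x64 (a 5-byte E9 rel32 jump) and also flags the indirect-jump and mov-rax/jmp-rax shapes other hooking frameworks use; the sample prologue bytes are constructed, not real ws2_32 bytes. Legitimate EDR and AV products hook the same function, so a hit is a triage lead to compare against a baseline, not proof of compromise.

```python
"""Heuristic check for an inline detour on Winsock accept() (added example)."""
import struct
import sys

PROLOGUE_LEN = 16  # bytes of the function start to compare


def classify_prologue(prologue: bytes) -> str:
    """Return the kind of control transfer found at the start of a function."""
    if len(prologue) < 5:
        raise ValueError("need at least 5 bytes of prologue")
    if prologue[0] == 0xE9:
        return "jmp_rel32"           # the usual Detours patch (E9 rel32)
    if prologue[:2] == b"\xff\x25":
        return "jmp_indirect"        # jmp [rip+disp32] on x64 / jmp [abs32] on x86
    if prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov_rax_jmp_rax"     # 48 B8 imm64 ; FF E0
    return "clean"


def jmp_rel32_target(func_addr: int, prologue: bytes) -> int:
    """Resolve where an E9 rel32 jump written at func_addr lands."""
    rel = struct.unpack_from("<i", prologue, 1)[0]
    return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def first_difference(live: bytes, baseline: bytes) -> int:
    """Index of the first byte where live memory diverges from the baseline, or -1."""
    for i, (a, b) in enumerate(zip(live, baseline)):
        if a != b:
            return i
    return -1 if len(live) == len(baseline) else min(len(live), len(baseline))


def assess_accept(live: bytes, baseline: bytes, func_addr: int = 0) -> dict:
    """Combine the shape check with a baseline comparison into one verdict."""
    kind = classify_prologue(live)
    diverges_at = first_difference(live, baseline)
    result = {
        "kind": kind,
        "diverges_at": diverges_at,
        "hooked": kind != "clean" or diverges_at != -1,
    }
    if kind == "jmp_rel32":
        result["jump_target"] = jmp_rel32_target(func_addr, live)
    return result


def read_live_accept_prologue():
    """Windows only: address and first bytes of ws2_32!accept in this process."""
    if sys.platform != "win32":
        raise RuntimeError("reading the live prologue requires Windows")
    import ctypes
    ws2 = ctypes.WinDLL("ws2_32")
    addr = ctypes.cast(ws2.accept, ctypes.c_void_p).value
    return addr, ctypes.string_at(addr, PROLOGUE_LEN)


# Constructed samples (not real ws2_32 bytes): a plausible clean x64 prologue
# and the same function after a 5-byte relative jump (rel32 = 0x1000) was
# written over its first instruction.
CLEAN = bytes.fromhex("48895c2408574883ec20488bd9488bfa")
HOOKED = bytes.fromhex("e900100000") + CLEAN[5:]

if __name__ == "__main__":
    # Assumed load address for the demo; on Windows use read_live_accept_prologue().
    print(assess_accept(CLEAN, CLEAN, 0x7FF800001000))
    print(assess_accept(HOOKED, CLEAN, 0x7FF800001000))
```

On a real host the baseline comes from the ws2_32.dll image on disk (after applying relocations) or from a clean reference machine; the divergence offset and resolved jump target tell an analyst which module the detour lands in, which is what separates an EDR hook from an injected payload.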
As a backup backdoor, SockDetour has a single function: loading a plug-in DLL.
"After the session key sharing, SockDetour receives four bytes of data from the client, which indicates the length of data SockDetour will receive for the final payload delivery stage. The size is expected to be smaller than or equal to five MB. The final payload data received is encrypted using the shared session key. After decryption, the received data is expected to be in JSON format with two objects, app and args. The app contains a Base64-encoded DLL, and args contains an argument to be passed to the DLL. SockDetour loads this plug-in DLL in newly allocated memory space, then calls an export function with the name ThreadProc with a function argument in the following JSON structure," the researchers say.
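An analyst who has carved the decrypted final stage from memory or a decrypted capture wants the structural checks above applied mechanically: the length prefix bounded at 5 MB and the JSON split into the DLL and its argument, with the DLL hashed for lookup. The triage helper below is an added example written for this article, not Unit 42's or SockDetour's code. It assumes a little-endian length prefix (the report does not state the byte order) and reads "five MB" as 5 MiB; the session-key encryption is out of scope, so the function takes already-decrypted bytes, and the embedded sample DLL is a constructed stub that only carries the MZ marker.

```python
"""Triage helper for the decrypted final-stage plug-in payload (added example)."""
import base64
import hashlib
import json
import struct

MAX_PAYLOAD = 5 * 1024 * 1024   # "five MB" in the report; MiB assumed here


def parse_length_prefix(header: bytes) -> int:
    """Decode the 4-byte length field and enforce the reported 5 MB ceiling."""
    if len(header) != 4:
        raise ValueError("length prefix must be exactly 4 bytes")
    n = struct.unpack("<I", header)[0]   # little-endian assumed (not stated)
    if n > MAX_PAYLOAD:
        raise ValueError(f"payload length {n} exceeds {MAX_PAYLOAD} bytes")
    return n


def triage_plugin_stage(decrypted: bytes) -> dict:
    """Validate the decrypted JSON document and summarise the embedded DLL."""
    doc = json.loads(decrypted.decode("utf-8"))
    missing = {"app", "args"} - set(doc)
    if missing:
        raise ValueError(f"missing members: {sorted(missing)}")
    dll = base64.b64decode(doc["app"], validate=True)
    return {
        "dll_size": len(dll),
        "is_pe": dll[:2] == b"MZ",               # DOS header magic
        "sha256": hashlib.sha256(dll).hexdigest(),
        "args": doc["args"],
        "extra_members": sorted(set(doc) - {"app", "args"}),
    }


# Constructed sample: a 64-byte stand-in for a DLL, wrapped the way the
# write-up describes, plus the matching length prefix.
FAKE_DLL = b"MZ" + b"\x00" * 62
SAMPLE_JSON = json.dumps(
    {"app": base64.b64encode(FAKE_DLL).decode(), "args": "example-arg"}
).encode()
SAMPLE_HEADER = struct.pack("<I", len(SAMPLE_JSON))

if __name__ == "__main__":
    n = parse_length_prefix(SAMPLE_HEADER)
    print(f"expecting {n} bytes of payload")
    print(triage_plugin_stage(SAMPLE_JSON[:n]))
```

The SHA-256 of the extracted DLL is the value to search in threat-intelligence feeds and sandbox reports; a payload that fails the MZ check or exceeds the length ceiling is worth a second look because it departs from the behaviour the researchers describe.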