[MART] - Daily Diary #460 - SockDetour Backdoor

CTAS-MAT ctas-mat at appgate.com
Thu Feb 24 21:51:08 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

02/24/2022 - Diary entry #460:

SockDetour is a backdoor, active since at least July 2019, used as a redundant implant on compromised Microsoft Windows hosts by the APT operation tracked as TiltedTemple. If the primary backdoor is disabled, SockDetour takes over as a very stealthy backup backdoor thanks to its fileless and socketless design.

The threat actors behind SockDetour mainly target defense contractors in the U.S. and use several techniques to compromise their targets' systems and establish persistence. In July 2021, a SockDetour attack was launched from an FTP server against a Windows server belonging to a U.S.-based defense contractor. That FTP server was hosted on a compromised NAS device that also held other malicious tools, such as webshells and a memory-dumping tool.

As for the sample itself, SockDetour is a compiled 64-bit PE file that injects shellcode into the memory of a process that already owns listening TCP ports and hijacks that process's network connections to communicate with its C2 server. Once injected, it uses the Microsoft Detours library to hook the process's Windows socket API, so that it can receive from and send to the C2 over the existing socket while handing all non-C2 traffic back to the original process to avoid detection.

APT groups are always innovating, and SockDetour is an example of a stealthy and dangerous threat that was used to successfully carry out the TiltedTemple operation.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
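A hunting script to go with the entry above, added here as an example; it is not part of the original diary entry and not Appgate or Unit 42 tooling. The entry describes two things a responder can check for: SockDetour lives inside a process that already owns a listening TCP socket, and it patches that process's Winsock functions with Microsoft Detours, which writes an inline jump over the start of each hooked function. The script therefore (1) enumerates every process that owns a listening TCP port and (2) compares the first 16 bytes of a few ws2_32.dll exports in each of those processes with the same bytes in its own process. Because system DLLs are mapped at the same base in every same-bitness process for the lifetime of a boot, the address of ws2_32!recv in the script's process is also its address in the target. Assumptions: elevated 64-bit Windows PowerShell 5.1 on Windows 10 / Server 2016 or newer, 64-bit targets (WoW64 processes are skipped because the read fails there); the export list (recv, WSARecv, send, WSASend) is a guess at the usual Winsock entry points, since the entry does not say which functions SockDetour hooks.

```powershell
# Added hunting example, not from the original post. Run elevated in 64-bit Windows PowerShell.
# Assumption: the four exports below are the usual Winsock receive/send entry points; which ones
# SockDetour actually hooks is not stated in the diary entry.

Add-Type -Namespace Hunt -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out int read);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr LoadLibraryA(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@

$PROCESS_VM_READ           = 0x0010
$PROCESS_QUERY_INFORMATION = 0x0400
$PrologueLen = 16                      # covers a Detours "jmp rel32" (5 bytes) or "jmp [rip+disp]" (6 bytes)
$Targets = 'recv', 'WSARecv', 'send', 'WSASend'

# Map ws2_32.dll into our own process so we have a reference copy of each prologue.
$ws2 = [Hunt.Native]::LoadLibraryA('ws2_32.dll')
if ($ws2 -eq [IntPtr]::Zero) { throw 'cannot load ws2_32.dll' }

$Reference = @{}
foreach ($fn in $Targets) {
    $addr = [Hunt.Native]::GetProcAddress($ws2, $fn)
    if ($addr -eq [IntPtr]::Zero) { continue }
    $buf = New-Object byte[] $PrologueLen
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $buf, 0, $PrologueLen)
    $Reference[$fn] = @{ Address = $addr; Hex = [System.BitConverter]::ToString($buf) }
}

function Test-WinsockPrologue {
    # Returns one object per export whose first bytes in the target differ from ours, else nothing.
    param([int]$ProcessId)
    $h = [Hunt.Native]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return }     # protected process, or we are not elevated
    try {
        foreach ($fn in $Reference.Keys) {
            $buf  = New-Object byte[] $PrologueLen
            $read = 0
            $ok = [Hunt.Native]::ReadProcessMemory($h, $Reference[$fn].Address, $buf, $PrologueLen, [ref]$read)
            # Read failure means ws2_32 is not mapped at that address there (no Winsock, or a WoW64 process).
            if (-not $ok -or $read -ne $PrologueLen) { continue }
            $observed = [System.BitConverter]::ToString($buf)
            if ($observed -ne $Reference[$fn].Hex) {
                [pscustomobject]@{
                    Function = "ws2_32!$fn"
                    Expected = $Reference[$fn].Hex
                    Observed = $observed
                }
            }
        }
    } finally {
        [void][Hunt.Native]::CloseHandle($h)
    }
}

# Step 1: candidate hosts are the processes that currently own a listening TCP socket.
$Listeners = Get-NetTCPConnection -State Listen |
    Group-Object OwningProcess |
    ForEach-Object {
        $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        if ($p) {
            [pscustomobject]@{
                PID   = [int]$_.Name
                Name  = $p.ProcessName
                Path  = $p.Path
                Ports = ($_.Group.LocalPort | Sort-Object -Unique) -join ','
            }
        }
    }

# Step 2: report any candidate whose Winsock prologues do not match our reference copy.
foreach ($l in $Listeners) {
    $diffs = Test-WinsockPrologue -ProcessId $l.PID
    if ($diffs) {
        Write-Host "[!] PID $($l.PID) $($l.Name) ($($l.Path)) listening on $($l.Ports)" -ForegroundColor Yellow
        $diffs | Format-Table -AutoSize
    }
}
```

A mismatch is a lead, not a verdict: the reference copy is the live one in the PowerShell host, and an EDR or compatibility shim can hook Winsock there as well, which would either mask a hooked target or flag a clean one. Confirm by comparing the observed bytes with the same export in the on-disk ws2_32.dll, then dump the flagged process and look for executable regions that are not backed by a file, since the injected shellcode described in the entry never touches disk.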
