SockDetour is a newly identified backdoor, documented by Palo Alto Networks' Unit 42 research team and found on the networks of U.S. defense contractors, where it serves as a backup backdoor to maintain persistence and access.
SockDetour is a custom backdoor whose role is to keep the operators' access alive if their primary backdoor is removed from a target system. Unit 42's analysis shows the implant is hard to detect because it is fileless (it runs only in memory) and socketless (it does not open a network socket of its own). It was first identified during the investigation of the TiltedTemple campaign, alongside other tooling including memory-dumping utilities and several web shells.
Based on telemetry from the collected samples, "we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defense contractors," Unit 42's analysts say.
How SockDetour works
SockDetour is a small 64-bit binary that does not open a listening port to communicate with its C2 server. Instead, it hijacks a socket already opened by a legitimate process, which means it must first be injected into that process's memory without ever touching disk.
To do this, the operators used the Donut framework to convert the binary into position-independent shellcode and then loaded it into the target process with the PowerSploit memory-injection utility. In detail, hardcoded process IDs were found
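That delivery chain (a PowerShell host using PowerSploit to write shellcode into another process and start a thread on it) leaves a characteristic trace in endpoint telemetry. The following is an added detection example written for this page; it is not Unit 42's tooling and not SockDetour code. It assumes Sysmon-style records for Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread); the field names follow Sysmon's schema, while the event values themselves are constructed for illustration.

```python
"""Correlate ProcessAccess and CreateRemoteThread telemetry into injection findings.

Added example for this page, not Unit 42's code. Records below are constructed
to resemble Sysmon Event ID 10 / Event ID 8 fields; PIDs, paths and times are made up.
"""
from collections import defaultdict

# Access rights an injector needs on the target handle (winnt.h PROCESS_* values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Script hosts that rarely have a legitimate reason to inject into other processes.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2022-02-24 10:01:02.100",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 1356,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2022-02-24 10:01:02.250",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 1356,
     "StartAddress": "0x000001E4A8C50000", "StartModule": "", "StartFunction": ""},
    # Benign: read-only handle (VM_READ | QUERY_LIMITED_INFORMATION), no write/thread rights.
    {"EventID": 10, "UtcTime": "2022-02-24 10:05:00.000",
     "SourceImage": r"C:\Program Files\Vendor\agent.exe", "SourceProcessId": 900,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 700,
     "GrantedAccess": "0x1010"},
    # Benign: remote thread whose start address is backed by a loaded module.
    {"EventID": 8, "UtcTime": "2022-02-24 10:06:00.000",
     "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 512,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 2210,
     "StartAddress": "0x00007FFB1C2A0000",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
]


def image_name(path):
    """Lower-cased basename of an image path, for matching against SCRIPT_HOSTS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_injection_access(ev):
    """Event 10 where the granted handle carries every right an injector needs."""
    if ev.get("EventID") != 10 or ev["SourceProcessId"] == ev["TargetProcessId"]:
        return False
    granted = int(ev["GrantedAccess"], 16)
    return granted & INJECT_MASK == INJECT_MASK


def is_unbacked_remote_thread(ev):
    """Event 8 where the new thread starts at an address no module backs (shellcode)."""
    if ev.get("EventID") != 8 or ev["SourceProcessId"] == ev["TargetProcessId"]:
        return False
    return not ev.get("StartModule")


def score_events(events):
    """Group events per (source PID, target PID) and grade each pair.

    Both signals together (write-capable handle, then an unbacked remote thread)
    are graded high; either one alone is medium. Source script hosts are noted.
    """
    pairs = defaultdict(lambda: {"access": False, "thread": False, "source": "", "target": ""})
    for ev in events:
        rec = pairs[(ev["SourceProcessId"], ev["TargetProcessId"])]
        rec["source"], rec["target"] = ev["SourceImage"], ev["TargetImage"]
        rec["access"] |= is_injection_access(ev)
        rec["thread"] |= is_unbacked_remote_thread(ev)

    findings = []
    for (spid, tpid), rec in sorted(pairs.items()):
        if not (rec["access"] or rec["thread"]):
            continue
        reasons = []
        if rec["access"]:
            reasons.append("ProcessAccess with CREATE_THREAD|VM_OPERATION|VM_WRITE")
        if rec["thread"]:
            reasons.append("CreateRemoteThread at an address backed by no module")
        findings.append({
            "source_pid": spid, "target_pid": tpid,
            "source": rec["source"], "target": rec["target"],
            "script_host": image_name(rec["source"]) in SCRIPT_HOSTS,
            "severity": "high" if rec["access"] and rec["thread"] else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f["severity"], f["source_pid"], "->", f["target_pid"], f["reasons"])
```

The two benign records show why the correlation matters: a read-only handle to lsass.exe and a module-backed remote thread from csrss.exe are both ordinary, while a script host that first obtains a write-capable handle and then starts a thread at an unbacked address in a long-lived service is exactly the shape a fileless loader produces. The PID pairing is also the pivot an analyst would use to find which process a hardcoded target PID pointed at.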