Meet SockDetour fileless backdoor targeting U.S. Defense contractors

Researchers suspect that the SockDetour backdoor is used in attacks carried out by an APT (advanced persistent threat) group known as TiltedTemple.

Palo Alto Networks' Unit 42 researchers discovered a tool that can serve as a backup backdoor if the primary backdoor is removed by defenders. Its principal function is to maintain access to infected networks. This custom malware, dubbed SockDetour, was used in targeted attacks on US defense contractors.

SockDetour in Use Since 2019

According to Unit 42's research team, SockDetour's operators kept it under the radar for over three years; it was first used in the wild in 2019. The malware is highly stealthy: it operates socketlessly and filelessly on compromised Windows servers by hijacking existing network connections, which makes it difficult to detect at both the network and host levels. It is compiled as a 64-bit PE file.

SockDetour Capabilities

The malware lets attackers remain on compromised Windows servers stealthily. It achieves this by loading itself filelessly into legitimate service processes and using those processes' genuine network sockets to establish its encrypted C2 channel.
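The behaviour just described leaves a host-side trace that telemetry can be screened for: a service process that owns network sockets and also holds executable memory backed by no file on disk. The triage heuristic below is an added example, not code from the article or from Unit 42; the process-snapshot format and the sample records are constructed assumptions.

```python
# Host-side triage heuristic for fileless code riding a legitimate process's
# sockets. Added example with a hypothetical telemetry format; not the
# article's or Unit 42's own tooling. Sample records below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Region:
    base: int
    size: int
    executable: bool
    backing_file: Optional[str]  # None = private memory with no file on disk


@dataclass
class ProcessSnapshot:
    pid: int
    image: str
    regions: List[Region] = field(default_factory=list)
    # (remote address, remote port, socket state)
    sockets: List[Tuple[str, int, str]] = field(default_factory=list)


def unbacked_exec_regions(p: ProcessSnapshot) -> List[Region]:
    """Executable regions that no module on disk accounts for."""
    return [r for r in p.regions if r.executable and r.backing_file is None]


def suspicious(p: ProcessSnapshot) -> bool:
    """Flag a process that both talks on the network and runs unbacked code.
    Caveat: JIT runtimes (.NET, browsers) legitimately create unbacked
    executable memory, so allow-list those images before acting on a hit."""
    has_net = any(state in ("ESTABLISHED", "LISTENING") for _, _, state in p.sockets)
    return has_net and bool(unbacked_exec_regions(p))


def triage(snapshots: List[ProcessSnapshot]) -> List[Tuple[int, str, int]]:
    """Return (pid, image, unbacked executable region count) for each hit."""
    return [(p.pid, p.image, len(unbacked_exec_regions(p)))
            for p in snapshots if suspicious(p)]


SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SAMPLE = [  # constructed telemetry, not real observations
    ProcessSnapshot(1208, SVCHOST,
                    [Region(0x7FF6A0000000, 0x20000, True, SVCHOST),
                     Region(0x1E3C0000, 0x40000, True, None)],
                    [("10.0.0.5", 443, "ESTABLISHED")]),
    ProcessSnapshot(4412, "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
                    [Region(0x7FF700000000, 0x30000, True,
                            "C:\\Windows\\System32\\inetsrv\\w3wp.exe")],
                    [("0.0.0.0", 80, "LISTENING")]),
    ProcessSnapshot(988, "C:\\Windows\\System32\\notepad.exe",
                    [Region(0x2A000000, 0x1000, True, None)], []),
]
```

Only the first record trips both conditions; the web worker has sockets but only file-backed code, and the third has unbacked code but no network activity.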

At Least 4 US Defense Contractors Targeted

Researchers initially observed that the malware was deployed onto the Windows servers of
