Security researchers detected a new advanced persistent threat campaign, which was first identified in relation to the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077.
According to Palo Alto Unit 42, the threat actors behind the campaign used a number of techniques to access compromised systems and achieve persistence. More than a dozen organizations across various sectors have been compromised, including technology, energy, healthcare, finance, education, and defense. While analyzing this campaign, Palo Alto uncovered an additional sophistical tool, which they called SockDetour.
What Is SockDetour?
SockDetour is a custom backdoor, which can also act as a backup backdoor in case the primary one is removed from the compromised system. The analysis shows that it is difficult to detect, as it operates in a fileless and socketless mode on the affected Windows servers. The backdoor has been tracked in the Tilted Temple campaign, where it has been used with “other miscellaneous tools such as a memory dumping tool and several webshells.”
Palo Alto believes that SockDetour has been targeting U.S.-based defense contractors.
“Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor,” the report said. The researchers also believe that the sophisticated backdoor has been in the wild at least since July 2019. But since no additional samples of the malware were discovered, it seems that it successfully stayed under the radar for years.
The malware is a custom backdoor, compiled in a 64-bit PE file format, designed to serve as a backup backdoor. This purpose alone makes it a very stealthy and sophisticated backdoor.
SockDetour has been developed for the Windows operating system, running services with listening TCP ports. The backdoor can hijack network connections made to the pre-existing network socket and establish an encrypted command-and-control (C2) channel with the remote threat actors through the socket. In other words, the malware doesn’t need a listening port to receive a connection, nor does it need calling out to an external network to create a remote C2 channel. These conditions make SockDetour “more difficult to detect from both host and network level.”
To hijack existing sockets, the malware needs to be injected into the process’s memory. To make this possible, the malware coder converted SockDetour into a shellcode via Donut framework, an open source shellcode generator. Then, he used the PowerSploit memory injector to inject the shellcode into target processes. The researchers found proof that shows how the threat actor manually chose injection target processes on the compromised servers.
Once injection is completed, the backdoor utilizes the Microsoft Detours library package, designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket.
Using the DetourAttach() function, it attaches a hook to the Winsock accept() function. With the hook in place, when new connections are made to the service port and the Winsock accept() API function is invoked, the call to the accept() function is re-routed to the malicious detour function defined in SockDetour. Other non-C2 traffic is returned to the original service process to ensure the targeted service operates normally without interference, the report said.
This implementation makes it possible for SockDetour to operate filelessly and socketlessly, serving as a backdoor in cases when the primary one has been detected and removed.
Another recently detected backdoor malware campaign targeted Windows, macOS, and Linux operating systems. Called SysJoker, the multi-platform malware was not detected by any of the security engines in VirusTotal, when it was first discovered. SysJoker was detected by Intezer researchers during an active attack on a Linux-based web server that belongs to a leading educational institution.