Monday, May 19, 2025
HomeCyber AttackFileless Malware SockDetour Remain stealthily on Compromised Windows servers

Fileless Malware SockDetour Remain stealthily on Compromised Windows servers

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers of Unit 42 have tracked an APT campaign and in that, they have noted a tool named SockDetour. 

It is a backup backdoor, and the threat actors have been using this tool since 2019. While this malware has specifically targeted U.S.-based defense contractors.

However, the main motive of the operators is to negotiate the windows hosts as a secondary implant. This backdoor has been designed to remain stealthily in compromised windows servers. In short, this backdoor serves as a backup in case the primary one fails.

- Advertisement - Google News

Connection with China

The APT campaign that has been detected by the experts of Unit 42 is Tilted temple, which has been using the SocketDetour backdoor tool.

Moreover, this campaign has previously been linked to attacks that are exploiting several vulnerabilities in Zoho products, which also include:- 

  • ManageEngine ADSelfservice Plus – CVE-2021-40539
  • ServiceDesk Plus – CVE-2021-44077

But in the month of November, the security experts of Unit 42 has suspected that the TiltedTemple campaign might have been working with a Chinese-sponsored threat group. 

However, till now there is no specific information regarding this, but the analysts have tracked the threat group as APT27. And they are trying their best to find all the possible information about the attack.

Campaigns Throughout 2021

After a proper investigation, it has been found that the TiltedTemple attacks focused on Zoho vulnerabilities, and in the whole world total of three different campaign has been initiated in the year 2021, and here we have mentioned below:-

  • An ADSelfService zero-day exploit between early August and mid-September.
  • An n-day AdSelfService exploit until late October.
  • A ServiceDesk one starting with October 25. 

Protections

However, there are some protection as well as mitigation that has been mentioned by the analysts of Unit 42. As they have asserted that the Cortex XDR eventually protects the endpoints as well as they identify the memory injector as malicious.

Not only this but the WildFire cloud-based threat analysis service also identifies the injector that has been used in this particular attack.

Apart from this, the customers of AutoFocus can easily track the SockDetour activity with the help of the SockDetour tag. Moreover, they also suggested that the server administrators should keep their windows servers always updated.

The operators of SockDetour have managed to convert SockDetour into a shellcode by using the Donut framework open-source shellcode generator.

That’s why it’s important for the administrators to keep their windows servers always updated. As this kind of attack creates a lot of problems and damages, it’s very important to stay alerted from this kind of attack.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...

Health Care Data Breach Costs BreachForums Admin $700,000 Fine

Conor Brian Fitzpatrick, the 22-year-old former administrator of cybercrime forum Breachforums, will forfeit approximately...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...