Tuesday, April 16, 2024

Fileless Malware SockDetour Remain stealthily on Compromised Windows servers

The cybersecurity researchers of Unit 42 have tracked an APT campaign and in that, they have noted a tool named SockDetour. 

It is a backup backdoor, and the threat actors have been using this tool since 2019. While this malware has specifically targeted U.S.-based defense contractors.

However, the main motive of the operators is to negotiate the windows hosts as a secondary implant. This backdoor has been designed to remain stealthily in compromised windows servers. In short, this backdoor serves as a backup in case the primary one fails.

Connection with China

The APT campaign that has been detected by the experts of Unit 42 is Tilted temple, which has been using the SocketDetour backdoor tool.

Moreover, this campaign has previously been linked to attacks that are exploiting several vulnerabilities in Zoho products, which also include:- 

  • ManageEngine ADSelfservice Plus – CVE-2021-40539
  • ServiceDesk Plus – CVE-2021-44077

But in the month of November, the security experts of Unit 42 has suspected that the TiltedTemple campaign might have been working with a Chinese-sponsored threat group. 

However, till now there is no specific information regarding this, but the analysts have tracked the threat group as APT27. And they are trying their best to find all the possible information about the attack.

Campaigns Throughout 2021

After a proper investigation, it has been found that the TiltedTemple attacks focused on Zoho vulnerabilities, and in the whole world total of three different campaign has been initiated in the year 2021, and here we have mentioned below:-

  • An ADSelfService zero-day exploit between early August and mid-September.
  • An n-day AdSelfService exploit until late October.
  • A ServiceDesk one starting with October 25. 

Protections

However, there are some protection as well as mitigation that has been mentioned by the analysts of Unit 42. As they have asserted that the Cortex XDR eventually protects the endpoints as well as they identify the memory injector as malicious.

Not only this but the WildFire cloud-based threat analysis service also identifies the injector that has been used in this particular attack.

Apart from this, the customers of AutoFocus can easily track the SockDetour activity with the help of the SockDetour tag. Moreover, they also suggested that the server administrators should keep their windows servers always updated.

The operators of SockDetour have managed to convert SockDetour into a shellcode by using the Donut framework open-source shellcode generator.

That’s why it’s important for the administrators to keep their windows servers always updated. As this kind of attack creates a lot of problems and damages, it’s very important to stay alerted from this kind of attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Hacker Customize LockBit 3.0 Ransomware to Attack Orgs Worldwide

Cybersecurity researchers at Kaspersky have uncovered evidence that cybercriminal groups are customizing the virulent...

Microsoft .NET, .NET Framework, & Visual Studio Vulnerable To RCE Attacks

A new remote code execution vulnerability has been identified to be affecting multiple Microsoft...

LightSpy Hackers Indian Apple Device Users to Steal Sensitive Data

The revival of the LightSpy malware campaign has been observed, focusing on Indian Apple...

LightSpy Malware Attacking Android and iOS Users

A new malware known as LightSpy has been targeting Android and iOS users.This sophisticated...

This Startup Aims To Simplify End-to-End Cybersecurity, So Anyone Can Do It

The Web3 movement is going from strength to strength with every day that passes....

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles