Fileless Malware SockDetour

The cybersecurity researchers of Unit 42 have tracked an APT campaign and in that, they have noted a tool named SockDetour. 

It is a backup backdoor, and the threat actors have been using this tool since 2019. While this malware has specifically targeted U.S.-based defense contractors.

However, the main motive of the operators is to negotiate the windows hosts as a secondary implant. This backdoor has been designed to remain stealthily in compromised windows servers. In short, this backdoor serves as a backup in case the primary one fails.

Connection with China

The APT campaign that has been detected by the experts of Unit 42 is Tilted temple, which has been using the SocketDetour backdoor tool.

Moreover, this campaign has previously been linked to attacks that are exploiting several vulnerabilities in Zoho products, which also include:- 

  • ManageEngine ADSelfservice Plus – CVE-2021-40539
  • ServiceDesk Plus – CVE-2021-44077

But in the month of November, the security experts of Unit 42 has suspected that the TiltedTemple campaign might have been working with a Chinese-sponsored threat group. 

However, till now there is no specific information regarding this, but the analysts have tracked the threat group as APT27. And they are trying their best to find all the possible information about the attack.

Campaigns Throughout 2021

After a proper investigation, it has been found that the TiltedTemple attacks focused on Zoho vulnerabilities, and in the whole world total of three different campaign has been initiated in the year 2021, and here we have mentioned below:-

  • An ADSelfService zero-day exploit between early August and mid-September.
  • An n-day AdSelfService exploit until late October.
  • A ServiceDesk one starting with October 25. 


However, there are some protection as well as mitigation that has been mentioned by the analysts of Unit 42. As they have asserted that the Cortex XDR eventually protects the endpoints as well as they identify the memory injector as malicious.

Not only this but the WildFire cloud-based threat analysis service also identifies the injector that has been used in this particular attack.

Apart from this, the customers of AutoFocus can easily track the SockDetour activity with the help of the SockDetour tag. Moreover, they also suggested that the server administrators should keep their windows servers always updated.

The operators of SockDetour have managed to convert SockDetour into a shellcode by using the Donut framework open-source shellcode generator.

That’s why it’s important for the administrators to keep their windows servers always updated. As this kind of attack creates a lot of problems and damages, it’s very important to stay alerted from this kind of attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Leave a Reply