Monday, July 15, 2024

Fileless Malware SockDetour Remain stealthily on Compromised Windows servers

The cybersecurity researchers of Unit 42 have tracked an APT campaign and in that, they have noted a tool named SockDetour. 

It is a backup backdoor, and the threat actors have been using this tool since 2019. While this malware has specifically targeted U.S.-based defense contractors.

However, the main motive of the operators is to negotiate the windows hosts as a secondary implant. This backdoor has been designed to remain stealthily in compromised windows servers. In short, this backdoor serves as a backup in case the primary one fails.

Connection with China

The APT campaign that has been detected by the experts of Unit 42 is Tilted temple, which has been using the SocketDetour backdoor tool.

Moreover, this campaign has previously been linked to attacks that are exploiting several vulnerabilities in Zoho products, which also include:- 

  • ManageEngine ADSelfservice Plus – CVE-2021-40539
  • ServiceDesk Plus – CVE-2021-44077

But in the month of November, the security experts of Unit 42 has suspected that the TiltedTemple campaign might have been working with a Chinese-sponsored threat group. 

However, till now there is no specific information regarding this, but the analysts have tracked the threat group as APT27. And they are trying their best to find all the possible information about the attack.

Campaigns Throughout 2021

After a proper investigation, it has been found that the TiltedTemple attacks focused on Zoho vulnerabilities, and in the whole world total of three different campaign has been initiated in the year 2021, and here we have mentioned below:-

  • An ADSelfService zero-day exploit between early August and mid-September.
  • An n-day AdSelfService exploit until late October.
  • A ServiceDesk one starting with October 25. 


However, there are some protection as well as mitigation that has been mentioned by the analysts of Unit 42. As they have asserted that the Cortex XDR eventually protects the endpoints as well as they identify the memory injector as malicious.

Not only this but the WildFire cloud-based threat analysis service also identifies the injector that has been used in this particular attack.

Apart from this, the customers of AutoFocus can easily track the SockDetour activity with the help of the SockDetour tag. Moreover, they also suggested that the server administrators should keep their windows servers always updated.

The operators of SockDetour have managed to convert SockDetour into a shellcode by using the Donut framework open-source shellcode generator.

That’s why it’s important for the administrators to keep their windows servers always updated. As this kind of attack creates a lot of problems and damages, it’s very important to stay alerted from this kind of attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles