Fileless Malware SockDetour Remain stealthily on Compromised Windows servers

The cybersecurity researchers of Unit 42 have tracked an APT campaign and in that, they have noted a tool named SockDetour. 

It is a backup backdoor, and the threat actors have been using this tool since 2019. While this malware has specifically targeted U.S.-based defense contractors.

However, the main motive of the operators is to negotiate the windows hosts as a secondary implant. This backdoor has been designed to remain stealthily in compromised windows servers. In short, this backdoor serves as a backup in case the primary one fails.

Connection with China

The APT campaign that has been detected by the experts of Unit 42 is Tilted temple, which has been using the SocketDetour backdoor tool.

Moreover, this campaign has previously been linked to attacks that are exploiting several vulnerabilities in Zoho products, which also include:- 

  • ManageEngine ADSelfservice Plus – CVE-2021-40539
  • ServiceDesk Plus – CVE-2021-44077

But in the month of November, the security experts of Unit 42 has suspected that the TiltedTemple campaign might have been working with a Chinese-sponsored threat group. 

However, till now there is no specific information regarding this, but the analysts have tracked the threat group as APT27. And they are trying their best to find all the possible information about the attack.

Campaigns Throughout 2021

After a proper investigation, it has been found that the TiltedTemple attacks focused on Zoho vulnerabilities, and in the whole world total of three different campaign has been initiated in the year 2021, and here we have mentioned below:-

  • An ADSelfService zero-day exploit between early August and mid-September.
  • An n-day AdSelfService exploit until late October.
  • A ServiceDesk one starting with October 25.

Protections

However, there are some protection as well as mitigation that has been mentioned by the analysts of Unit 42. As they have asserted that the Cortex XDR eventually protects the endpoints as well as they identify the memory injector as malicious.

Not only this but the WildFire cloud-based threat analysis service also identifies the injector that has been used in this particular attack.

Apart from this, the customers of AutoFocus can easily track the SockDetour activity with the help of the SockDetour tag. Moreover, they also suggested that the server administrators should keep their windows servers always updated.

The operators of SockDetour have managed to convert SockDetour into a shellcode by using the Donut framework open-source shellcode generator.

That’s why it’s important for the administrators to keep their windows servers always updated. As this kind of attack creates a lot of problems and damages, it’s very important to stay alerted from this kind of attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing over…

1 hour ago

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

12 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

12 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

12 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

12 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

16 hours ago