A stealthy custom backdoor has been targeting U.S.-based defense contractors. The malware, dubbed SockDetour, is believed to be active since July 2019.

The SockDetour backdoor

The backdoor is associated with an APT campaign named TiltedTemple (aka DEV-0322). Recently, four defense contractors were targeted and one was compromised.
  • SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. 
  • It was spread using an external FTP server from a compromised QNAP to a U.S.-based defense contractor.
  • According to researchers, the QNAP NAS server was earlier infected with QLocker ransomware.

Who is DEV-0322?

DEV-0322 is an APT group based in China that is known for using commercial VPN solutions and targeting consumer routers in previous attacks. Moreover, Microsoft first spotted the threat group in July 2021.

Additional insights

  • The analysis of one of the C2 servers used by TiltedTemple operators disclosed the existence of additional miscellaneous tools, such as various webshells and a memory dumping tool.
  • Once injected inside the process’s memory, it hijacks genuine processes’ network sockets to make an encrypted C2 channel. Further, it loads an unknown plugin DLL file obtained from the server.

Concluding notes

The SockDetour backdoor has been active for more than two years and, for most of this period, it stayed under the radar. For better protection, experts recommend leveraging threat analysis insights and always staying up-to-date with patches. Further, the researchers provided a YARA rule to detect the presence of SockDetour in a network.

Cyware Publisher