SockDetour: the backdoor impacting U.S. defense contractors
SockDetour is a new backdoor identified by the Unit42 research team and found on U.S. defense contractors’ networks as a backup backdoor to maintain persistence and access.
SockDetour is a customized backdoor acting as a backup backdoor if the main one is removed from the target systems. The analysis by the Unit42 research team shows this piece of malware is hard to detect as it operates based on a fileless and socketless mode. This backdoor was first identified in the TiltedTemple campaign and used with other tools, including memory dump utilities and various web shells.
According to telemetry data from the collected samples, “we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defense contractors,” says Unit 42’s analysts.
Become a certified reverse engineer!
How SockDetour works
SockDetour is a simple 64bits binary file that does not require a listening port with its C2 server to communicate. Instead, it hijacks an existing socket, but before it needs to be injected into the memory via a fileless mode.
To achieve this step, criminals used the Donut framework to generate a shellcode of this binary and inject it into the memory by utilizing the PowerSploit memory injection utility. In detail, hardcoded processes’ IDs were found by security experts during the backdoor analysis, a clear sign that criminals choose in advance the target processes to use along with the shellcode.
After executing in memory, the Microsoft Detours library is leveraged to hijack network sockets, making it hard to detect. By using the DetourAttach() WinCall, a hook is attached to the Winsock accept(), which allows the creation of a malicious proxy to intercept communications.
According to security experts, “with such implementation, SockDetour can operate filelessly and socketlessly in compromised Windows servers and serve as a backup backdoor if the primary backdoor is detected and removed by defenders.”
Figure 1: SockDetour backdoor high-level workflow (source).
As the backdoor is hijacking a legitimate service, it needs to implement a way of grouping legitimate traffic from its C2 server. In detail, it uses eight steps to filter the received packets and validate if it comes from its C2.
The data is received via recv() call with the MSG_PEEK function that will not interfere with the legitimate traffic. This is crucial to not cause any disruption to the service and remain stealthy over a long time.
Figure 2: SockDetour receives data with the MSG_PEEK option and verifies the data (source).
Regarding the features provided by this backdoor, only one is available: DLL plugin loading. The payload is received via the hijacked socket from its C2 server and is expected to be smaller or equal to 5 MB. After that, the payload is decoded and injected into the memory, taking advantage of the TreadProc export function and executed based on a JSON structure presented below.
Figure 3: JSON structure used to load the target DLL.
According to Unit42 analysis, “while plugin DLL samples were not discovered, the above function argument suggests that the plugin also likely communicates via the hijacked socket and encrypts the transaction using the session key.”
Become a certified reverse engineer!
A summary of SockDetour
SockDetour is a kind of backdoor created to bypass detection and remains hidden for a long time. The main purpose of this malware is to maintain access, acting as a backup backdoor if the primary one fails. As it uses a fileless and socketless approach, detecting it on the compromised machine and its communication is really hard.
The usage of host-based monitoring solutions and updated AV/EDR are the best measure to keep away threats of this nature as the vendors are updating their databases continually.
Sources:
- SockDetour analysis, Unit 42
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- SockDetour: the backdoor impacting U.S. defense contractors
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis