Threat researchers investigating an APT campaign have uncovered evidence of a stealthy custom backdoor, believed to have been in use since 2019. The tool uses legitimate Windows monitoring techniques to hijack open ports belonging to existing network services. This avoids having to create new listeners that can tip off defenders.
Before being implanted, the tool was hosted via FTP on a QNAP NAS, likely compromised using CVE-2021-28799. Other hacking tools were also found on the server.
The backdoor is injected into the memory of a running process without touching the disk, and it communicates over an existing TCP socket rather than opening any new network connection.
During incident response, if memory dumps are available, investigators can scan them for signs of the backdoor using a provided YARA signature.
Indicators of Compromise
PowerSploit Memory Injectors Delivering SockDetour
Public Key Embedded in SockDetour
-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNXcYoEi3Z4PhZkH3mar20EONVyXWP/YUxyUmxD+aTOVp3NB+XYOO9LqQEAWgyGndXyyuDssLWTb7z54n8iDu2pqiAEvJ6h18iwf0EwZ1BzPBDS1Kw+JE4tYIR860rD1DBul0u6OURqMPb5eZT1bQIDAQAB-----END PUBLIC KEY-----
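As an added example (not from the researchers' report, and not the YARA signature mentioned above, which this page does not reproduce), the Python scanner below hunts a raw memory dump for the public key listed above in both its PEM text form and its decoded DER form, reading in chunks with an overlap so a hit that straddles a chunk boundary is not missed. The sample memory image it scans is constructed inline.

```python
import base64
import io
import re

# Base64 body of the PEM public key listed on this page as embedded in SockDetour.
SOCKDETOUR_PUBKEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNXcYoEi3Z4"
    "PhZkH3mar20EONVyXWP/YUxyUmxD+aTOVp3NB+XYOO9LqQEAWgyGndXyyuDssLWTb7z54n8i"
    "Du2pqiAEvJ6h18iwf0EwZ1BzPBDS1Kw+JE4tYIR860rD1DBul0u6OURqMPb5eZT1bQIDAQAB"
)
# Longer than any possible match (DER is 162 bytes, a 64-column PEM body at most
# 216 + 6 line-break bytes), so a hit crossing a chunk boundary is never missed.
OVERLAP = len(SOCKDETOUR_PUBKEY_B64) + 16

def indicator_patterns():
    """The key may sit in memory as PEM text (possibly wrapped at 64 columns)
    or already decoded to DER; search for both forms."""
    b64 = SOCKDETOUR_PUBKEY_B64.encode()
    lines = [re.escape(b64[i:i + 64]) for i in range(0, len(b64), 64)]
    return {"pem-base64": re.compile(rb"[\r\n]{0,2}".join(lines)),
            "der": re.compile(re.escape(base64.b64decode(b64)))}

def scan_stream(f, chunk_size=4 * 1024 * 1024):
    """Scan a raw memory image (open file or BytesIO) chunk by chunk;
    return sorted (pattern name, absolute offset) hits."""
    pats, hits, base, tail = indicator_patterns(), set(), 0, b""
    while data := f.read(chunk_size):
        window, window_base = tail + data, base - len(tail)
        for name, pat in pats.items():
            for m in pat.finditer(window):  # the set drops overlap re-hits
                hits.add((name, window_base + m.start()))
        base += len(data)
        tail = window[-OVERLAP:]
    return sorted(hits, key=lambda h: h[1])

def build_sample_image():
    """Constructed fake memory image (not a real dump): zero filler, the key as
    64-column PEM text, more filler, the DER key. Returns (image, expected hits)."""
    b64 = SOCKDETOUR_PUBKEY_B64.encode()
    body = b"".join(b64[i:i + 64] + b"\n" for i in range(0, len(b64), 64))
    hdr, ftr = b"-----BEGIN PUBLIC KEY-----\n", b"-----END PUBLIC KEY-----\n"
    pem, filler = hdr + body + ftr, b"\x00" * 1000
    image = filler + pem + filler + base64.b64decode(b64) + filler
    return image, [("pem-base64", len(filler) + len(hdr)),
                   ("der", 2 * len(filler) + len(pem))]

def demo(chunk_size=1100):
    """Scan the sample image; the default chunk size splits the PEM text across
    two chunks so the overlap logic is exercised. Returns (hits, expected)."""
    image, expected = build_sample_image()
    return scan_stream(io.BytesIO(image), chunk_size), expected
```

Point `scan_stream` at an opened raw dump file to run it against real evidence; a hit only locates the embedded key, so confirm it in context with the researchers' YARA signature before drawing conclusions.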
The backdoor was used against US defence contractors. Some of the TTPs of the TiltedTemple campaign were associated with APT27, aka Emissary Panda, but the researchers stopped short of formal attribution.