Home / About / Threat Intelligence / New Chinese Malware, SockDetour

Overview

Threat researchers investigating an APT campaign have uncovered evidence of a stealthy custom backdoor, believed to have been in use since 2019. The tool uses legitimate Windows monitoring techniques to hijack open ports belonging to existing network services. This avoids having to create new listeners that can tip off defenders.

Before being implanted, the tool was hosted via FTP on a QNAP NAS, likely compromised using CVE-2021-28799. Other hacking tools were also found on the server.

Impact

The backdoor is injected into the memory of an running process without touching the disk and makes network connections using an existing TCP socket without creating any new network connections.

Vulnerability Detection

During incident response, if memory dumps are available, investigators can scan memory dump for signs of the backdoor using a provided YARA signature.

Indicators of Compromise

SockDetour PE
0b2b9a2ac4bff81847b332af18a8e0705075166a137ab248e4d9b5cbd8b960df

PowerSploit Memory Injectors Delivering SockDetour
80ed7984a42570d94cd1b6dcd89f95e3175a5c4247ac245c817928dd07fc9540
bee2fe0647d0ec9f2f0aa5f784b122aaeba0cddb39b08e3ea19dd4cdb90e53f9
a5b9ac1d0350341764f877f5c4249151981200df0769a38386f6b7c8ca6f9c7a
607a2ce7dc2252e9e582e757bbfa2f18e3f3864cb4267cd07129f4b9a241300b
11b2b719d6bffae3ab1e0f8191d70aa1bade7f599aeadb7358f722458a21b530
cd28c7a63f91a20ec4045cf40ff0f93b336565bd504c9534be857e971b4e80ee
ebe926f37e7188a6f0cc85744376cdc672e495607f85ba3cbee6980049951889
3ea2bf2a6b039071b890f03b5987d9135fe4c036fb77f477f1820c34b341644e
7e9cf2a2dd3edac92175a3eb1355c0f5f05f47b7798e206b470637c5303ac79f
bb48438e2ed47ab692d1754305df664cda6c518754ef9a58fb5fa8545f5bfb9b

Public Key Embedded in SocketDetour
—–BEGIN PUBLIC KEY—–MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNXcYoEi3Z4PhZkH3mar20EONVyXWP/YUxyUmxD+aTOVp3NB+XYOO9LqQEAWgyGndXyyuDssLWTb7z54n8iDu2pqiAEvJ6h18iwf0EwZ1BzPBDS1Kw+JE4tYIR860rD1DBul0u6OURqMPb5eZT1bQIDAQAB—–END PUBLIC KEY—–

Threat Landscape

This was targeted at US defence contractors. Some of the TTPs of the TiltedTemple campaign were associated with APT27 aka Emissary Panda but the researchers stopped short of formal attribution.

Mitre Methodologies

T1205 Traffic Signaling
T1572 Protocol Tunneling
T1573 Encrypted Channel

Further Information

SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors