
SockDetour Malware

A fileless and socketless backdoor has been used to give attackers persistent access to computers they had already compromised. The threat is tracked as the SockDetour malware, and details of its operation were published in a report by Palo Alto Networks' Unit 42. 

According to their findings, SockDetour had gone unnoticed by the security community since at least 2019. Its main purpose is to act as a secondary backdoor channel, so that the attackers keep a foothold on the targeted machines even if their primary backdoor is found and removed. The threat is extremely stealthy: it loads itself filelessly into legitimate service processes and hijacks the network sockets those processes already own to carry its encrypted Command-and-Control (C2, C&C) channel. Because it writes nothing to disk and opens no socket of its own, it leaves neither a new file nor a new listening port for defenders to notice.
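The following is an added illustration, not code from the page or from the implant itself, of the socket-sharing design the paragraph describes: a single connection path belonging to a legitimate service is interposed, the first bytes of each new connection are inspected, and connections carrying a marker are diverted to a covert handler while everything else reaches the real service unchanged. The marker value, the handler bodies and the use of an AF_UNIX socketpair in place of a real accept() loop are all assumptions made for this example so that it runs offline.

```python
import socket
import threading

# Constructed marker for this illustration only; the selector the real
# implant uses is not described on the page and is not reproduced here.
MAGIC = b"\x7fHIDE"


def legitimate_handler(conn, data):
    """Stand-in for the hosting service: echo what the client sent."""
    conn.sendall(b"SERVICE:" + data)


def covert_handler(conn, data):
    """Stand-in for the backdoor's command loop: acknowledge the payload."""
    conn.sendall(b"C2:" + data)


def dispatch(conn):
    """Route one accepted connection.

    Plays the role of the interposed accept() path: the first bytes decide
    whether the connection belongs to the backdoor or to the service. The
    legitimate handler receives the unmodified data, so ordinary clients see
    no difference. Returns which path handled the connection.
    """
    data = conn.recv(256)
    if data.startswith(MAGIC):
        covert_handler(conn, data[len(MAGIC):])
        return "covert"
    legitimate_handler(conn, data)
    return "legit"


def exchange(payload):
    """Simulate one client connection over an AF_UNIX socketpair.

    No network listener is created; the server end is handled in a thread
    exactly as an accepted TCP connection would be. Returns (route, reply).
    """
    server_end, client_end = socket.socketpair()
    result = {}

    def serve():
        result["route"] = dispatch(server_end)
        server_end.close()

    worker = threading.Thread(target=serve)
    worker.start()
    client_end.sendall(payload)
    reply = client_end.recv(256)
    worker.join()
    client_end.close()
    return result["route"], reply


if __name__ == "__main__":
    # Constructed sample traffic: one ordinary request, one marked request.
    print(exchange(b"GET / HTTP/1.0\r\n\r\n"))
    print(exchange(MAGIC + b"whoami"))
```

Both connections arrive on the same socket owned by the same process, which is the point: a port scan, a netstat listing or a file-integrity check shows nothing new, so detection has to look at the memory of the hosting process or at what is being exchanged over a port that is expected to be busy anyway.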

Attribution and Targets

The researchers at Unit 42 believe that SockDetour belongs to the toolset of an APT (Advanced Persistent Threat) group known as APT27, whose activity they track under the name TiltedTemple. The group is known for earlier operations against companies and agencies in the defense, aerospace, government, energy, technology and manufacturing sectors. The apparent goal of these operations is cyber espionage. 

The targets infected with SockDetour fit that established profile. So far, the malware has been identified inside the network of one U.S.-based defense contractor, and three others are believed to have been targeted by the same attackers. 
