An elusive custom backdoor called SockDetour has been seen targeting US-based defense contractors. Researchers claimed that the malware the threat actors used against the contractors had been active for roughly three years.
The SockDetour backdoor is linked with an advanced persistent threat campaign known as TiltedTemple or DEV-0322. Four defense contractors were recently targeted by the backdoor, one of which was compromised.
SockDetour is a fileless Windows backdoor that serves as a backup if security solutions remove the main backdoor.
Experts claimed that the threat actors distributed the backdoor to a US-based defense contractor from an external File Transfer Protocol (FTP) server running on a compromised QNAP NAS device. Threat actors had recently leveraged QLocker ransomware to infect that QNAP NAS server.
The APT group TiltedTemple (DEV-0322) is based in China and widely utilises VPN solutions. The group has run two active campaigns: the first targets consumer routers, and the other uses SockDetour to compromise contractors. Microsoft first observed the threat group in July last year.
The researchers’ examination of one of the command-and-control servers utilised by TiltedTemple threat actors revealed additional tools: web shells and a memory dumper.
Once loaded into a legitimate process’s memory, SockDetour hijacks that process’s existing network sockets to establish an encrypted command-and-control channel. It then loads an unidentified plugin DLL retrieved from the C2 server.
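As an added illustration of the behaviour described above (this is not code from the article, nor from the researchers who analysed SockDetour), the following Python sketches defender-side heuristics for spotting a memory-resident implant that hooks a legitimate process’s socket API in order to reuse that process’s existing listening sockets. The telemetry record layout, field names, process names, addresses and the trampoline byte patterns are assumptions for illustration; in practice an endpoint agent would supply these records.

```python
"""Added example (not from the article or the researchers): heuristics for a
fileless implant that hooks a host process's socket API and piggybacks on
its existing listening sockets. Telemetry layout, names, addresses and byte
patterns below are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MemRegion:
    base: int
    size: int
    protect: str                 # "RX", "RWX", "RW", ...
    backing_file: Optional[str]  # None = not mapped from any file on disk


@dataclass
class ProcessSnapshot:
    pid: int
    image: str
    listening_ports: List[int]
    regions: List[MemRegion]
    # First bytes of selected exported functions, as read from the live
    # process (assumed to be collected by the endpoint agent).
    export_prologues: Dict[str, bytes] = field(default_factory=dict)


# Socket exports an implant must intercept to see traffic arriving on the
# host process's own sockets.
SOCKET_EXPORTS = ("ws2_32.dll!accept", "ws2_32.dll!recv", "ws2_32.dll!WSARecv")

# Instruction prefixes that commonly start an inline (trampoline) hook on
# x86-64: jmp rel32, jmp [rip+disp32], mov rax, imm64 (then jmp rax).
# Heuristic only: some legitimate security products hook the same way.
HOOK_PREFIXES = (b"\xe9", b"\xff\x25", b"\x48\xb8")


def hooked_socket_exports(snap: ProcessSnapshot) -> List[str]:
    """Return socket exports whose first instruction looks like a trampoline."""
    hooked = []
    for name in SOCKET_EXPORTS:
        prologue = snap.export_prologues.get(name, b"")
        if prologue.startswith(HOOK_PREFIXES):
            hooked.append(name)
    return hooked


def unbacked_executable_regions(snap: ProcessSnapshot) -> List[MemRegion]:
    """Executable memory not backed by any file on disk, typical of a
    fileless payload mapped straight into the process."""
    return [r for r in snap.regions
            if "X" in r.protect and r.backing_file is None]


def assess(snap: ProcessSnapshot) -> Dict[str, object]:
    """Combine the indicators into one verdict per process.

    'suspect' needs both a hooked socket export and an existing listening
    socket to hijack; a hook or a fileless executable region alone is only
    'review', since JIT runtimes and security tooling produce those too."""
    hooks = hooked_socket_exports(snap)
    unbacked = unbacked_executable_regions(snap)
    if hooks and snap.listening_ports:
        verdict = "suspect"
    elif hooks or unbacked:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "pid": snap.pid,
        "image": snap.image,
        "verdict": verdict,
        "hooked_exports": hooks,
        "unbacked_exec_regions": [(hex(r.base), r.size) for r in unbacked],
        "listening_ports": snap.listening_ports,
    }


# Constructed sample telemetry (not real captures). The "normal" prologue is
# a plausible register-spill start of a Windows API function; the "hooked"
# one has its first five bytes overwritten with a jmp rel32.
NORMAL_PROLOGUE = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10"
HOOKED_PROLOGUE = b"\xe9\x3b\x1f\x00\x00\x48\x89\x74\x24\x10"

IMAGE = r"C:\Windows\System32\inetsrv\w3wp.exe"   # hypothetical host process

CLEAN_PROCESS = ProcessSnapshot(
    pid=4120, image=IMAGE, listening_ports=[80, 443],
    regions=[MemRegion(0x7FF6A0000000, 0x3000, "RX", IMAGE)],
    export_prologues={n: NORMAL_PROLOGUE for n in SOCKET_EXPORTS},
)

SUSPECT_PROCESS = ProcessSnapshot(
    pid=4132, image=IMAGE,
    listening_ports=[80, 443],   # no new port: the existing sockets are reused
    regions=[MemRegion(0x7FF6A0000000, 0x3000, "RX", IMAGE),
             MemRegion(0x1D2B4C30000, 0x21000, "RWX", None)],  # fileless payload
    export_prologues={"ws2_32.dll!accept": HOOKED_PROLOGUE,
                      "ws2_32.dll!recv": NORMAL_PROLOGUE,
                      "ws2_32.dll!WSARecv": NORMAL_PROLOGUE},
)

if __name__ == "__main__":
    for snapshot in (CLEAN_PROCESS, SUSPECT_PROCESS):
        print(assess(snapshot))
```

The verdict deliberately requires two independent signals before calling a process suspect: a patched socket export on its own is a weak indicator because endpoint security products hook the same functions, whereas a hook combined with a process that already holds listening sockets matches the socket-reuse pattern the article describes, and the fileless RWX region strengthens the case further.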
The SockDetour backdoor has operated undetected for more than two years. Researchers consider the threat particularly dangerous because its operators have stayed under the radar for so long.
Experts recommend leveraging threat analysis insights and staying current with patches for better protection against such threats. They also advise defenders to apply the published indicators and detection guidance to check their networks for the presence of SockDetour.