The company said Thursday that SockDetour functions as a backup backdoor, used if the primary backdoor is removed, and is hard to detect because it “operates filelessly and socketlessly on compromised Windows servers.”
Four defense vendors were targeted by the malware and at least one entity has been compromised, according to evidence collected by Palo Alto Networks’ Unit 42.
According to Unit 42, the SockDetour-related attacks were part of the TiltedTemple advanced persistent threat campaign that compromised and carried out reconnaissance operations against organizations across defense, finance, technology, education, energy and health care industries, including infrastructure linked to five U.S. states.
The company said SockDetour is believed to have been active since July 2019 and to have gone undetected since then: the unit found no additional samples of the custom backdoor in public repositories.
“We found SockDetour hosted on infrastructure associated with TiltedTemple, though we have not yet determined whether this is the work of a single threat actor or several,” the report reads.