
A custom malware named SockDetour was recently found on U.S. defense contractors' machines. It operates filelessly and socketlessly on infected Windows servers by hijacking existing network connections rather than opening its own listening socket, which makes it harder to detect. SockDetour has been used as a backup backdoor to maintain access to compromised networks. The connection hijack is accomplished with a legitimate copy of the Microsoft Detours library, a package normally used for Windows API call monitoring and instrumentation. SockDetour may be linked to a malicious activity cluster that is possibly the work of a Chinese state-sponsored group known as APT27.

Are you a US Defense contractor or sub-contractor? Schedule a Cyber Health Checkup today to discuss how your organization can protect valuable data.