| SocGholish | |
| --- | --- |
| Additional names | FakeUpdates |
| Type of malware | Loader |
| Date of initial activity | 2017 |
| Country of origin | Russia |
| Targeted countries | Poland |
| Associated groups | Mustard Tempest (GOLD PRELUDE), Indrik Spider, UNC1543, TA569, Evil Corp |
| Motivation | Financial gain |
| Attack vectors | SocGholish uses social engineering to infect systems: it tricks users into running a malicious JavaScript payload that masquerades as a system or software update, such as a critical browser update. SocGholish operators have also infected legitimate websites by injecting a drive-by-download mechanism that triggers the download of the payload through a second-stage server. |
| Targeted system | Windows |
| Tools | GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult. |
Overview
SocGholish is a JavaScript-based loader malware that has been active since at least 2017. It has been observed targeting multiple sectors globally for initial access, primarily through drive-by-downloads that masquerade as software updates.
SocGholish is operated by Mustard Tempest, and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads such as CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT. SocGholish has been heavily used by UNC1543, a financially motivated group.
Since mid-2022, SocGholish operators have significantly diversified and expanded their infrastructure for staging malware with new servers. This helps the operators counter defensive operations against known servers and scale up their operations.
SocGholish operators have been introducing an average of 18 new malware-staging servers per month, with varying server uptimes. This marks an increase of 334% compared to the same average calculated over the first half of 2022. The majority of the new servers have been located in Europe, with the Netherlands, the United Kingdom, and France at the top of the list.
Targets
Multiple sectors globally.
How they operate
SocGholish, operated by the threat actor group TA569, combines social engineering with a carefully engineered delivery chain, which makes it a persistent challenge for defenders. Delivery typically begins with phishing emails containing links to legitimate websites that have been compromised. Malicious JavaScript has been injected into these websites and executes when the victim loads the page.
Upon loading, the JavaScript performs initial eligibility checks on the victim’s system, ensuring it meets specific criteria such as being a Windows host and originating from an external source. If these conditions are met, SocGholish proceeds to present the victim with a prompt disguised as a legitimate browser update or similar software download. This tactic leverages trust and familiarity to coax the victim into downloading and executing the malicious payload.
Once executed, SocGholish enters a multi-stage attack chain. It begins with reconnaissance using Windows Management Instrumentation (WMI) calls to gather detailed information about the victim’s system, including domain trusts, usernames, and computer names. This reconnaissance phase is crucial for TA569 as it allows them to assess the potential value of the compromised system and tailor subsequent actions accordingly.
SocGholish is built to evade detection and analysis: its JavaScript code is obfuscated, which slows incident responders' efforts to analyze its behavior. TA569's careful campaign management not only enhances the malware's effectiveness but also prolongs its operational lifespan by keeping it under the radar of security defenses.
In terms of impact, SocGholish has been observed targeting users across multiple countries, including Poland, Italy, France, Iran, Spain, Germany, the United Kingdom, and the United States. This widespread geographic targeting underscores the global reach and ambition of TA569, who likely monetize their access through subsequent malware deployments like ransomware or remote access trojans (RATs).
MITRE tactics and techniques
T1566.001 – Phishing: Spearphishing Link: SocGholish is often delivered through phishing emails containing links to compromised websites where malicious JavaScript is injected.
T1059.007 – Command and Scripting Interpreter: JScript Execution via wscript: SocGholish uses JScript executed via Windows Script Host (wscript) to gather local computer information.
T1033 – System Owner/User Discovery: SocGholish identifies the current user context and privileges on the compromised system, often using commands like whoami.
T1482 – Domain Trust Discovery: SocGholish discovers domain trusts within the compromised network environment, typically through tools like nltest.
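The behaviour described in the "How they operate" section and in the technique list above (a fake-update .js run by the Windows script host, followed by whoami and nltest spawned from that script host) translates directly into process-lineage detection logic. The following is an added example, not code from the original profile: it runs a few constructed Sysmon-style process-creation records through two simple rules. The parent/child matching by image name, the staging directories and the discovery-tool list are assumptions for illustration; real telemetry should correlate on process IDs.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry):
# each record is one child process with its parent image and command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update.a1b2.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: an admin logon script
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon_inventory.vbs"'},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DISCOVERY_TOOLS = {"whoami.exe", "nltest.exe", "net.exe", "systeminfo.exe"}
# Assumed staging locations: where a browser download or drive-by lure lands.
USER_WRITABLE = re.compile(r"\\(downloads|temp)\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def tokens(cmdline):
    # Split a Windows command line on whitespace, keeping quoted arguments whole.
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def classify(event):
    """Return the names of the SocGholish-style behaviours this event matches."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    if image in SCRIPT_HOSTS:
        # T1059.007: wscript/cscript running a .js/.jse file from a download location.
        scripts = [t for t in tokens(event["cmdline"]) if t.lower().endswith((".js", ".jse"))]
        if any(USER_WRITABLE.search(s) for s in scripts):
            hits.append("script_host_runs_js_from_user_writable_dir")
            if parent in BROWSERS:  # the "browser update" lure launched from the browser itself
                hits.append("browser_spawned_script_host")
    if parent in SCRIPT_HOSTS and image in DISCOVERY_TOOLS:
        # T1033 / T1482: the script host enumerating the user and domain trusts.
        hits.append("script_host_spawned_discovery_tool")
    return hits

def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]
```

The benign logon script in the last record produces no hit, which is the point of anchoring on file location and lineage rather than on wscript.exe alone.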
Significant Malware Campaigns
Some of the notable incidents involving SocGholish include:
- WastedLocker Ransomware Attacks: TA569 has been linked to deploying WastedLocker ransomware following initial access gained through SocGholish. This ransomware variant is known for its targeted attacks on high-profile organizations, encrypting critical data and demanding substantial ransom payments for decryption.
- Hive Ransomware Campaigns: Similar to WastedLocker, Hive ransomware has been observed in attacks attributed to TA569. It operates with a focus on encryption and extortion, exploiting vulnerabilities and gaining access through SocGholish-infected systems.
- LockBit Ransomware Deployments: TA569 has also been involved in deploying LockBit ransomware, another variant used in targeted ransomware attacks. LockBit is known for its aggressive encryption methods and demands for ransom payments, often causing significant disruptions to victim organizations.