RESEARCH: Who is SocGholish?

SocGholish is a sophisticated malware family that has been active since at least April 2018. It is primarily known for its drive-by-download method, masquerading as software updates to trick users into executing malicious JavaScript payloads. This malware is often associated with the threat actor group TA569, which is considered an Initial Access Broker (IAB). The importance of understanding SocGholish lies in its widespread impact across various industry verticals and its role in facilitating further malicious activities, including ransomware attacks.

The research involved reviewing multiple sources to gather comprehensive information on SocGholish, including its tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and any available Yara rules. The sources consulted include detailed reports from Proofpoint, Red Canary, and other cybersecurity firms.

Assessment Rating

Rating: HIGH

The assessment rating for SocGholish is HIGH due to its sophisticated methods of infection, widespread impact, and its role as an Initial Access Broker. The malware's ability to evade detection through various obfuscation techniques and its use in delivering secondary payloads, including ransomware, pose significant threats to organizations.

Findings

  1. Infection Methodology: SocGholish primarily uses drive-by-downloads masquerading as software updates to trick users into executing malicious JavaScript payloads. The infection chain often begins with a user visiting a compromised website.
  2. Tactics, Techniques, and Procedures (TTPs): SocGholish employs various TTPs, including the use of Traffic Distribution Systems (TDS) to direct victims through attacker-controlled infrastructure, and obfuscation techniques such as base64 encoding and string padding.
  3. Secondary Payloads: SocGholish often serves as a precursor to other malware, including remote access trojans (RATs) like NetSupport, and ransomware families such as LockBit and WastedLocker.
  4. Indicators of Compromise (IoCs): Multiple IoCs were identified, including specific domains, IP addresses, and file hashes associated with SocGholish's command and control (C2) infrastructure.
  5. Persistence and Evasion: SocGholish uses techniques like "strobing" to reinfect websites that have undergone remediation, making it challenging for incident response teams to detect and remove the malware.

Indicators of Compromise

  1. Domains:

  2. IPs:

  3. File Hashes:

    • NetSupport .exe: 8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64
    • NetSupport .iso: c1dadb7ed2a9ba97bd440dcfc18519da5887f473d9f635a0975d742fa3f80ee6
    • SolarMarker: 18aeff0a97dfd33b6f0664f43ecafd18511af559002072f680a4e5929a9c7e4f
    • Redline Stealer: 52b43d0f11bca924e2ef8d7863309c337910f6a542bf990446b8cd3f87b0800e

Yara Rules

  1. Yara Rule 1:

    rule SocGholish_JS {
        meta:
            description = "Detects SocGholish JavaScript payload"
        strings:
            $a = "function updateBrowser()"          // fake "update" lure routine
            $b = "document.createElement('script')"  // dynamic script injection
            $c = "window.location.href"              // redirect to the next stage
        condition:
            all of them   // require every marker to keep false positives low
    }

  2. Yara Rule 2:

    rule SocGholish_ZIP {
        meta:
            description = "Detects SocGholish ZIP files"
        strings:
            $a = "PK\x03\x04"  // ZIP local file header
            $b = "Update.js"   // name of the script carried inside the archive
        condition:
            $a at 0 and $b     // header must sit at offset 0 of the file
    }


Recommendations, Actions and Next Steps

  1. User Education: Educate users about the risks of downloading and executing software updates from untrusted sources. Regular training sessions should be conducted to raise awareness about phishing and drive-by-download attacks.
  2. Network Monitoring: Implement network monitoring to detect and block traffic to known malicious domains and IP addresses associated with SocGholish. Utilize threat intelligence feeds to stay updated on new IoCs.
  3. Endpoint Protection: Deploy endpoint protection solutions that can detect and block the execution of malicious JavaScript files. Configure these solutions to prevent automatic execution of .js and .jse files.
  4. Regular Audits: Conduct regular security audits of websites and web applications to identify and remediate vulnerabilities that could be exploited for injection attacks.
  5. Incident Response: Develop and maintain an incident response plan that includes procedures for detecting, containing, and eradicating SocGholish infections. Ensure that incident response teams are trained to handle such threats.
  6. File Integrity Monitoring: Implement file integrity monitoring to detect unauthorized changes to critical files and directories. This can help identify the presence of malicious injections on compromised websites.
  7. Patch Management: Ensure that all software and systems are up-to-date with the latest security patches. This reduces the attack surface and mitigates the risk of exploitation by SocGholish and other malware.
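As an added example, not part of the original report, the following Python script supports Recommendation 2: it refangs indicators written in the `[.]` notation used in the IoC section above (the two watchlist entries are taken from that section) and checks constructed proxy log lines against them, treating subdomains of a listed domain as hits while rejecting lookalike names that merely contain the domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Watchlist in the defanged "[.]" notation used in the IoC section of this
# report; the two entries are taken from that list. Extend as needed.
WATCHLIST_DEFANGED = ["soendorg[.]top", "45.10.42[.]26"]

# Constructed proxy log lines (timestamp, client IP, URL); not real traffic.
SAMPLE_LOG = """\
1718000001.123 10.0.0.7 http://cdn.soendorg.top/update/chrome.update.js
1718000002.456 10.0.0.9 https://www.example.org/index.html
1718000003.789 10.0.0.7 http://45.10.42.26/report
1718000004.012 10.0.0.11 https://soendorg.top.lookalike.test/
"""

def refang(indicator: str) -> str:
    """Turn 'a[.]b' into 'a.b' so the value can be compared with live logs."""
    return indicator.replace("[.]", ".").strip().lower()

def split_watchlist(defanged):
    """Separate refanged indicators into IP addresses and domain names."""
    domains, ips = set(), set()
    for ind in map(refang, defanged):
        try:
            ips.add(str(ipaddress.ip_address(ind)))
        except ValueError:
            domains.add(ind)
    return domains, ips

def host_matches(host: str, domains: set, ips: set) -> bool:
    """Hit on a listed IP, a listed domain, or a subdomain of a listed domain.
    Suffix matching on '.' + domain avoids false hits on lookalike names."""
    host = host.lower().rstrip(".")
    return host in ips or any(host == d or host.endswith("." + d) for d in domains)

def find_hits(log_text: str, defanged=WATCHLIST_DEFANGED):
    """Return (client, host) pairs whose requested host is on the watchlist."""
    domains, ips = split_watchlist(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the scan
        host = urlsplit(parts[2]).hostname or ""
        if host_matches(host, domains, ips):
            hits.append((parts[1], host))
    return hits
```

Running `find_hits(SAMPLE_LOG)` flags the two requests from 10.0.0.7 and ignores both the benign site and the lookalike host.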

References and Citations

  1. TA569 Threat Actor Overview: SocGholish & Beyond | Proofpoint
  2. SocGholish - Red Canary Threat Detection Report
  3. Socgholish Malware - Check Point Software Technologies

APPENDIX

MITRE ATT&CK TTPs

  1. T1059.007 - Command and Scripting Interpreter: JavaScript
  2. T1033 - System Owner/User Discovery
  3. T1482 - Domain Trust Discovery

MITRE ATT&CK Mitigations

  1. M1041 - Change Default File Associations
  2. M1021 - Restrict Web-Based Content
  3. M1050 - Exploit Protection

Get questions like this? Does it take chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?

This baseline report was thoughtfully researched and took 5 minutes to create. It's meant to be a rough draft for you to enhance with the unique insights that make you a superstar analyst. We just did the initial grunt work.

Join the waiting list.

(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0