SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated byMustard Tempest and its access has been sold to groups includingIndrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]
Associated Software Descriptions
| Name | Description |
|---|---|
| FakeUpdates |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .007 | Command and Scripting Interpreter:JavaScript | TheSocGholish payload is executed as JavaScript.[2][1][3][4] |
| Enterprise | T1074 | .001 | Data Staged:Local Data Staging | SocGholish can send output from |
| Enterprise | T1482 | Domain Trust Discovery | SocGholish can profile compromised systems to identify domain trust relationships.[2][3] | |
| Enterprise | T1189 | Drive-by Compromise | SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates.[2] | |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol:Exfiltration Over Unencrypted Non-C2 Protocol | SocGholish can exfiltrate data directly to its C2 domain via HTTP.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | SocGholish can download additional malware to infected hosts.[3][4] | |
| Enterprise | T1036 | .005 | Masquerading:Match Legitimate Resource Name or Location | SocGholish has been named |
| Enterprise | T1027 | .013 | Obfuscated Files or Information:Encrypted/Encoded File | SocGholish has single or double Base-64 encoded references to its second-stage server URLs.[1] |
| .015 | Obfuscated Files or Information:Compression | TheSocGholish JavaScript payload has been delivered within a compressed ZIP archive.[3][4] | ||
| Enterprise | T1566 | .002 | Phishing:Spearphishing Link | SocGholish has been spread via emails containing malicious links.[2] |
| Enterprise | T1057 | Process Discovery | SocGholish can list processes on targeted hosts.[4] | |
| Enterprise | T1518 | Software Discovery | SocGholish can identify the victim's browser in order to serve the correct fake update page.[4] | |
| Enterprise | T1082 | System Information Discovery | SocGholish has the ability to enumerate system information including the victim computer name.[2][3][4] | |
| Enterprise | T1614 | System Location Discovery | SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.[4] | |
| Enterprise | T1016 | System Network Configuration Discovery | SocGholish has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain.[2][3][4] | |
| Enterprise | T1033 | System Owner/User Discovery | SocGholish can use | |
| Enterprise | T1204 | .001 | User Execution:Malicious Link | SocGholish has lured victims into interacting with malicious links on compromised websites for execution.[2] |
| Enterprise | T1102 | Web Service | SocGholish has used Amazon Web Services to host second-stage servers.[1] | |
| Enterprise | T1047 | Windows Management Instrumentation | SocGholish has used WMI calls for script execution and system profiling.[2] | |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1020 | Mustard Tempest |
References
- Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
- Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
- Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.