I. Targeted Entities
- Fortune 500 Companies
- Government Agencies
II. Introduction
According to The Multi-State Information Sharing and Analysis Center’s (MS-ISAC) monitoring services, SocGholish has retained its position as the most prevalent malware in Q3 2024, accounting for 42% of observed infections. SocGholish is a JavaScript-based downloader that spreads primarily through malicious or compromised websites that present fake browser update prompts to users. Once deployed, SocGholish infections can facilitate further exploitation by delivering additional malicious payloads.
III. Additional Background Information
SocGholish, also known as “FakeUpdates,” has emerged as the leading malware in Q3 2024. This malware has been active since 2018 and operates as a JavaScript-based downloader that exploits drive-by-download techniques to gain initial access. SocGholish primarily spreads through compromised websites, which present fake browser or software update prompts to unsuspecting users. When users download and run the updates, they execute a malicious payload that establishes communication with SocGholish’s command-and-control (C2) infrastructure.
The malware typically delivers its payload via direct download of JavaScript files or, less frequently, within obfuscated ZIP archives to evade detection. The attackers have continued to adapt, using techniques such as homoglyphs in filenames to bypass string-based detection methods. Once deployed, SocGholish conducts reconnaissance on infected systems, identifying users, endpoints, and potentially critical assets such as Active Directory domains. In about 10% of cases, the malware escalates to delivering second-stage payloads, including remote access tools (RATs) like Mythic, replacing previously popular choices like NetSupport.
SocGholish serves as an initial access broker, facilitating further exploitation by delivering additional malware, including ransomware variants such as LockBit and WastedLocker. Its activities are often precursors to larger attacks, making it a critical threat to monitor. Infections may involve domain trust enumeration and script-based data exfiltration, primarily executed in memory, complicating detection efforts. Organizations are advised to implement preventive measures, such as disabling automatic JavaScript execution, monitoring for unusual script activity, and swiftly isolating infected hosts to mitigate the impact of potential intrusions.
IV. MITRE ATT&CK
- T1059.007 – Command and Scripting Interpreter: JavaScript
  The SocGholish payload is executed as JavaScript, which helps it bypass detections focused on executable files.
- T1074.001 – Data Staged: Local Data Staging
  Sends the output of whoami to a local temp file (e.g., rad<5-hex-chars>.tmp) for staging prior to exfiltration.
- T1482 – Domain Trust Discovery
  Profiles compromised systems to identify domain trust relationships for lateral movement.
- T1189 – Drive-by Compromise
  Distributed through compromised websites with fake update prompts, using drive-by-download techniques.
- T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  Exfiltrates data via HTTP directly to the C2 domain rather than over an encrypted channel.
- T1105 – Ingress Tool Transfer
  Downloads additional malware to infected hosts to deepen compromise and persistence.
- T1036.005 – Masquerading: Match Legitimate Name or Location
  Disguises itself as legitimate files such as AutoUpdater.js to mimic real software updates.
- T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File
  Uses ZIP compression and Base64 encoding to obfuscate JavaScript payloads and URLs.
- T1566.002 – Phishing: Spearphishing Link
  Distributed via spear-phishing emails with links leading to compromised websites.
- T1057 – Process Discovery
  Lists processes on targeted hosts to understand the environment.
- T1518 – Software Discovery
  Identifies the victim’s browser to deliver the appropriate fake update page.
- T1082 – System Information Discovery
  Collects system details, such as the computer name, for context-specific targeting.
- T1614 – System Location Discovery
  Uses IP-based geolocation to focus infections on North America, Europe, and parts of the Asia-Pacific region.
- T1016 – System Network Configuration Discovery
  Enumerates the domain name and Active Directory membership for potential privilege escalation.
- T1033 – System Owner/User Discovery
  Uses whoami to obtain username information from compromised hosts.
- T1204.001 – User Execution: Malicious Link
  Lures users into interacting with malicious links on compromised websites, triggering the malware.
- T1102 – Web Service
  Uses Amazon Web Services to host second-stage servers, leveraging legitimate infrastructure.
- T1047 – Windows Management Instrumentation (WMI)
  Employs WMI for script execution and system profiling to gather information stealthily.
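The techniques above describe a recognizable host-level chain: a Windows script host running an update-themed .js file, which then spawns whoami or nltest and stages the output to a rad<5-hex-chars>.tmp file, sometimes with homoglyphs in the filename to defeat naive string matching. The following is an added example (not code from the advisory or from any referenced vendor) of detection logic over constructed process-creation events that ties those behaviors together; the event format, the confusables map, and the lure keyword list are assumptions chosen for illustration.

```python
import re
import unicodedata

# Constructed Sysmon-style process-creation events (not real telemetry).
# Event 1 uses a Cyrillic 'а' in "Updаte" to mimic the homoglyph trick.
EVENTS = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\jdoe\Downloads\Chrome.Updаte.js"'},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c whoami /all > C:\Users\jdoe\AppData\Local\Temp\rad1A2B3.tmp"},
    {"pid": 4142, "ppid": 4120, "image": r"C:\Windows\System32\nltest.exe",
     "cmd": r"nltest /domain_trusts /all_trusts"},
    # Benign-looking admin usage: whoami from a non-script-host parent (no alert).
    {"pid": 5000, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c whoami"},
]

# Small Cyrillic-to-Latin look-alike map (assumed subset; extend for production use).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "х": "x", "у": "y", "і": "i"})

def normalize(text):
    """NFKC-normalize, fold confusables to Latin, and lowercase for matching."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
UPDATE_LURE = re.compile(r"(update|updater|upgrade|chrome|firefox|edge).*\.js\b")
RECON = re.compile(r"\b(whoami|nltest|systeminfo|net group)\b")
RAD_TMP = re.compile(r"\\rad[0-9a-f]{5}\.tmp\b")

def detect(events):
    """Return (pid, reason) alerts for SocGholish-like behavior in the event list."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        cmd = normalize(e["cmd"])
        # T1059.007 / T1036.005: script host launching an update-themed .js lure.
        if SCRIPT_HOST.search(e["image"]) and UPDATE_LURE.search(cmd):
            alerts.append((e["pid"], "script host running update-themed .js (T1059.007/T1036.005)"))
        # T1033 / T1482: recon commands whose parent is a script host.
        parent = by_pid.get(e["ppid"])
        if parent and SCRIPT_HOST.search(parent["image"]) and RECON.search(cmd):
            alerts.append((e["pid"], "recon spawned by script host (T1033/T1482)"))
        # T1074.001: output redirected to the rad<5-hex>.tmp staging file.
        if RAD_TMP.search(cmd):
            alerts.append((e["pid"], "output staged to rad<5-hex>.tmp (T1074.001)"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The parent-process check is what keeps a lone whoami from an administrator's shell (event 4) quiet while still flagging the same command when a script host spawned it.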
V. Immediate Recommendations
- Endpoint Detection and Response – Deploy EDR solutions to monitor and detect unusual behavior indicative of SocGholish activity, such as unexpected script execution or unauthorized C2 communications.
- Restrict JavaScript Execution – Disable the execution of JavaScript on untrusted websites.
- Regular Vulnerability Patching – Patch browsers, plugins, and other software regularly to reduce the risk of drive-by-download attacks.
- Browser Hardening – Enforce browser settings to block pop-ups and auto-downloads from untrusted sources.
- Anomalous Traffic Detection – Use network monitoring tools to detect and alert on unusual HTTP traffic patterns that may indicate SocGholish communication.
- User Awareness Training – Regularly train employees on the risks of fake browser update prompts and how to identify phishing attempts.
- Incident Response Plan (IRP) – Develop and test an incident response plan specifically addressing SocGholish-related threats, ensuring it includes steps for rapid isolation and containment.
VI. IOCs (Indicators of Compromise)
VII. Additional OSINT Information
SocGholish operates as a JavaScript-based malware loader that initially infects victims through compromised websites, presenting them with fake browser or software update prompts. Once users click to “update,” the malware executes a JavaScript payload, connecting back to the attacker’s command and control (C2) server to deliver additional payloads.
Image 1 of SocGholish Payload Delivery
Image 2 of SocGholish Payload Delivery
Image 3 of SocGholish Payload Delivery via Fake Google Alerts
Payload details:
- Primary Payload: The initial JavaScript script collects system and user information, which it sends back to the C2 server, enabling the attacker to assess the target for further exploitation. This reconnaissance phase helps the malware operators determine the value of the target and the appropriate secondary payloads to deploy.
- Secondary Payloads: SocGholish is known to deploy additional malware based on the information gathered. Historically, it used the NetSupport RAT for remote access but has evolved to favor other tools. Since 2022, SocGholish has shifted its preference to more advanced payloads, including:
  - Cobalt Strike: This well-known post-exploitation tool allows attackers to conduct further reconnaissance, privilege escalation, and lateral movement within networks. However, recent reports show a transition to using Mythic, an alternative to Cobalt Strike.
  - Mythic: A versatile open-source command and control framework used for post-compromise operations, allowing attackers to load additional modules and control infected systems stealthily.
- Reconnaissance and Lateral Movement: The secondary payload often includes commands for system discovery and Active Directory enumeration. Common tools used in this phase include nltest.exe for domain trust discovery and whoami for privilege reconnaissance.
- Ransomware Associations: SocGholish has acted as an initial access broker, facilitating access for ransomware groups such as LockBit and WastedLocker. This handoff process enables ransomware operators to capitalize on SocGholish’s infiltration to execute ransom demands or further network disruption.
By delivering these targeted payloads, SocGholish operators can gain persistent access, conduct extensive reconnaissance, and potentially disrupt critical systems. These payloads make SocGholish not only a potent malware threat but also a significant enabler of larger ransomware and espionage campaigns across various industries.
VIII. References
The Center for Internet Security, Inc. (October 23, 2024) Top 10 Malware Q3 2024 https://www.cisecurity.org/insights/blog/top-10-malware-q3-2024
Red Canary (2024) SocGholish https://redcanary.com/threat-detection-report/threats/socgholish/
MITRE ATT&CK (March 22, 2024) SocGholish https://attack.mitre.org/software/S1124/
Blackpoint Cyber (June 21, 2024) AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion https://blackpointcyber.com/resources/blog/asyncrat-netsupportrat-vssadmin-abuse-for-shadow-copy-deletion-soc-incidents-blackpoint-apg/
Proofpoint (November 22, 2022) Part 1: SocGholish, a very real threat from a very fake update https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
ReliaQuest (January 30, 2023) SocGholish: A Tale of FakeUpdates https://www.reliaquest.com/blog/socgholish-fakeupdates/
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker.