SocGholish is a JavaScript-based loader malware that has been in use since at least 2017. It has been observed against multiple sectors globally as an initial-access tool, delivered primarily through drive-by downloads that masquerade as software updates. SocGholish is operated by Mustard Tempest, and access obtained through it has been sold to groups including Indrik Spider for the delivery of secondary RAT and ransomware payloads.[1][2][3][4]
| Name | Description |
|---|---|
| FakeUpdates | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | SocGholish has used WMI calls for script execution and system profiling.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SocGholish has been named |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | The SocGholish payload is executed as JavaScript.[2][1][3][4] |
| Enterprise | T1482 | Domain Trust Discovery | SocGholish can profile compromised systems to identify domain trust relationships.[2][3] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | SocGholish can send output from |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | SocGholish can exfiltrate data directly to its C2 domain via HTTP.[3] |
| Enterprise | T1189 | Drive-by Compromise | SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates.[2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.[3][4] SocGholish has also used single- or double-Base64-encoded references to its second-stage server URLs.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | SocGholish has lured victims into interacting with malicious links on compromised websites for execution.[2] |
| Enterprise | T1614 | System Location Discovery | SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asia-Pacific nations.[4] |
| Enterprise | T1082 | System Information Discovery | SocGholish has the ability to enumerate system information including the victim computer name.[2][3][4] |
| Enterprise | T1033 | System Owner/User Discovery | SocGholish can use |
| Enterprise | T1016 | System Network Configuration Discovery | SocGholish has the ability to enumerate the domain name of a victim, as well as whether the host is a member of an Active Directory domain.[2][3][4] |
| Enterprise | T1102 | Web Service | SocGholish has used Amazon Web Services to host second-stage servers.[1] |
| Enterprise | T1518 | Software Discovery | SocGholish can identify the victim's browser in order to serve the correct fake update page.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | SocGholish can download additional malware to infected hosts.[3][4] |
| Enterprise | T1057 | Process Discovery | SocGholish can list processes on targeted hosts.[4] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | SocGholish has been spread via emails containing malicious links.[2] |
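The T1027.013 entry above notes that SocGholish has hidden its second-stage server URLs behind one or two layers of Base64. The following analyst helper is an added example written for this page; it is not code from the MITRE entry or from any of the cited reports. It scans a script body for Base64-looking string literals and decodes each one layer at a time until a URL appears. The URL, the script snippet and the layer limit are constructed assumptions for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample data (not a real SocGholish artefact): a hypothetical
# second-stage URL wrapped in one and then two layers of Base64.
STAGE2_URL = "https://example.invalid/report"
SAMPLE_SINGLE = base64.b64encode(STAGE2_URL.encode()).decode()
SAMPLE_DOUBLE = base64.b64encode(SAMPLE_SINGLE.encode()).decode()

# Constructed loader-style snippet embedding both encodings plus a decoy literal.
SAMPLE_SCRIPT = f'''
var a = "{SAMPLE_DOUBLE}";
var b = "{SAMPLE_SINGLE}";
var c = "not-base64-at-all";
'''

URL_RE = re.compile(r"^https?://[\w.-]+(?::\d+)?(?:/[^\s\"']*)?$")
B64_CHARS_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# String literals long enough to plausibly hide an encoded URL.
LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def peel_base64(blob, max_layers=4):
    """Decode Base64 repeatedly until the text is a URL.

    Returns (url, layers_removed), or (None, layers_tried) when the data stops
    being valid Base64 / printable ASCII before a URL appears.
    """
    current = blob.strip()
    for layer in range(max_layers + 1):
        if URL_RE.match(current):
            return current, layer
        if layer == max_layers or not B64_CHARS_RE.match(current):
            return None, layer
        padded = current + "=" * (-len(current) % 4)  # tolerate stripped padding
        try:
            current = base64.b64decode(padded, validate=True).decode("ascii").strip()
        except (binascii.Error, UnicodeDecodeError):
            return None, layer
    return None, max_layers


def recover_urls(script_text):
    """Scan a script body for Base64-looking literals and report any that
    decode (through one or more layers) to a URL, in order of appearance."""
    found = []
    for literal in LITERAL_RE.findall(script_text):
        url, layers = peel_base64(literal)
        if url is not None:
            found.append((url, layers))
    return found


if __name__ == "__main__":
    for url, layers in recover_urls(SAMPLE_SCRIPT):
        print(f"{layers} layer(s) of Base64 -> {url}")
```

Stopping as soon as the text matches a URL, rather than decoding a fixed number of times, is what lets the same routine handle the single- and double-encoded variants without knowing in advance which one a given sample uses; the `max_layers` cap keeps a literal that happens to decode into more Base64-shaped garbage from looping.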
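Several rows above describe the same infection chain from the host's point of view: a ZIP-delivered .js arrives through the browser (T1189, T1204.001, T1027.013), runs under a Windows script host (T1059.007), and then profiles the system through WMI and user discovery (T1047, T1033). The detection logic below is an added example for this page, not code from the MITRE entry or the cited reports. It correlates constructed process-creation events to flag a script host that executed a .js from a Downloads or temp-extraction path and lists the discovery binaries it spawned. The event schema, the `Temp1_<archive>.zip` folder convention, and the choice of `wmic.exe` and `whoami.exe` as discovery binaries are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js under the user's Downloads folder or under %TEMP%, including the
# Temp1_<archive>.zip\ folder Explorer uses when a ZIP is opened in place
# (assumed layout for this example).
DOWNLOADED_JS_RE = re.compile(
    r"\\(?:Downloads|AppData\\Local\\Temp)\\(?:Temp1_[^\\]+\\)?[^\\]+\.js\b",
    re.IGNORECASE,
)
# Discovery binaries to look for under the script host; assumed names, chosen
# to match the WMI and user-discovery behaviour attributed to SocGholish.
DISCOVERY_BINARIES = {"wmic.exe", "whoami.exe"}

# Constructed process-creation events (not real telemetry): a ZIP-delivered
# .js opened from Explorer, followed by profiling, plus a benign logon script.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 150, "ppid": 100, "image": "chrome.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\wscript.exe" '
                '"C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_Chrome.Update.zip\\Chrome.Update.js"'},
    {"pid": 201, "ppid": 200, "image": "wmic.exe", "cmdline": "wmic computersystem get domain"},
    {"pid": 202, "ppid": 200, "image": "whoami.exe", "cmdline": "whoami"},
    {"pid": 300, "ppid": 100, "image": "wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\wscript.exe" C:\\ProgramData\\IT\\logon.js'},
]


def find_suspicious_script_hosts(events):
    """Return {pid: details} for script hosts that executed a .js from a
    download or temp-extraction path, with the parent image and any discovery
    binaries spawned underneath (more such children, stronger the hit)."""
    by_pid = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    hits = {}
    for ev in events:
        if ev["image"].lower() not in SCRIPT_HOSTS:
            continue
        if not DOWNLOADED_JS_RE.search(ev["cmdline"]):
            continue
        spawned = sorted(
            c["image"].lower() for c in children[ev["pid"]]
            if c["image"].lower() in DISCOVERY_BINARIES
        )
        hits[ev["pid"]] = {
            "parent": by_pid.get(ev["ppid"], {}).get("image"),
            "cmdline": ev["cmdline"],
            "discovery": spawned,
        }
    return hits


if __name__ == "__main__":
    for pid, hit in find_suspicious_script_hosts(SAMPLE_EVENTS).items():
        print(pid, hit["parent"], hit["discovery"], hit["cmdline"])
```

The path check alone will fire on legitimate scripts a user happens to run from Downloads, so the discovery children are reported alongside it: a script host that was launched from a just-extracted ZIP and immediately queries WMI and the current user is a far stronger signal than either observation on its own. The benign logon script in the sample runs from `C:\ProgramData` and is not reported.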
| ID | Name | References |
|---|---|---|
| G1020 | Mustard Tempest | |