Scarlet Goldfinch

Closely mimicking SocGholish, this fake update variant propelled its primary payload, NetSupport Manager, into prominence as well.

#3

Overall Rank

3.4%

Customers Affected

Analysis

Scarlet Goldfinch is Red Canary’s name for a fake browser update activity cluster, similar to SocGholish, that first emerged in June 2023. One of several emerging threats in mid-2023 that followed SocGholish’s fake update footsteps, Scarlet Goldfinch is tracked by other researchers under several different names, including SmartApeSG (due to early observations of C2 infrastructure hosted on SmartApe ASN) and ZPHP (due to the use of PHP files to host C2 payloads).

Like SocGholish, Scarlet Goldfinch leverages compromised websites to present unsuspecting visitors with a notification that they need to update their browser. Those who take the bait will download a malicious JavaScript (JS) file that typically attempts to install NetSupport Manager, providing persistent remote access to the adversary.

Scarlet Goldfinch leverages web injects on compromised legitimate websites to redirect users to their fake update download sites. This approach leads to a somewhat diverse and indiscriminate pool of victims, and we have not observed any patterns in targeting by Scarlet Goldfinch. Left unchecked, we have observed additional follow-on payloads delivered after NetSupport, such as LummaC2.

At a high level, Scarlet Goldfinch’s objectives have remained consistent from when we first observed it in mid-2023. The use of fake update lures to entice a user to run a malicious JS dropper to download and install NetSupport has remained consistent. However, at the procedure level, Scarlet Goldfinch demonstrated several changes throughout 2024, indicating ongoing active development.

Scarlet Goldfinch tricks users into downloading a malicious JavaScript file that typically attempts to install NetSupport Manager, providing persistent remote access to the adversary.

Tracking changes in lure names

[Figure: Scarlet Goldfinch timeline infographic]

Ditching PowerShell

While these changes in lure names indicate continued minor tinkering with Scarlet Goldfinch, the biggest change we observed showed up in mid-November 2024. For about 15 months prior to that, Scarlet Goldfinch had used PowerShell code as the second-stage downloader to deploy NetSupport onto the system. Spawned by the wscript process, PowerShell would reach out to a C2 domain to pull down a ZIP file containing the NetSupport client32.exe binary, unzip the contents to a folder in %AppData%, execute it, and modify the CurrentVersion\Run key in the Windows registry to establish logon persistence. This PowerShell code saw minor changes over time, similar to the filename lures, adding increased obfuscation through variables and modifying the installation folder and run key names. But the basic functionality remained unchanged.

Then, in November 2024, the PowerShell component disappeared from the infection chain. Instead, the adversaries beefed up the code in the JS file. The tactics and higher-level techniques remained the same–pull down a ZIP containing NetSupport, write it to a folder, and establish run key persistence–but the procedures for doing this now existed entirely within the initial JavaScript dropper. This change not only represents active code development; it also impacts detection strategies.

But as often happens, when one door closes another one opens. Scarlet Goldfinch no longer triggers the subset of PowerShell detection logic it once did, but we’re now seeing new activity from some of our other detection logic.

Take action

One of the best ways to mitigate risks associated with Scarlet Goldfinch–as well as SocGholish, Gootloader, and other threats that begin with malicious JavaScript files–is to change the default behavior in Windows to open JS files with Notepad or another editor rather than immediately executing them. Details on implementing this control via Group Policy Objects (GPO) are available in our May 2024 blog Open with Notepad: Protecting users from malicious JavaScript.

Detection opportunities

Script execution from Explorer’s built-in ZIP function

This pseudo-detection analytic looks for WScript executing JavaScript files from the temp folder or app data, a tell-tale sign of mischief.

parent_process == (explorer.exe)
&&
process == (wscript.exe)
&&
command_line_includes ( users || temp) && (.zip || .js)
&&
has_netconn
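To make the pseudo-detection analytic above concrete, here is an added example (not Red Canary's detection code) that implements the same four conditions over constructed endpoint process-event records. The record fields (parent_process, process, command_line, has_netconn) are assumptions standing in for whatever your EDR schema exposes, and the sample events are constructed for illustration rather than captured from an incident.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    # Assumed minimal EDR process-event schema.
    parent_process: str
    process: str
    command_line: str
    has_netconn: bool


def _basename(path: str) -> str:
    """Case-insensitive image name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_scarlet_goldfinch_wscript(ev: ProcessEvent) -> bool:
    """The analytic from the page:
    parent_process == explorer.exe && process == wscript.exe
    && command_line includes (users || temp) && (.zip || .js)
    && has_netconn
    """
    if _basename(ev.parent_process) != "explorer.exe":
        return False
    if _basename(ev.process) != "wscript.exe":
        return False
    cmd = ev.command_line.lower()
    if not any(token in cmd for token in ("users", "temp")):
        return False
    if not any(ext in cmd for ext in (".zip", ".js")):
        return False
    return ev.has_netconn


def find_hits(events: List[ProcessEvent]) -> List[ProcessEvent]:
    return [ev for ev in events if matches_scarlet_goldfinch_wscript(ev)]


# Constructed sample telemetry: two true positives, three benign/near-miss events.
SAMPLE_EVENTS = [
    # Script run straight out of Explorer's built-in ZIP view (hit).
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Update.zip\Update.js"',
                 True),
    # Script run from Downloads with a browser-update lure name (hit).
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" //B "C:\Users\bob\Downloads\Chrome_Update.js"',
                 True),
    # Vendor maintenance script outside user-writable paths (miss: no users/temp).
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maint.js"',
                 True),
    # Scheduled-task style launch, not Explorer (miss: wrong parent).
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\svc\scripts\cleanup.js"',
                 True),
    # Same shape as a hit but no network connection observed (miss).
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\carol\Desktop\notes.js"',
                 False),
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line)
```

The substring conditions are intentionally as loose as the analytic on the page ("users" will match any profile path), so expect to tune exclusions for legitimate script execution in your environment rather than tightening the core logic.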

Testing

You can test detection capabilities by modifying and executing tests for T1059.007 using Atomic Red Team, particularly Atomic Test #2 – JScript execution to gather local computer information via wscript. The tests will need customization using script paths that match those of Scarlet Goldfinch scripts.
