Contrary to what the lead singer of Train might tell you, that sketchy software update is in fact a SocGholish drive-by download.
SocGholish is an initial access threat that leverages drive-by downloads masquerading as software updates. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp (also known as Indrik Spider). Red Canary encountered SocGholish in a wide variety of industry verticals in 2021. These drive-by downloads placed SocGholish inside the top five most prevalent threats we track. This ranking was fueled by an increasing number of detections as the year went on, culminating in SocGholish peaking as the most prevalent threat we encountered in December.
In 2021, Red Canary observed NetSupport RAT and BLISTER malware delivered by SocGholish. In the past, we have seen SocGholish deploy a Cobalt Strike payload that led to WastedLocker ransomware. The connection between SocGholish and BLISTER is notable, as this malware loader was only identified by Elastic in late December 2021. Following BLISTER deployment in an environment initially compromised with SocGholish, we detected several post-exploitation reconnaissance behaviors on the affected endpoint.
process == wscript.exe
command_line_includes ('.zip' && '.js')
Script files conducting reconnaissance with whoami and writing the output to a file
SocGholish employs several scripted reconnaissance commands. Most of this activity happens in memory, but one command that stands out is the execution of whoami with its output redirected to a local temp file named using the convention rad<5-hex-chars>.tmp.
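As an added illustration (not code from the Red Canary report), the two detection opportunities above expressed as checks over constructed process-creation events; the event field names (process, command_line) and the sample command lines are assumptions, as are the specific hex characters in the rad*.tmp name:

```python
import re

# Constructed sample process-creation events, not real telemetry from the report.
SAMPLE_EVENTS = [
    {"process": "wscript.exe",
     "command_line": 'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_Chrome.Update.zip\\Chrome.Update.js"'},
    {"process": "cmd.exe",
     "command_line": 'cmd.exe /c whoami > C:\\Users\\alice\\AppData\\Local\\Temp\\rad4F2A1.tmp'},
    {"process": "wscript.exe", "command_line": 'wscript.exe C:\\Scripts\\logon.js'},   # benign: no .zip
    {"process": "cmd.exe", "command_line": 'cmd.exe /c whoami > C:\\temp\\out.txt'},  # benign: no rad*.tmp
]

# '.js' followed by a word boundary, so '.json' does not match
JS_RE = re.compile(r"\.js\b", re.IGNORECASE)
# rad<5-hex-chars>.tmp, anchored on a path separator so 'radar12345.tmp' does not match
RAD_TMP_RE = re.compile(r"(?:^|[\\/])rad[0-9a-f]{5}\.tmp\b", re.IGNORECASE)


def is_wscript_zip_js(event):
    """Analytic 1: wscript.exe whose command line references both '.zip' and '.js'."""
    cl = event.get("command_line", "")
    return (event.get("process", "").lower() == "wscript.exe"
            and ".zip" in cl.lower()
            and JS_RE.search(cl) is not None)


def is_whoami_to_rad_tmp(event):
    """Analytic 2: whoami with output redirected to a rad<5-hex-chars>.tmp file."""
    cl = event.get("command_line", "")
    if "whoami" not in cl.lower() or ">" not in cl:
        return False
    # Only inspect the redirect target, i.e. the text after the last '>'
    target = cl.rsplit(">", 1)[1].strip().strip('"')
    return RAD_TMP_RE.search(target) is not None


def classify(events):
    """Return (event index, analytic name) for every event that fires an analytic."""
    hits = []
    for i, ev in enumerate(events):
        if is_wscript_zip_js(ev):
            hits.append((i, "wscript_zip_js"))
        if is_whoami_to_rad_tmp(ev):
            hits.append((i, "whoami_rad_tmp"))
    return hits


if __name__ == "__main__":
    for idx, name in classify(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['command_line']}")
```

The first analytic will also fire on legitimate scripts run straight out of a ZIP, so tune it against your own baseline before alerting on it.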