


SocGholish leverages drive-by-downloads masquerading as software updates to trick visitors of compromised websites into executing malware.








SocGholish is a malware family that leverages drive-by-downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2022. We observed a spike in activity in February 2022 (about triple the normal volume), and for the rest of the year SocGholish maintained a relatively stable background volume, typically affecting about 0.5 percent of Red Canary-monitored environments each month.

SocGholish commonly gains initial access when an unsuspecting user visits a compromised website and downloads a malicious file. SocGholish then relies on social engineering to gain execution, tricking unsuspecting users into running a malicious JavaScript payload. Historically this JavaScript file was delivered within a ZIP file masquerading as a browser update, though other lures have posed as updates to Adobe Flash or Microsoft Teams.

Do you С what I C?

In 2022, SocGholish began experimenting with changes to their ZIP filenames, perhaps in an attempt to evade detection based on filename patterns. During the middle of the year, SocGholish began incorporating homoglyphs (“lookalike” characters) to replace certain characters in filenames. For example, instead of the typical Latin-script filename, SocGholish would replace the letters C and a with their Cyrillic look-alikes С (U+0421, UTF-8 bytes 0xD0 0xA1) and а (U+0430, UTF-8 bytes 0xD0 0xB0), to produce the filename Сhrome.Updа

While nearly identical in appearance to the human eye, to a computer comparing strings (or to a detection rule matching on the ASCII spelling) these two file names do not match. From August through November, we observed SocGholish regularly changing up these filename lures, swapping out different characters in different campaigns. By December, they seemed to have given up on the homoglyph ruse and the ZIP file altogether. Since early December 2022, and continuing into 2023, we have observed SocGholish lures directly delivering an update-themed JavaScript file.
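The string-comparison point above is easy to turn into a check. The following is an added example, not Red Canary's tooling: it maps common Cyrillic lookalikes back to their Latin twins, reports the UTF-8 bytes of each substituted character, and flags a filename only when Cyrillic is mixed into an otherwise Latin name whose normalised form matches a known update lure. The confusables table is an assumed subset of the Unicode confusables data, the lure stems are an assumed list, and the sample filenames (including the full "Chrome.Update.zip" spelling) are constructed for the example.

```python
"""Spot update-themed filenames that swap Latin letters for Cyrillic lookalikes.

Added example; not Red Canary's tooling. CYRILLIC_CONFUSABLES is an assumed
subset of the Unicode confusables data, and the sample filenames are constructed.
"""
import unicodedata

# Cyrillic letter -> visually identical Latin letter (assumed subset)
CYRILLIC_CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
}

# Lure stems to match after normalisation (assumed list for the example)
LURE_STEMS = ("chrome.update", "firefox.update", "edge.update", "opera.update")


def utf8_bytes(ch: str) -> str:
    """Hex of a character's UTF-8 encoding, e.g. 'd0a1' for Cyrillic capital ES."""
    return ch.encode("utf-8").hex()


def skeleton(name: str) -> str:
    """Replace every Cyrillic lookalike with its Latin twin; other chars unchanged."""
    return "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in name)


def scripts_in(name: str) -> set:
    """Unicode scripts of the letters in `name`, read from their character names."""
    found = set()
    for ch in name:
        if ch.isalpha():
            # 'CYRILLIC CAPITAL LETTER ES' -> 'CYRILLIC', 'LATIN SMALL LETTER H' -> 'LATIN'
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def substitutions(name: str) -> list:
    """(index, cyrillic char, latin twin) for each lookalike present in `name`."""
    return [(i, ch, CYRILLIC_CONFUSABLES[ch])
            for i, ch in enumerate(name) if ch in CYRILLIC_CONFUSABLES]


def is_homoglyph_lure(name: str) -> bool:
    """True when Cyrillic lookalikes are mixed into an otherwise Latin name whose
    normalised form matches a known update lure. A purely Cyrillic filename is
    not flagged: the tell is the script mixing, not the alphabet itself."""
    if not substitutions(name):
        return False
    if not {"LATIN", "CYRILLIC"} <= scripts_in(name):
        return False
    return skeleton(name).lower().startswith(LURE_STEMS)


if __name__ == "__main__":
    # Constructed samples: a spoofed lure, the plain lure, and a Russian-language name
    samples = ("\u0421hrome.Upd\u0430te.zip", "Chrome.Update.zip",
               "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435.zip")
    for sample in samples:
        subs = [(i, c, utf8_bytes(c)) for i, c, _ in substitutions(sample)]
        print(f"{sample!r}: lure={is_homoglyph_lure(sample)} "
              f"skeleton={skeleton(sample)!r} substitutions={subs}")
```

Running the block prints the spoofed sample as a lure with substitutions at index 0 (bytes d0a1) and index 10 (bytes d0b0), the plain ASCII name as not a lure, and the all-Cyrillic name as not a lure. Matching on the skeleton rather than the raw filename is what keeps a filename analytic from being sidestepped by the next character swap.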

A bat signal for Raspberry Robin?

Around the same mid-2022 timeframe as the homoglyph hijinks, SocGholish pushed out another initial access twist. In addition to the typical drive-by download lures, Red Canary and other researchers observed SocGholish JavaScript files being delivered as a follow-on payload to Raspberry Robin infections. Like the homoglyph change, this was a relatively short-lived campaign. However, it points to a connection between the operators of two previously unlinked threats, and the nature of that relationship remains an intelligence gap.

Secondary payloads

Regardless of how it is delivered, upon execution the JavaScript payload connects back to SocGholish infrastructure, where it shares details about the infected host and can retrieve additional malware.

In 2022, Red Canary observed a second-stage payload in about one in 10 SocGholish incidents. About half the time, that payload was NetSupport, and the other half of the time, the payload was Blister with an embedded Cobalt Strike payload. Within seconds of deploying an additional payload, we typically observed several post-exploitation reconnaissance behaviors often associated with pre-ransomware activity. SocGholish intrusions have led to various ransomware families in the past, including LockBit in 2022.

The majority of SocGholish infections we’ve detected did not result in a second-stage payload, sometimes due to existing mitigations or rapid response to isolate the host. In most cases, we observed reconnaissance activity that only identified the infected endpoint and user. In some cases, Active Directory and domain enumeration followed user discovery. Both of these can be a precursor to lateral movement, but in observed intrusions, the hosts were isolated before any lateral movement activity could begin.

Much of the reconnaissance conducted by the malicious SocGholish JavaScript file happens in memory, with data being exfiltrated directly via HTTP POST requests to the command and control (C2) domain. One good source of insight into this behavior comes from collecting script load content, if such telemetry is available from your endpoint detection and response (EDR) sensor. Collecting this data provides key insight into the specific commands executed and data exfiltrated.

To mitigate risks associated with the malicious JavaScript files used by SocGholish operators, we recommend preventing automatic execution of JavaScript files. You can do this by changing the default file associations for .js and .jse files away from the Windows Script Host, for example to a text editor such as Notepad, so that a user who double-clicks a downloaded script opens it for viewing rather than executing it. To remove SocGholish components, stop any malicious instances of wscript.exe. Remove any malicious scheduled tasks for the victim user to remediate persistence on the host. If any payloads were stored within the Windows Registry or on disk, remove those payloads as well for full remediation.


Detection opportunities


Windows Script Host spawned from a browser and making external network connections

While JavaScript is everywhere on the web, it is rather unusual for the browser to download a JavaScript file and execute it via the Windows Script Host (wscript.exe). When this downloaded script starts communicating with devices outside of your network, things get even more suspicious. That said, this detection analytic may be noisy in some environments, so be prepared to identify what scripts are normally run in this way to tune out the noise.

parent_process == [a browser]
process == wscript.exe

Script files conducting reconnaissance with whoami and writing the output to a file

SocGholish employs several scripted reconnaissance commands. While much of this activity occurs in memory, one that stands out is the execution of whoami with the output redirected to a local temp file with the naming convention rad<5-hex-chars>.tmp.

parent_process == wscript.exe
process == cmd.exe
command_includes ('whoami /all >>')

Enumerating domain trust relationships with nltest.exe

Left unchecked, SocGholish may lead to domain discovery. This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further progression of the threat.

process == nltest.exe
command_includes ('/domain_trusts' || '/all_trusts')
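The three pseudo-rules above can be exercised against process telemetry to see which events they fire on and which they correctly ignore. The following is an added example, not Red Canary's detection engine: it implements all three analytics as Python functions and runs them over a handful of constructed events. The event schema (id, parent_name, process_name, command_line, external_connection), the browser list, the allowlist used for tuning and every sample event are assumptions chosen to mirror the rules on this page; the second analytic is tightened slightly beyond the pseudo-rule by also requiring the rad<5-hex-chars>.tmp output file mentioned in the text.

```python
"""Evaluate the three SocGholish analytics against constructed telemetry.

Added example; not Red Canary's detection engine. The event schema, browser
list, tuning allowlist and all sample events are assumptions.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
# Scripts that legitimately run under wscript.exe in this hypothetical environment
TUNED_SCRIPT_PATHS = ("c:\\corp\\tools\\helpdesk.js",)
# whoami output file: 'rad' + five hex characters + '.tmp' (matched case-insensitively)
RAD_TMP = re.compile(r"rad[0-9a-f]{5}\.tmp", re.IGNORECASE)
TRUST_FLAGS = ("/domain_trusts", "/all_trusts")


def wsh_from_browser_with_network(ev: dict) -> bool:
    """Analytic 1: wscript.exe spawned by a browser and talking outside the network."""
    cmd = ev["command_line"].lower()
    return (ev["process_name"].lower() == "wscript.exe"
            and ev["parent_name"].lower() in BROWSERS
            and ev.get("external_connection", False)
            and not any(p in cmd for p in TUNED_SCRIPT_PATHS))


def whoami_to_rad_tmp(ev: dict) -> bool:
    """Analytic 2: cmd.exe under wscript.exe redirecting 'whoami /all' into rad*.tmp."""
    cmd = ev["command_line"].lower()
    return (ev["parent_name"].lower() == "wscript.exe"
            and ev["process_name"].lower() == "cmd.exe"
            and "whoami /all >>" in cmd
            and RAD_TMP.search(cmd) is not None)


def nltest_trust_enum(ev: dict) -> bool:
    """Analytic 3: nltest.exe enumerating domain trusts."""
    cmd = ev["command_line"].lower()
    return ev["process_name"].lower() == "nltest.exe" and any(f in cmd for f in TRUST_FLAGS)


ANALYTICS = (
    ("wsh_from_browser_with_network", wsh_from_browser_with_network),
    ("whoami_to_rad_tmp", whoami_to_rad_tmp),
    ("nltest_trust_enum", nltest_trust_enum),
)


def evaluate(events: list) -> dict:
    """Map each analytic name to the ids of the events it fires on."""
    hits = {name: [] for name, _ in ANALYTICS}
    for ev in events:
        for name, rule in ANALYTICS:
            if rule(ev):
                hits[name].append(ev["id"])
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"id": 1, "parent_name": "chrome.exe", "process_name": "wscript.exe",
     "command_line": 'wscript.exe "C:\\Users\\jdoe\\Downloads\\Chrome.Update.js"',
     "external_connection": True},
    {"id": 2, "parent_name": "wscript.exe", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c whoami /all >> C:\\Users\\jdoe\\AppData\\Local\\Temp\\rad1A2B3.tmp",
     "external_connection": False},
    {"id": 3, "parent_name": "cmd.exe", "process_name": "nltest.exe",
     "command_line": "nltest.exe /domain_trusts /all_trusts", "external_connection": False},
    # Browser-spawned but no external connection yet: analytic 1 stays quiet
    {"id": 4, "parent_name": "msedge.exe", "process_name": "wscript.exe",
     "command_line": 'wscript.exe "C:\\Users\\jdoe\\Downloads\\Update.js"',
     "external_connection": False},
    # Allowlisted internal helper launched from a browser link: tuned out
    {"id": 5, "parent_name": "chrome.exe", "process_name": "wscript.exe",
     "command_line": 'wscript.exe "C:\\Corp\\Tools\\helpdesk.js"', "external_connection": True},
    # whoami with no redirect and no script-host parent: ordinary admin activity
    {"id": 6, "parent_name": "explorer.exe", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c whoami /all", "external_connection": False},
]

if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: events {ids}")
```

Events 1, 2 and 3 each trip exactly one analytic, while events 4 to 6 show the tuning the text calls for: the browser-spawned script that has not yet connected out, the allowlisted helper script, and a plain whoami are all left alone. Extending TUNED_SCRIPT_PATHS is where environment-specific noise from the first analytic would be handled.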



To emulate SocGholish, try wrapping Atomic Red Team test #2 for T1059.007 (JavaScript)—which leverages wscript to gather local computer information using JavaScript—in a ZIP file or launching it from your browser.
