SocGholish leverages drive-by-downloads masquerading as software updates to trick visitors of compromised websites into executing malware.
SocGholish is a malware family that leverages drive-by-downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2022. We observed a spike in activity in February 2022 (about triple the normal volume), and for the rest of the year SocGholish maintained a relatively stable background volume, typically affecting about 0.5 percent of Red Canary-monitored environments each month.
Do you С what I C?
In 2022, SocGholish began experimenting with changes to their ZIP filenames, perhaps in an attempt to evade detection based on filename patterns. During the middle of the year, SocGholish began incorporating homoglyphs (“lookalike” characters) to replace certain characters in filenames. For example, instead of the typical filename Chrome.Update.zip, SocGholish would replace the letters C and a with their UTF-8 Cyrillic look-alike characters С (0xd0a1) and а (0xd0b0), to produce the filename Сhrome.Updаte.zip, which renders identically but no longer matches a byte-for-byte pattern on the Latin spelling.
A bat signal for Raspberry Robin?
In 2022, Red Canary observed a second-stage payload in about one in 10 SocGholish incidents. About half the time, that payload was NetSupport, and the other half of the time, the payload was Blister with an embedded Cobalt Strike payload. Within seconds of deploying an additional payload, we typically observed several post-exploitation reconnaissance behaviors often associated with pre-ransomware activity. SocGholish intrusions have led to various ransomware families in the past, including Lockbit in 2022.
The majority of SocGholish infections we’ve detected did not result in a second-stage payload, sometimes due to existing mitigations or rapid response to isolate the host. In most cases, we observed reconnaissance activity that only identified the infected endpoint and user. In some cases, Active Directory and domain enumeration followed user discovery. Both of these can be a precursor to lateral movement, but in observed intrusions, the hosts were isolated before any lateral movement activity could begin.
.jse files. To remove SocGholish components, stop any malicious instances of wscript.exe. Remove any malicious scheduled tasks for the victim user to remediate persistence on the host. If any payloads were stored within the Windows Registry or on disk, attempt to remove those payloads for full remediation.
Windows Script Host spawned from a browser and making external network connections
The JavaScript file the victim downloads from the browser is executed by Windows Script Host (wscript.exe). When this downloaded script starts communicating with devices outside of your network, things get even more suspicious. That said, this detection analytic may be noisy in some environments, so be prepared to identify what scripts are normally run in this way to tune out the noise.
parent_process == [a browser] && process == wscript.exe && has_external_netconn
Script files conducting reconnaissance with whoami and writing the output to a file
SocGholish employs several scripted reconnaissance commands. While much of this activity occurs in memory, one that stands out is the execution of whoami with the output redirected to a local temp file with the naming convention
parent_process == wscript.exe && process == cmd.exe && command_includes ('whoami /all >>')
Enumerating domain trust relationships with nltest
Left unchecked, SocGholish may lead to domain discovery. This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further progression of the threat.
process == nltest.exe && command_includes ('/domain_trusts' || '/all_trusts')
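The three analytics above are written in pseudo-query form. The Python below is an added example (not Red Canary's code or detection content) that implements all three as functions over process events and runs them across a handful of constructed sample events, including the tuning allowlist the first analytic calls for. The browser list, the event schema (`parent`, `process`, `cmdline`, `netconns`), the internal-network ranges and the allowlisted script path are all assumptions made for this example.

```python
import ipaddress
import json

# Assumed browser process names; extend to match what your environment actually runs.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}

# Ranges treated as "inside the network" (assumption: RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Tuning knob for the noisy first analytic: scripts known to be launched this way
# legitimately. Path is constructed for the example.
ALLOWED_SCRIPTS = {r"c:\program files\corp\inventory.js"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def normalized_cmdline(ev):
    # Collapse runs of whitespace so 'whoami /all  >>' still matches the literal.
    return " ".join(ev["cmdline"].split()).lower()


def rule_wsh_from_browser(ev):
    """parent_process == [a browser] && process == wscript.exe && has_external_netconn"""
    if basename(ev["parent"]) not in BROWSERS or basename(ev["process"]) != "wscript.exe":
        return False
    if not any(is_external(ip) for ip in ev.get("netconns", [])):
        return False
    return not any(allowed in normalized_cmdline(ev) for allowed in ALLOWED_SCRIPTS)


def rule_whoami_to_file(ev):
    """parent_process == wscript.exe && process == cmd.exe && command_includes ('whoami /all >>')"""
    return (basename(ev["parent"]) == "wscript.exe"
            and basename(ev["process"]) == "cmd.exe"
            and "whoami /all >>" in normalized_cmdline(ev))


def rule_nltest_trusts(ev):
    """process == nltest.exe && command_includes ('/domain_trusts' || '/all_trusts')"""
    cmd = normalized_cmdline(ev)
    return basename(ev["process"]) == "nltest.exe" and ("/domain_trusts" in cmd or "/all_trusts" in cmd)


RULES = [
    ("wsh_from_browser_external_netconn", rule_wsh_from_browser),
    ("whoami_output_to_file", rule_whoami_to_file),
    ("nltest_domain_trusts", rule_nltest_trusts),
]


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def evaluate(events):
    """Return (rule_name, event_id) for every event that trips a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample events (JSON lines); usernames, paths and IPs are made up.
SAMPLE_EVENTS = r"""
{"id": 1, "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "process": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe \"C:\\Users\\alice\\Downloads\\Chrome.Update.js\"", "netconns": ["203.0.113.10"]}
{"id": 2, "parent": "C:\\Windows\\System32\\wscript.exe", "process": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami /all  >> C:\\Users\\alice\\AppData\\Local\\Temp\\output.tmp", "netconns": []}
{"id": 3, "parent": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts", "netconns": []}
{"id": 4, "parent": "C:\\Windows\\explorer.exe", "process": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe \\\\fileserver\\netlogon\\logon.vbs", "netconns": ["10.0.0.5"]}
{"id": 5, "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "process": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe \"C:\\Program Files\\Corp\\inventory.js\"", "netconns": ["203.0.113.20"]}
"""

if __name__ == "__main__":
    for hit in evaluate(load_events(SAMPLE_EVENTS)):
        print(hit)
```

Events 1 to 3 reproduce the chain the report describes (script host from a browser talking outbound, then whoami written to a temp file, then nltest trust enumeration) and each trips exactly one rule; event 4 is a logon script with only internal connections and event 5 is the allowlisted script, so neither fires.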
To emulate SocGholish, try wrapping atomic test #2 for T1059.007—which leverages