SocGholish is a malware family that leverages drive-by-downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2022. We observed a spike in activity in February 2022 (about triple the normal volume), and for the rest of the year SocGholish maintained a relatively stable background volume, typically affecting about 0.5 percent of Red Canary-monitored environments each month.
Do you С what I C?
In 2022, SocGholish began experimenting with changes to their ZIP filenames, perhaps in an attempt to evade detection based on filename patterns. During the middle of the year, SocGholish began incorporating homoglyphs (“lookalike” characters) to replace certain characters in filenames. For example, instead of the typical filename Chrome.Update.zip, SocGholish would replace the letters C and a with their UTF-8 Cyrillic look-alike characters С (0xd0a1) and а (0xd0b0), to produce the filename Сhrome.Updаte.zip.
A bat signal for Raspberry Robin?
In 2022, Red Canary observed a second-stage payload in about one in 10 SocGholish incidents. About half the time, that payload was NetSupport, and the other half of the time, the payload was Blister with an embedded Cobalt Strike payload. Within seconds of deploying an additional payload, we typically observed several post-exploitation reconnaissance behaviors often associated with pre-ransomware activity. SocGholish intrusions have led to various ransomware families in the past, including Lockbit in 2022.
The majority of SocGholish infections we’ve detected did not result in a second-stage payload, sometimes due to existing mitigations or rapid response to isolate the host. In most cases, we observed reconnaissance activity that only identified the infected endpoint and user. In some cases, Active Directory and domain enumeration followed user discovery. Both of these can be a precursor to lateral movement, but in observed intrusions, the hosts were isolated before any lateral movement activity could begin.
Windows Script Host spawned from a browser and making external network connections
parent_process == [a browser]
process == wscript.exe
Script files conducting reconnaissance with whoami and writing the output to a file
SocGholish employs several scripted reconnaissance commands. While much of this activity occurs in memory, one that stands out is the execution of whoami with the output redirected to a local temp file with the naming convention rad<5-hex-chars>.tmp.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.