Threat Sounds
Contrary to what the lead singer of Train might tell you, that sketchy software update is in fact a SocGholish drive-by download.
Analysis
SocGholish is an initial access threat that leverages drive-by-downloads masquerading as software updates. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp (also known as Indrik Spider). Red Canary encountered SocGholish in a wide variety of industry verticals in 2021. These drive-by-downloads placed SocGholish inside the top five most prevalent threats we track. This ranking was fueled by an increasing number of detections as the year went on, culminating in SocGholish peaking as the most prevalent threat we encountered in December.
A SocGholish drive-by-download occurs when an unsuspecting user visits a compromised website and downloads a malicious ZIP file. In one incident described by Expel earlier this year, adversaries compromised an organization’s site that was running a vulnerable version of WordPress. Employee endpoints were then infected with drive-by-downloads of SocGholish directly from the company’s own website. SocGholish relies on social engineering to gain execution, tricking unsuspecting users into running a malicious JavaScript payload stored within a downloaded ZIP file. These files typically masquerade as browser updates, though other lures include Adobe Flash or Microsoft Teams. Once executed, the JavaScript payload connects back to SocGholish infrastructure, where it shares details about the infected host and can retrieve additional malware.
In 2021, Red Canary observed NetSupport RAT and BLISTER malware delivered by SocGholish. In the past, we have seen SocGholish deploy a Cobalt Strike payload that led to WastedLocker ransomware. The connection between SocGholish and BLISTER is notable, as this malware loader was only identified by Elastic in late December 2021. Following BLISTER deployment in an environment initially compromised with SocGholish, we detected several post-exploitation reconnaissance behaviors on the affected endpoint.
The majority of SocGholish infections we’ve detected did not result in a second-stage payload, sometimes due to existing mitigations or rapid response to isolate the host. In most cases, we observed reconnaissance activity that only identified the infected endpoint and user. In some cases, Active Directory and domain enumeration followed user discovery. Both of these can be a precursor to lateral movement, however, the hosts were isolated before any lateral movement activity could begin. Much of the reconnaissance conducted by the malicious JavaScript file happens in memory, with data being exfiltrated directly via POST commands to the C2 domain. One good source of insight into this behavior comes from collecting script load content, if such telemetry is available from your endpoint detection and response (EDR) sensor. Collecting this data provides key insight into the specific commands executed and data exfiltrated.
Detection opportunities
JavaScript executing from a ZIP file and making external network connections
Executing script contents from within a ZIP file is unusual, especially when that script is making external network connections. This detection analytic regularly identifies the initial execution and network connections from a SocGholish JavaScript payload extracted from a ZIP file.
process == wscript.exe
&&
command_line_includes ('.zip' && '.js')
&&
has_external_netconn
Script files conducting reconnaissance with whoami
and writing the output to a file
SocGholish employs several scripted reconnaissance commands. While much of this activity occurs in memory, one that stands out is the execution of whoami
with the output redirected to a local temp file with the naming convention rad<5-hex-chars>.tmp
.
parent_process == wscript.exe
&&
process == cmd.exe
&&
command_line_includes ('whoami /all >>')
Enumerating domain trusts activity with nltest.exe
Left unchecked, SocGholish may lead to domain discovery. This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further progression of the threat.
process == nltest.exe
&&
command_line_includes ('/domain_trusts' || '/all_trusts')