SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]
Associated Software Descriptions
| Name | Description |
|---|---|
| FakeUpdates |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .007 | Command and Scripting Interpreter: JavaScript |
The SocGholish payload is executed as JavaScript.[2][1][3][4] |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
SocGholish can send output from |
| Enterprise | T1482 | Domain Trust Discovery |
SocGholish can profile compromised systems to identify domain trust relationships.[2][3] |
|
| Enterprise | T1189 | Drive-by Compromise |
SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates.[2] |
|
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
SocGholish can exfiltrate data directly to its C2 domain via HTTP.[3] |
| Enterprise | T1105 | Ingress Tool Transfer |
SocGholish can download additional malware to infected hosts.[3][4] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
SocGholish has been named |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.[3][4] SocGholish has also single or double Base-64 encoded references to its second-stage server URLs.[1] |
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
SocGholish has been spread via emails containing malicious links.[2] |
| Enterprise | T1057 | Process Discovery |
SocGholish can list processes on targeted hosts.[4] |
|
| Enterprise | T1518 | Software Discovery |
SocGholish can identify the victim's browser in order to serve the correct fake update page.[4] |
|
| Enterprise | T1082 | System Information Discovery |
SocGholish has the ability to enumerate system information including the victim computer name.[2][3][4] |
|
| Enterprise | T1614 | System Location Discovery |
SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.[4] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
SocGholish has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain.[2][3][4] |
|
| Enterprise | T1033 | System Owner/User Discovery |
SocGholish can use |
|
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
SocGholish has lured victims into interacting with malicious links on compromised websites for execution.[2] |
| Enterprise | T1102 | Web Service |
SocGholish has used Amazon Web Services to host second-stage servers.[1] |
|
| Enterprise | T1047 | Windows Management Instrumentation |
SocGholish has used WMI calls for script execution and system profiling.[2] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1020 | Mustard Tempest |
References
- Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
- Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
- Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.