S1124 SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by downloads masquerading as software updates. SocGholish is operated by Mustard Tempest, and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[2][1][3][4]
| Item | Value |
|---|---|
| ID | S1124 |
| Associated Names | FakeUpdates |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 March 2024 |
| Last Modified | 06 April 2024 |
Associated Software Descriptions
| Name | Description |
|---|---|
| FakeUpdates | [3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | The SocGholish payload is executed as JavaScript.[1][2][3][4] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SocGholish can send output from whoami to a local temp file using the naming convention rad<5-hex-chars>.tmp.[3] |
| enterprise | T1482 | Domain Trust Discovery | SocGholish can profile compromised systems to identify domain trust relationships.[1][3] |
| enterprise | T1189 | Drive-by Compromise | SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | SocGholish can exfiltrate data directly to its C2 domain via HTTP.[3] |
| enterprise | T1105 | Ingress Tool Transfer | SocGholish can download additional malware to infected hosts.[3][4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | SocGholish has been named AutoUpdater.js to mimic legitimate update files.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | SocGholish has single or double Base64-encoded references to its second-stage server URLs.[2] |
| enterprise | T1027.015 | Compression | The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.[3][4] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | SocGholish has been spread via emails containing malicious links.[1] |
| enterprise | T1057 | Process Discovery | SocGholish can list processes on targeted hosts.[4] |
| enterprise | T1518 | Software Discovery | SocGholish can identify the victim's browser in order to serve the correct fake update page.[4] |
| enterprise | T1082 | System Information Discovery | SocGholish has the ability to enumerate system information including the victim computer name.[1][3][4] |
| enterprise | T1614 | System Location Discovery | SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.[4] |
| enterprise | T1016 | System Network Configuration Discovery | SocGholish has the ability to enumerate the domain name of a victim, as well as whether the host is a member of an Active Directory domain.[1][3][4] |
| enterprise | T1033 | System Owner/User Discovery | SocGholish can use whoami to obtain the username from a compromised host.[1][3][4] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | SocGholish has lured victims into interacting with malicious links on compromised websites for execution.[1] |
| enterprise | T1102 | Web Service | SocGholish has used Amazon Web Services to host second-stage servers.[2] |
| enterprise | T1047 | Windows Management Instrumentation | SocGholish has used WMI calls for script execution and system profiling.[1] |
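Several rows above describe host artifacts a defender can key on: the payload runs as JavaScript (T1059.007), the script is named AutoUpdater.js to look like an updater (T1036.005), and whoami output is staged to a temp file named rad<5-hex-chars>.tmp (T1074.001, T1033). The following is an added example, not part of this ATT&CK entry or of any vendor's detection content, showing how those three observations translate into simple detection rules run over endpoint telemetry. It assumes a simplified, hypothetical event schema (process and file creation events with image, parent image, command line and path), assumes the JavaScript payload is executed by a Windows script host such as wscript.exe or cscript.exe, and uses constructed sample events rather than real telemetry.

```python
import re
from dataclasses import dataclass

# Hypothetical, simplified telemetry record (not a real EDR/Sysmon schema):
# one process-creation or file-creation event as a defender might export.
@dataclass
class Event:
    kind: str               # "process" (creation) or "file" (creation)
    image: str              # process image, or the process that wrote the file
    parent_image: str = ""  # parent process image (process events)
    command_line: str = ""  # full command line (process events)
    path: str = ""          # created file path (file events)

# Staging file convention from the page: "rad" + 5 hex chars + ".tmp".
# Case-insensitive because hex digits may be written in either case.
STAGING_NAME = re.compile(r"\brad[0-9a-f]{5}\.tmp\b", re.IGNORECASE)
# Masquerade name from the page (T1036.005).
MASQUERADE_NAME = re.compile(r"\bAutoUpdater\.js\b", re.IGNORECASE)
# Assumption: the JavaScript payload runs under a Windows script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHOAMI = re.compile(r"\bwhoami(?:\.exe)?\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating both separators."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_events(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every rule an event trips."""
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        if ev.kind == "process":
            # Rule 1: a script host launching a file named like the fake updater.
            if img in SCRIPT_HOSTS and MASQUERADE_NAME.search(ev.command_line):
                findings.append((i, "script_host_runs_autoupdater_js"))
            # Rule 2: whoami spawned beneath a script host (T1033 from JavaScript).
            if parent in SCRIPT_HOSTS and WHOAMI.search(ev.command_line):
                findings.append((i, "whoami_spawned_by_script_host"))
            # Rule 3: command output redirected into a rad<hex5>.tmp file (T1074.001).
            if STAGING_NAME.search(ev.command_line):
                findings.append((i, "output_redirected_to_rad_tmp"))
        elif ev.kind == "file":
            # Rule 4: the staging file itself appearing on disk.
            if STAGING_NAME.search(ev.path):
                findings.append((i, "rad_tmp_file_created"))
    return findings


# Constructed sample events (not real telemetry). Indices 0-2 model the
# behaviour described on the page; 3 and 4 are benign look-alikes.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\alice\Downloads\AutoUpdater.js"'),
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
          r"cmd.exe /c whoami > C:\Users\alice\AppData\Local\Temp\rad3F2A1.tmp"),
    Event("file", r"C:\Windows\System32\cmd.exe",
          path=r"C:\Users\alice\AppData\Local\Temp\rad3F2A1.tmp"),
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
          r'notepad.exe "C:\Users\alice\Documents\notes.txt"'),
    Event("file", r"C:\Program Files\Imaging\viewer.exe",
          path=r"C:\Users\bob\AppData\Local\Temp\radiology.tmp"),
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rule 3 and rule 4 fire on the same staging file from two different vantage points (command line versus file creation), which is useful when only one telemetry source is available; rule 2 is the higher-fidelity signal because whoami launched by a script host has few benign explanations. The `\b` boundaries on the staging pattern keep names such as `radiology.tmp` from matching.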
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1020 | Mustard Tempest | [5][4][1] |
References
1. Northern, A. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
2. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
3. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
4. Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024.
5. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.