UDTSecure SocGholish Malware Technical Security Alert


Technical Security Alert 032822001

Industries Affected:

  1. Financial Services
  2. Government Facilities


Risk Rating: HIGH


SUMMARY

SocGholish (aka FakeUpdates) is a JavaScript-based malware that masquerades as a legitimate browser update delivered to victims via compromised websites. SocGholish establishes an initial foothold onto victim networks that threat actors use for further targeting with ransomware. Since 2020, the SocGholish malware is believed to be the most common initial intrusion vector across multiple variants of ransomware suspected to be operated by subjects associated with the Evil Corp cybercriminal organization, including BitPaymer, WastedLocker, Hades, Phoenix, PayloadBIN, and Macaw Locker.

SocGholish has currently infected thousands of US businesses, government, academic, non-profit, and healthcare organizations, resulting in subsequent ransomware events with losses ranging between $1 million and $40 million per incident.


TECHNICAL DETAILS

SocGholish is delivered via compromised websites injected with JavaScript that redirects visitors to a series of malicious websites hosting SocGholish payloads. There are typically three stages to a SocGholish incident, with multiple browser redirects and obfuscated code used throughout to evade anti-virus detections.

In the initial stage, SocGholish collects victim browser information when the victim visits a compromised website. The malware initiates a series of HTTP redirects before prompting the victim to download a software update for their web browser.

The second stage executes if the victim downloads the fake browser update, upon which a zipped JavaScript malware payload is delivered and triggered with wscript.exe. The malware collects additional information via whoami and net user / net group commands, as well as PowerShell scripts, and communicates the information back to a command and control (C2) server.

The final stage typically involves the delivery of a “Cobalt Strike Beacon” payload used by threat actors for further network reconnaissance and lateral movement that ultimately leads to ransomware deployment.
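The second stage described above leaves a distinctive process tree on the endpoint: wscript.exe launching a .js file, then spawning whoami, net and PowerShell. The following script is an added detection example written for this alert, not code from UDTSecure; it walks constructed process-creation events (a hypothetical pid/ppid/image/cmdline schema) and assumes the fake update lands in a user Downloads or Temp folder.

```python
import re
from collections import defaultdict

# Constructed process-creation events (hypothetical schema: pid, ppid, image, cmdline),
# modelled on stage two of the chain: wscript.exe runs the downloaded .js, which then
# spawns whoami / net / PowerShell to profile the host.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Chrome.Update.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"pid": 301, "ppid": 200, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"pid": 302, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\u.ps1"},
    {"pid": 400, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},  # benign admin script, must not fire
]

# Assumption: the fake update is executed from a user-writable download/temp location.
JS_FROM_USER_PATH = re.compile(r'\\(?:Downloads|Temp)\\[^\s"]*\.js\b', re.IGNORECASE)
RECON_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "powershell.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_fakeupdate_chains(events):
    """Return (wscript_pid, wscript_cmdline, [child recon cmdlines]) for each
    wscript.exe that ran a .js from a user path; the child list may be empty."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if basename(e["image"]) != "wscript.exe":
            continue
        if not JS_FROM_USER_PATH.search(e["cmdline"]):
            continue
        recon = [c["cmdline"] for c in children[e["pid"]]
                 if basename(c["image"]) in RECON_IMAGES]
        findings.append((e["pid"], e["cmdline"], recon))
    return findings

if __name__ == "__main__":
    for pid, cmd, recon in find_fakeupdate_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {cmd}")
        for r in recon:
            print("   child:", r)
```

In a real deployment the same logic maps onto Sysmon Event ID 1 or EDR process telemetry; the .js-from-user-path condition alone is a useful alert even before any child process appears.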

SocGholish C2 domains rotate regularly and often use hijacked subdomains of legitimate websites that can blend in with seemingly normal network traffic. Potential SocGholish C2 activity can be identified with the following domain patterns observed during various investigations:

[8 random hex characters].subdomain.domain.topleveldomain
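The domain pattern above can be turned into a simple hunt over DNS or proxy logs. This is an added example for this alert, not UDTSecure code: it matches the [8 hex].subdomain.domain.tld shape, cross-checks resolved addresses against the C2 IPs listed in the indicators section below, and runs over constructed log records in a hypothetical "timestamp client host answer" format (the example.* hostnames are placeholders, not real indicators).

```python
import re

# C2 hostname shape given in the alert: [8 random hex characters].subdomain.domain.tld,
# i.e. at least four labels with an exactly-8-hex-character leftmost label.
C2_HOST_RE = re.compile(r"^[0-9a-f]{8}\.(?:[a-z0-9-]+\.){2,}[a-z]{2,}$", re.IGNORECASE)

# C2 addresses listed in the alert's indicators of compromise.
KNOWN_C2_IPS = {"79.110.52.138", "79.110.52.140", "179.43.169.31"}

def matches_c2_pattern(host: str) -> bool:
    """True when host fits the [8 hex].subdomain.domain.tld shape."""
    return C2_HOST_RE.match(host.strip().rstrip(".")) is not None

def scan_dns_log(lines):
    """Return (timestamp, client, host, reasons) for each suspicious record.

    Assumed (hypothetical) record format: '<timestamp> <client_ip> <queried_host> <answer_ip>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record: skip rather than crash the hunt
        ts, client, host, answer = parts[:4]
        reasons = []
        if matches_c2_pattern(host):
            reasons.append("c2-domain-pattern")
        if answer in KNOWN_C2_IPS:
            reasons.append("known-c2-ip")
        if reasons:
            hits.append((ts, client, host, ",".join(reasons)))
    return hits

# Constructed sample records; example.* hostnames and 203.0.113.x addresses are placeholders.
SAMPLE_LOG = [
    "2022-03-28T10:01:02Z 10.0.0.5 www.example.com 203.0.113.1",
    "2022-03-28T10:01:05Z 10.0.0.5 3f9a1c7e.news.example.net 79.110.52.138",
    "2022-03-28T10:02:11Z 10.0.0.7 cdn.example.org 179.43.169.31",
    "2022-03-28T10:03:00Z 10.0.0.9 deadbeef.example.com 203.0.113.9",       # only three labels
    "2022-03-28T10:04:00Z 10.0.0.9 abcdefgh.news.example.net 203.0.113.10",  # 'g' and 'h' are not hex
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

The pattern match alone will produce some false positives (CDNs also use hex-looking labels), so treat a pattern-only hit as a lead to enrich with the full chain in the technical details rather than as a confirmed compromise.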

 

INDICATORS OF COMPROMISE

Known IP Addresses

79.110.52.138

79.110.52.140

179.43.169.31

 

File Names and Hashes


Domains

C2 pattern — [8 random hex characters].subdomain.domain.topleveldomain


MITIGATIONS

  • Implement regular backups of all data. Maintain backups offline, and ensure the data is encrypted and immutable.
  • Confirm that the native Domain Admin account “Administrator” has a strong password and is in “Disabled” status. This account should not be used for day-to-day activities and should be placed in a protected Active Directory group.
  • Store copies of data offline, and use multi-factor authentication with strong passwords.
  • Disable command-line and scripting activities and permissions.
  • Install and regularly update antivirus software with real-time detection.
  • Implement network segmentation to prevent accessibility across multiple machines on the network.
  • Keep computers, devices and applications patched and up to date. Prioritize patching known exploited vulnerabilities.
  • Safeguard the network by enforcing administrative privileges and configuring access controls with least privilege in mind.
  • Consider adding an email banner to emails received from outside of your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
  • Use admin disabling tools to support identity and privileged access management.
  • Implement time-based access for accounts set at the admin level and higher.

 

RELATED UDTSECURE SERVICES

The following UDTSecure Cyber Security Services can help clients test for and mitigate this threat:

  • UDTSecure AD Threat & Compromise Assessment
  • UDTSecure Vulnerability Security Assessment and Patch Management as a Service
  • UDTSecure Managed Threat Hunting Service
  • UDTSecure Compromise Assessment
  • UDT Professional Services to help with all your mitigation needs.


Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:

RECOMMENDED IMMEDIATE NEXT ACTIONS

  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and malware tools to ensure they’re not infected.
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.
