UDTSecure SocGholish Malware Technical Security Alert

SocGholish has currently infected thousands of US businesses, government, academic, non-profit, and healthcare organizations, resulting in subsequent ransomware events with losses ranging between $1 million and $40 million per incident.

Technical Security Alert 032822001

Industries Affected:

Financial Services
Government Facilities

Risk Rating: HIGH

SUMMARY

SocGholish (aka FakeUpdates) is a JavaScript-based malware that masquerades as a legitimate browser update delivered to victims via compromised websites. SocGholish establishes an initial foothold onto victim networks that threat actors use for further targeting with ransomware. Since 2020, the SocGholish malware is believed to be the most common initial intrusion vector across multiple variants of ransomware suspected to be operated by subjects associated with the Evil Corp cybercriminal organization, including BitPaymer, WastedLocker, Hades, Phoenix, PayloadBIN, and Macaw Locker.

TECHNICAL DETAILS

SocGholish is delivered via compromised websites injected with JavaScript that redirects visitors to a series of malicious websites hosting SocGholish payloads. There are typically three stages to a SocGholish incident, with multiple browser redirects and obfuscated code used throughout to evade anti-virus detections.

The initial stage, SocGholish collects victim browser information upon visiting a compromised website. The malware initiates a series of HTTP redirects before prompting the victim to download a software update for their web browser.

The second stage executes if the victim downloads the fake browser update, upon which a zipped JavaScript malware payload is delivered and triggered with wscript.exe. The malware collects additional information via whoami and netuser/netgroup commands, as well as PowerShell scripts, and communicates the information back to a command and control (C2) server.

The final stage typically involves the delivery of a “Cobalt Strike Beacon” payload used by threat actors for further network reconnaissance and lateral movement that ultimately leads to ransomware deployment.

SocGholish C2 domains rotate regularly and often use hijacked subdomains of legitimate websites that can blend in with seemingly normal network traffic. Potential SocGholish C2 activity can be identified with the following domain patterns observed during various investigations:

[8 random hex characters].subdomain.domain.topleveldomain

INDICATORS OF COMPROMISE

Known IP Addresses

79.110.52.138

79.110.52.140

179.43.169.31

File Names and Hashes

c495cfee1981974cf76d07193a3c6b6e45b04fff

033812cbd4ff548c14715078f8777777bf61f26d

10459c6ac3e90b1881aaea002cbeccfc56db51f1

3b1b5907f2781506f9561cd1f520ba8fcf18b462

a40e93621562911c5b68e959cc228de85c131a70

4c15f6373f626ec3805a5a80403541252236ae4a

f870379f1993228547acc5446085205ec7e4b04a

10459c6ac3e90b1881aaea002cbeccfc56db51f1

a40e93621562911c5b68e959cc228de85c131a70

d1bf6b1f8dad5da49556510c996192652400467e

10a13cb164d4ccfe573cf23555071c42ffeb40cd

bc1b4ae7a6171561aba09636c139719c8c358c78

854ece5389ca85cd7616befd27f8d4e0aa38ac38

7c8e4f2f79df91f0f929b0447c321eea2ad861c1

048a7b85d7a3c17781f2fa420a9e5e392b705c20

0fad03d96658c952382a074e5f7b305b6b132eaf

3340061cea2a8eb1116285a8284a80b3752f6148

cecd2af742ea6b06371b7b9961bc8fc6ab428dd0

8aa898ccae9a06f0d5e488a489b6b54a747be83c

9c57ee8be0d48d60ed46900e532ffb2ad43d89dd

3b64b2a97310a7bfcb9ce7abce3585a84b89c618

76e82eb8841a2afa435be65e9fed6e19f961508e

3a4848828e8e9f67da67ab8cbba5159fcdec1ef5

a738db6d900d34f651c0de322176bc2bca484288

6f7e9a1997113f840e075b84d31da03d8cd3fd9c

a733fb551022b82994191f8a1e052ca82656f205

f3e57b1d3e22c01ed5e060356df7f7e9707dba6d

e4e52cc23852243bc79536ae1b175f49ee8193ab

ec37bb517261285fb24df21e82963a878fdd009e

c25efbda7435671ea52c64630f3782c908599eb8

0ac2f3b75f5918d7e807e55b954ac0ef9998679a

582aa29e188a604d1a49fde0d9740f403fe9de93

f7533d2307b9bf449ea83ba48f58940217158251

a102e5be89558352cf29f27e011042f508d59b8f

e2825d27aabd7b2e4c011713bb65bbfd089c62dd

d69c336619e5de591270adbff395c969716b355c

505b375befa7e636679a6e97228e656b7144acbc

3246b0987e14f28970c23fe4104ffb26e017c1dd

01b71bd417c2d6b9900ba8028d7659cf67275d99

ff13f5e89c51b0b9af963d080ef0899c7a169080

8ea2e0d7b2eed28e0545fc517c5f9dd191354d93

5228c1e9a24dc8afc0134639e033867ae993a27a

2bbaaa4545e52824083cad51385f19a88ad2a9bd

c44858db442ccd3363613778c3dfdc491c3926e7

1cd433f3b9957efa2de55fd644ce9f4abd02ec24

a53f6c33ef607d583265a54289ee59682a152a0f

Domains

C2 pattern — [8 random hex characters].subdomain.domain.topleveldomain

*.edge.wholesalerandy.com

*.news.pocketstay.com

*.auth.codingbit.co.in

*.nodes.fioressence.com

*.push.youbyashboutique.com

*.click.clickanalytics208.com

*.green.mattingsolutions.co

*.login.lilscrambler.com

*.notify.aproposaussies.com

*.login.nuwealthmedia.com

*.jobs.tracybrey.com

*.second.pmservicespr.com

*.popcorn.net-zerodesign.com

*.minion.maxxcorp.net

*.news.nuwealthmedia.com

MITIGATIONS

Implement regular backups of Maintain backups offline, and ensure the data is encrypted and immutable.
Confirm that the Native Domain Admin account “Administrator” has a strong password and is in “Disabled” status. This account should not be used for day to day activities and should be placed under the protected group AD Group.
Store copies of data offline using multi-factor authentication with strong password
Disable command-line and scripting activities and
Install and regularly update antivirus software with real-time
Implement network segmentation to prevent accessibility across multiple machines on the network.
Keep computers, devices and applications patched and up to Prioritize patching known exploited vulnerabilities.
Safeguard the network by enacting administrative privileges and configuring access controls with the least privilege in mind.
Consider adding an email banner to emails received outside of your
Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Disable hyperlinks in received
Use double authentication when logging into accounts or
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
Use Admin Disabling Tools to support identity and privileged access
Implement time-based access for accounts set at the admin-level and.

RELATED UDTSECURE SERVICES

The following UDTSecure Cyber Security Services can help clients test and mitigate for this important vulnerability with the following services:

UDTSecure AD Threat & Compromise Assessment
UDTSecure Vulnerability Security Assessment and Patch Management as a Service
UDTSecure Managed Threat Hunting Service
UDTSecure Compromise Assessment
UDT Professional Services to help with all your mitigation needs.

Accomplish More With UDT

Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.

More to explore

K12 Budgeting: Planning Your 1:1 Device Refresh Program Cost

As K12 education evolves, managing 1:1 device programs effectively is crucial. These programs, providing each student with a personal computing device, play a pivotal role in modern education. Success demands strategic planning, communication, foresight, and a holistic approach to device management. With digital learning on the rise, these devices are more than just tools for accessing information; they are platforms for interactive, core learning experiences. However, funding remains a significant hurdle, making effective budgeting for your device refresh program essential for optimizing ROI and device longevity.

Crafting a Futureproof 1:1 Device Strategy for School Districts

In the evolving landscape of Education Technology, crafting a futureproof 1:1 device strategy is crucial. This strategy should link every student, teacher, and administrator experience with specific device specifications. The integration of educational apps into the curriculum can significantly enhance the learning environment. These apps, tailored to the needs of students, can provide interactive content, fostering a dynamic learning experience.

Optimizing Your K12 Tech Investments: Funding 1:1 Device Programs

This blog will guide school districts grappling with the financial and resource demands of implementing a successful 1:1 device program amid ongoing challenges of budget constraints and competing priorities. Our guided workbook, created in partnership with Intel, provides further support with personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.

K12 Cybersecurity: How to Secure 1:1 Devices in Your School District

This blog post delves into the importance of security, cybersecurity, and data privacy in school districts implementing 1:1 device initiatives. It offers basic steps for evaluating, planning, and executing a security strategy. Our guided workbook, created in partnership with Intel, provides a personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.

Lost & Stolen Devices are a Serious Data Security Threat—Here’s Why

Since the pandemic, remote and hybrid work has become the norm. While mobile devices and remote workstations have empowered great flexibility, it has also led to an increase in data security problems due to lost, misplaced, or stolen devices. Find out how remote and hybrid setups are contributing to this problem and how to protect yourself and your organization.

Ransomware Gangs Adding Pressure with ‘Swatting’ Attacks—Here’s What You Need to Know

Ransomware gangs are implementing new extortion tactics to encourage victims to pay up. Swatting is becoming an increasingly popular tactic. It involves calling law enforcement to falsely report a serious, in-progress crime triggering an extreme response such as an armed raid from the SWAT team. Explore how cybercriminals are using this tactic and what you can do to prevent it from happening to you.