SocGholish and FakeUpdate Evolved Threats in Browser-Based Attacks
Threat Group: TA569 (SocGholish operators)
Threat Type: Malware Delivery via Fake Update Alerts
Exploited Vulnerabilities: Compromised websites with JavaScript injection
Malware Used: SocGholish (FakeUpdate), NetSupport RAT, Raspberry Robin Worm
Threat Score: High (8.5/10) — Effective social engineering with broad targeting and advanced persistence techniques
Last Threat Observation: October 2024
Overview
The SocGholish, or "FakeUpdate," malware is a sophisticated and pervasive threat designed to infiltrate systems through seemingly legitimate update alerts. Delivered via compromised websites, this malware lures users into downloading malicious files disguised as updates for web browsers like Chrome and Firefox. TA569, the threat actor behind this campaign, has refined SocGholish’s evasion techniques, making it difficult to detect and allowing it to deploy additional malicious payloads. In recent activity, SocGholish has also been linked to the Raspberry Robin worm and various other infostealers, aiming at both data theft and network expansion.
Key Details
- Delivery Method: Fake browser update prompts appear on compromised sites, directing users to download malicious JavaScript files within ZIP archives.
- Primary Targets: Windows OS browsers, particularly Chrome, Edge, and Firefox users.
- Functions and Capabilities:
- Remote Access: Through NetSupport RAT, allowing attackers full control over the infected device.
- Data Theft and Network Mapping: Collection of data such as domain trusts, usernames, and system details for further exploitation.
- Persistence Techniques: Scheduled tasks, registry keys, and WMI calls ensure malware remains active across system reboots.
- Payloads: Raspberry Robin worm and additional modules like Lumma stealer, which exfiltrate sensitive data and increase lateral movement in networks.
Attack Vectors
The SocGholish campaign utilizes a multi-stage infection process:
- Initial Access: Users are redirected to malicious fake update pages on compromised sites, where they are tricked into downloading a ZIP archive containing JavaScript.
- Execution and Installation: The JavaScript file is executed via
WScript.exe, triggering a PowerShell command to download the actual malware payload, often the NetSupport RAT. - System Profiling and Persistence: WMI and registry manipulations embed SocGholish deeply into the system, ensuring it survives reboots and logs user information.
- Follow-up Payloads: Recent campaigns have leveraged the Raspberry Robin worm, which infects removable drives to spread within corporate networks, increasing the malware’s reach.
Known Indicators of Compromise (IoCs)
Domains
| arubapalmrealtor[.]com | cuansurga[.]cam | adullamglobal[.]com |
|---|---|---|
| solcongeneral[.]com | deltaldcenter[.]com | vjkillianco[.]com |
| saveourmalta[.]com | 10086623[.]top | tqshoes[.]shop |
| raptwinter[.]shop | bailingla[.]com | milan77burn[.]top |
| y553488469[.]top | sn4k[.]top | vfeevf[.]com |
| oldwetcat[.]com | zza5topk1or1[.]skin | megaarmshop[.]com |
| unsbrtng[.]cfd | ggoryo[.]com | souguru[.]com |
| robotprintmoney[.]com | tratoragricola[.]com | yaseraljazeera[.]com |
| jerescarla[.]com | shaoriffandco[.]com | tecstify[.]com |
| thehyperfocus[.]quest | indoprimitiveart[.]com |
URLs
| hxxps://arubapalmrealtor[.]com/work/original.js | hxxps://arubapalmrealtor[.]com/work/fix.php |
|---|---|
| hxxps://arubapalmrealtor[.]com/work/index.php | hxxps://arubapalmrealtor[.]com/work/das.php |
| hxxps://cuansurga[.]cam/work/original.js | hxxps://cuansurga[.]cam/work/index.php |
| hxxps://cuansurga[.]cam/work/fix.php | hxxps://cuansurga[.]cam/work/das.php |
| hxxps://adullamglobal[.]com/work/fix.php | hxxps://adullamglobal[.]com/work/index.php |
| hxxps://adullamglobal[.]com/work/original.js | hxxps://adullamglobal[.]com/work/das.php |
| hxxps://solcongeneral[.]com/work/fix.php | hxxps://solcongeneral[.]com/work/das.php |
| hxxps://solcongeneral[.]com/work/original.js | hxxps://solcongeneral[.]com/work/index.php |
| hxxps://deltaldcenter[.]com/work/original.js | hxxps://deltaldcenter[.]com/work/index.php |
| hxxps://deltaldcenter[.]com/work/fix.php | hxxps://deltaldcenter[.]com/work/das.php |
| hxxps://vjkillianco[.]com/work/fix.php | hxxps://vjkillianco[.]com/work/das.php |
| hxxps://vjkillianco[.]com/work/original.js | hxxps://vjkillianco[.]com/work/index.php |
| hxxps://saveourmalta[.]com/work/original.js | hxxps://saveourmalta[.]com/work/index.php |
| hxxps://saveourmalta[.]com/work/fix.php | hxxps://saveourmalta[.]com/work/das.php |
| hxxps://10086623[.]top/font/original.js | hxxps://10086623[.]top/font/index.php |
| hxxps://10086623[.]top/font/fix.php | hxxps://10086623[.]top/font/ddud.php |
| hxxps://tqshoes[.]shop/font/original.js | hxxps://tqshoes[.]shop/font/index.php |
| hxxps://tqshoes[.]shop/font/fix.php | hxxps://tqshoes[.]shop/font/ddud.php |
| hxxps://raptwinter[.]shop/font/fix.php | hxxps://raptwinter[.]shop/font/original.js |
| hxxps://raptwinter[.]shop/font/index.php | hxxps://raptwinter[.]shop/font/das.php |
| hxxps://bailingla[.]com/font/original.js | hxxps://bailingla[.]com/font/index.php |
| hxxps://bailingla[.]com/font/fix.php | hxxps://bailingla[.]com/font/das.php |
| hxxps://milan77burn[.]top/font/original.js | hxxps://milan77burn[.]top/font/index.php |
| hxxps://milan77burn[.]top/font/fix.php | hxxps://milan77burn[.]top/font/das.php |
| hxxps://y553488469[.]top/font/original.js | hxxps://y553488469[.]top/font/index.php |
| hxxps://y553488469[.]top/font/fix.php | hxxps://y553488469[.]top/font/das.php |
| hxxps://sn4k[.]top/font/original.js | hxxps://sn4k[.]top/font/index.php |
| hxxps://sn4k[.]top/font/das.php | hxxps://sn4k[.]top/font/fix.php |
| hxxps://vfeevf[.]com/font/original.js | hxxps://vfeevf[.]com/font/index.php |
| hxxps://vfeevf[.]com/font/das.php | hxxps://vfeevf[.]com/font/fix.php |
| hxxps://oldwetcat[.]com/trade/fix.php | hxxps://oldwetcat[.]com/trade/di.php |
| hxxps://oldwetcat[.]com/trade/index.php | hxxps://oldwetcat[.]com/trade/original.js |
| hxxps://zza5topk1or1[.]skin/trade/original.js | hxxps://zza5topk1or1[.]skin/trade/index.php |
| hxxps://zza5topk1or1[.]skin/trade/fix.php | hxxps://zza5topk1or1[.]skin/trade/d.php |
| hxxps://megaarmshop[.]com/trade/original.js | hxxps://megaarmshop[.]com/trade/index.php |
| hxxps://megaarmshop[.]com/trade/fix.php | hxxps://megaarmshop[.]com/trade/d.php |
| hxxps://unsbrtng[.]cfd/trade/index.php | hxxps://unsbrtng[.]cfd/trade/fix.php |
| hxxps://unsbrtng[.]cfd/trade/original.js | hxxps://unsbrtng[.]cfd/trade/da.php |
| hxxps://ggoryo[.]com/trade/original.js | hxxps://ggoryo[.]com/trade/index.php |
| hxxps://ggoryo[.]com/trade/fix.php | hxxps://ggoryo[.]com/trade/da.php |
| hxxps://souguru[.]com/trade/original.js | hxxps://souguru[.]com/trade/index.php |
| hxxps://souguru[.]com/trade/fix.php | hxxps://souguru[.]com/trade/d.php |
| hxxps://robotprintmoney[.]com/trade/original.js | hxxps://robotprintmoney[.]com/trade/index.php |
| hxxps://robotprintmoney[.]com/trade/fix.php | hxxps://robotprintmoney[.]com/trade/d.php |
| hxxps://tratoragricola[.]com/trade/original.js | hxxps://tratoragricola[.]com/trade/index.php |
| hxxps://tratoragricola[.]com/trade/fix.php | hxxps://tratoragricola[.]com/trade/d.php |
| hxxps://yaseraljazeera[.]com/trade/original.js | hxxps://yaseraljazeera[.]com/trade/fix.php |
| hxxps://yaseraljazeera[.]com/trade/index.php | hxxps://yaseraljazeera[.]com/trade/d.php |
| hxxps://jerescarla[.]com/trade/original.js | hxxps://jerescarla[.]com/trade/index.php |
| hxxps://jerescarla[.]com/trade/fix |
Mitigation and Prevention
- User Awareness and Training: Users should only trust official sources for browser updates and be wary of pop-up update prompts on non-official sites.
- Endpoint Protection: Deploy advanced antivirus and EDR solutions that can detect obfuscated JavaScript and monitor for unusual script activity.
- Firewall and SIEM Monitoring: Configure network defenses to detect connections to known malicious domains associated with SocGholish campaigns.
- Scheduled Task Monitoring: Identify unexpected registry modifications or scheduled tasks, commonly used for persistence.
Conclusion
SocGholish's adaptability and ability to persist undetected underscore the necessity of a multi-layered security approach, combining user training, behavioral detection, and proactive threat monitoring. The malware’s tendency to embed itself deeply in system processes and propagate through additional payloads like Raspberry Robin poses a growing risk, particularly to organizations without strong endpoint defenses.