URL: https://redcanary.com/threat-detection-report/threats/socgholish/
2022 Threat Detection Report
THREAT


SOCGHOLISH

SocGholish leverages drive-by-downloads masquerading as software updates to
trick visitors of compromised websites into executing malware.



Overall rank: #6

Customers affected: 5.5%


THREAT SOUNDS

Contrary to what the lead singer of Train might tell you, that sketchy software
update is in fact a SocGholish drive-by download.




ANALYSIS

SocGholish is an initial access threat that leverages drive-by downloads
masquerading as software updates. Active since at least April 2018, SocGholish
has been linked to the suspected Russian cybercrime group Evil Corp (also known
as Indrik Spider). Red Canary encountered SocGholish in a wide variety of
industry verticals in 2021, and these drive-by downloads ranked it sixth among
the most prevalent threats we track, affecting 5.5% of customers. This ranking
was fueled by an increasing number of detections as the year went on,
culminating in SocGholish peaking as the most prevalent threat we encountered in
December.

A SocGholish drive-by download occurs when an unsuspecting user visits a
compromised website and downloads a malicious ZIP file. In one incident
described by Expel earlier this year, adversaries compromised an organization's
site that was running a vulnerable version of WordPress; employee endpoints were
then infected with SocGholish drive-by downloads served directly from the
company's own website. SocGholish relies on social engineering to gain
execution, tricking users into running a malicious JavaScript payload stored
within the downloaded ZIP file (on Windows the script runs under the Windows
Script Host, wscript.exe). These files typically masquerade as browser updates,
though other lures include Adobe Flash and Microsoft Teams. Once executed, the
JavaScript payload connects back to SocGholish infrastructure, where it reports
details about the infected host and can retrieve additional malware.

In 2021, Red Canary observed NetSupport RAT and BLISTER malware delivered by
SocGholish. In the past, we have seen SocGholish deploy a Cobalt Strike payload
that led to WastedLocker ransomware. The connection between SocGholish and
BLISTER is notable, as this malware loader was only identified by Elastic in
late December 2021. Following BLISTER deployment in an environment initially
compromised with SocGholish, we detected several post-exploitation
reconnaissance behaviors on the affected endpoint.

The majority of SocGholish infections we detected did not result in a
second-stage payload, sometimes because of existing mitigations or a rapid
response that isolated the host. In most cases, we observed reconnaissance
activity that only identified the infected endpoint and user. In some cases,
Active Directory and domain enumeration followed user discovery. Both can be
precursors to lateral movement; in these cases, however, the hosts were isolated
before any lateral movement could begin. Much of the reconnaissance conducted by
the malicious JavaScript file happens in memory, with the results exfiltrated
directly via HTTP POST requests to the C2 domain, so process telemetry alone
shows little of it. One good source of insight into this behavior is script
load content, if your endpoint detection and response (EDR) sensor collects
it: that telemetry exposes the specific commands executed and the data
exfiltrated.




DETECTION OPPORTUNITIES


JAVASCRIPT EXECUTING FROM A ZIP FILE AND MAKING EXTERNAL NETWORK CONNECTIONS

Executing script content from within a ZIP file is unusual, especially when
that script goes on to make external network connections. When a user
double-clicks a .js file inside an archive opened with Windows Explorer, Windows
extracts the script to a Temp1_<archive name>.zip folder under %TEMP% before
handing it to wscript.exe, which is why both '.zip' and '.js' appear in the
command line. This detection analytic regularly identifies the initial execution
and network connections from a SocGholish JavaScript payload extracted from a
ZIP file.

process == wscript.exe
&&
command_line_includes ('.zip' && '.js')
&&
has_external_netconn


SCRIPT FILES CONDUCTING RECONNAISSANCE WITH WHOAMI AND WRITING THE OUTPUT TO A
FILE

SocGholish employs several scripted reconnaissance commands. While much of this
activity occurs in memory, one that stands out is the execution of whoami with
the output redirected to a local temp file with the naming convention
rad<5-hex-chars>.tmp. That name format is what the Windows Script Host's
FileSystemObject.GetTempName() method produces, so it corroborates that a script
created the file; key the analytic on the parent process and command line, and
treat the file name as supporting evidence rather than the trigger.

parent_process == wscript.exe
&&
process == cmd.exe
&&
command_line_includes ('whoami /all >>')


ENUMERATING DOMAIN TRUSTS ACTIVITY WITH NLTEST.EXE

Left unchecked, SocGholish may lead to domain discovery. This type of behavior
is often a precursor to ransomware activity and should be quickly contained to
prevent further progression of the threat. Administrators do run nltest
legitimately, so pivot on the process lineage and on whether the same host
recently fired the analytics above before treating a hit as SocGholish.

process == nltest.exe
&&
command_line_includes ('/domain_trusts' || '/all_trusts')
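The three analytics above, run over constructed process-start telemetry, as an added example by the editor rather than Red Canary's detection code. The ProcessEvent schema is an assumption standing in for whatever your EDR emits; the sample events, paths and user names are invented, and the rad<hex>.tmp check is included as enrichment for the whoami analytic, not as part of its trigger.

```python
"""Evaluate the SocGholish detection analytics over constructed EDR events.
Added example; the event schema and all sample data are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-start record, shaped like a typical EDR event (assumed schema)."""
    process: str                    # image path or name of the new process
    parent: str                     # image path or name of its parent
    command_line: str
    external_netconn: bool = False  # sensor saw the process reach a non-private IP


# FileSystemObject.GetTempName() in WSH produces rad<5 hex>.tmp. Any WSH script can
# create such a file, so this is enrichment, not what the analytic keys on.
RAD_TMP = re.compile(r"\brad[0-9a-f]{5}\.tmp\b", re.IGNORECASE)


def _image(name: str) -> str:
    """Normalise 'C:\\Windows\\System32\\WScript.exe' and 'wscript.exe' alike."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def js_from_zip_with_netconn(e: ProcessEvent) -> bool:
    """process == wscript.exe && command_line_includes('.zip' && '.js') && has_external_netconn.

    Explorer extracts a double-clicked archive member to %TEMP%\\Temp1_<archive>.zip\\,
    which is why both substrings show up in the wscript.exe command line."""
    cl = e.command_line.lower()
    return (_image(e.process) == "wscript.exe"
            and ".zip" in cl and ".js" in cl
            and e.external_netconn)


def whoami_to_temp_file(e: ProcessEvent) -> bool:
    """parent_process == wscript.exe && process == cmd.exe && command_line_includes('whoami /all >>')."""
    return (_image(e.parent) == "wscript.exe"
            and _image(e.process) == "cmd.exe"
            and "whoami /all >>" in e.command_line.lower())


def redirect_target_is_rad_tmp(command_line: str) -> bool:
    """Enrichment for whoami_to_temp_file: is the >> target a WSH-style rad<hex>.tmp?"""
    return RAD_TMP.search(command_line) is not None


def nltest_domain_trusts(e: ProcessEvent) -> bool:
    """process == nltest.exe && command_line_includes('/domain_trusts' || '/all_trusts')."""
    cl = e.command_line.lower()
    return _image(e.process) == "nltest.exe" and ("/domain_trusts" in cl or "/all_trusts" in cl)


ANALYTICS = (js_from_zip_with_netconn, whoami_to_temp_file, nltest_domain_trusts)


def evaluate(events):
    """Return (event index, analytic name) for every analytic that fires."""
    return [(i, a.__name__) for i, e in enumerate(events) for a in ANALYTICS if a(e)]


# Constructed sample telemetry: three events modelled on the behaviours described
# above plus two benign look-alikes. Paths, archive name and user names are invented.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_Update.zip\Update.js"',
                 external_netconn=True),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
                 r"cmd.exe /c whoami /all >> C:\Users\jdoe\AppData\Local\Temp\rad3F8A1.tmp"),
    ProcessEvent(r"C:\Windows\System32\nltest.exe", r"C:\Windows\System32\cmd.exe",
                 r"nltest /domain_trusts /all_trusts"),
    # benign: a logon script run straight from a share, no external connection
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\userinit.exe",
                 r"wscript.exe \\corp\netlogon\logon.js"),
    # benign: an admin redirecting whoami from an interactive shell
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r"cmd.exe /c whoami /all >> C:\Users\admin\Desktop\whoami.txt"),
]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
        if name == "whoami_to_temp_file":
            print("  rad<hex>.tmp target:", redirect_target_is_rad_tmp(SAMPLE_EVENTS[idx].command_line))
```

Each analytic is a standalone predicate so it can be unit-tested against captured telemetry and tuned independently; the two benign events show the conditions (no archive path plus no external connection, and a non-script parent) that keep the analytics from firing on routine administration.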
