WebDAV & SCF Exploits Fuel Credential Heists
SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often delivering payloads like Cobalt Strike and, more recently, RansomHub ransomware.
Darktrace’s Threat Research team has tracked multiple incidents since January 2025, where threat actors exploited SocGholish to compromise networks through fake browser updates and JavaScript-based attacks on vulnerable CMS platforms like WordPress.
By injecting malicious scripts into HTML or external resources of legitimate websites, attackers redirect unsuspecting users to counterfeit update pages, tricking them into downloading ZIP files containing SocGholish loaders.
One such case involved the compromised site garagebevents[.]com, initiating data downloads and subsequent connections to Keitaro Traffic Distribution System (TDS) domains like packedbrick[.]com for payload retrieval, as observed in Darktrace’s device event logs.
Innovative Credential Theft via WebDAV and SCF Tactics
Post-infection, SocGholish campaigns reveal sophisticated credential access techniques leveraging legacy protocols.
Darktrace analysts identified instances where infected devices attempted forced authentication using Web Distributed Authoring and Versioning (WebDAV) to external endpoints like 161.35.56[.]33.
This protocol, natively supported by Windows, enables remote file management over HTTP, prompting automatic NTLM authentication attempts that expose user hashes to attackers for offline cracking.
In a parallel tactic, attackers uploaded malicious Shell Command Files (SCF) named ‘Thumbs.scf’ to internal SMB shares, embedding UNC paths to the same external IP.
When users accessed these shares, their systems unwittingly sent NTLM hashes to attacker-controlled servers, facilitating lateral movement without direct outbound initiation from the infected host.
These methods underscore a deliberate shift toward exploiting passive internal exposure and system-level behaviors for credential theft.
Additionally, post-compromise activities often include Python-based backdoors, with affected devices connecting to files.pythonhosted[.]org for package downloads, ensuring persistent access.
Darktrace further noted SocGholish’s command-and-control (C2) communications over HTTPS on port 443, followed by connections to RansomHub infrastructure using defense evasion tactics like port-hopping across non-standard ports (e.g., 2308, 2311).
This technique disguises C2 traffic, bypassing basic egress filters and enhancing the malware’s stealth.
The seamless integration of SocGholish with ransomware affiliates highlights a growing synergy in cybercriminal ecosystems, where initial access loaders fuel expansive network compromises.
As attackers refine their post-exploitation playbooks, tracking these evolving kill chains becomes paramount to preempt ransomware deployment.
Indicators of Compromise (IoCs)
| Indicator | Value | Description |
|---|---|---|
| garagebevents[.]com | 35.203.175[.]30 | Possibly compromised website |
| packedbrick[.]com | 176.53.147[.]97 | Keitaro TDS domain for SocGholish delivery |
| rednosehorse[.]com | 176.53.147[.]97 | Keitaro TDS domain for SocGholish delivery |
| blackshelter[.]org | 176.53.147[.]97 | Keitaro TDS domain for SocGholish delivery |
| blacksaltys[.]com | 176.53.147[.]97 | Keitaro TDS domain for SocGholish delivery |
| virtual.urban-orthodontics[.]com | 185.76.79[.]50 | SocGholish distribution endpoint |
| msbdz.crm.bestintownpro[.]com | 166.88.182[.]126 | SocGholish C2 endpoint |
| RansomHub Python C2 | 185.174.101[.]240 | RansomHub C2 infrastructure |
| RansomHub Python C2 | 185.174.101[.]69 | RansomHub C2 infrastructure |
| RansomHub Python C2 | 108.181.182[.]143 | RansomHub C2 infrastructure |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
