Threat actors have been using the JavaScript-based framework SocGholish since 2017 to obtain initial access to computers. To infect systems, SocGholish employs social engineering. It deceives users into running a malicious JavaScript payload that poses as a necessary system or software update, such as a browser update.
Recent operations by SocGholish operators have involved introducing a drive-by-download technique that causes the payload to be downloaded through a second-stage server, infecting reliable websites. An incident involving a media company’s web assets that were used by numerous major news sites is a recent noteworthy case.
There have been reports of approximately 25000 freshly infected websites since the start of 2022. It demonstrates the rapid rate at which SocGholish operators infiltrate websites to create initial points of contact with victims. We see significant evidence that SocGholish operators have been rapidly deploying new second-stage servers since mid-2022.
After acquiring access to SocGholish, attackers engage in a range of operations, including system and network reconnaissance, establishing persistence, and the introduction of further tools and malware. This includes ransomware like WastedLocker which is linked to threat actor EvilCorp. Also remote access tools like Cobalt Strike and NetSupport.
Expanding and Diversifying SocGholish’s Server Infrastructure
Since mid-2022, SocGholish operators have introduced new second-stage servers at a rate that is far higher than it was previously — on average 18 servers each month.
The SocGholish operators only added 3.5 servers each month, or 21 servers, throughout the first half of 2022. The company introduced 73 new second-stage servers between July and October 2022. In comparison to the same average figure computed throughout the first half of 2022, this represents a rise of 334 percent. The servers have been running for varying durations of time, including days, weeks, and months.
The inclusion of new second-stage servers aids SocGholish operators in thwarting protective actions against well-known servers in addition to scaling up the malware staging operation. This encompasses both the detection of network traffic to well-known servers. And any subsequent responses, such as endpoint- or network-level server denylisting.
Geographically, the Netherlands hosts 28 of the 73 new servers, accounting for the majority of the continent’s new servers.
They noticed that a significant portion of the servers is located in shadowed domains. The domains are subdomains built by attackers concealed inside of real domains that have been compromised. The SocGholish operators can benefit from the trustworthy nature of the hacked domains and avoid detection by employing domain shadowing.
A second-stage server hosted on the Amazon Web Services domain d2j09jsarr75l2[.]cloudfront.net is a recent exception to the use of domain shadowing. It will be interesting to see if using public cloud infrastructure develops into a SocGholish trend.
Our findings are based on a retrospective data analysis of submission-based databases urlscan.io. And VirusTotal focused on URLs in the above-mentioned forms, given the global influence of SocGholish.
Conclusion
Since 2017, SocGholish has been operational. Since mid-2022, SocGholish operators have been dramatically growing and broadening their malware staging infrastructure while continuing to attack websites on a vast scale. In order to identify and take precautions against website infections and domain shadowing. It is crucial to routinely assess the security posture and integrity of web servers, websites, and DNS records. This is made especially important by SocGholish’s success in surviving on the threat landscape.
