Threat advisory: SocGholish malware

Todyl Detection Engineering Team
January 18, 2024

High-level summary:

  • SocGholish, also known as FakeUpdates, has existed since 2018 and is widely associated with the Russia-based cybercriminal entity Evil Corp.
  • The malware family utilizes drive-by downloads typically disguised as software updates to gain initial access.  
  • Drive-by download techniques are dangerous because they enable the automatic and stealthy installation of malicious software on a user's device without their knowledge or consent, often exploiting vulnerabilities in software or browsers. These types of attacks are much more likely to succeed and can impact a wider range of targets.    
  • SMBs can be the most vulnerable to these types of attacks, especially if they consider themselves too small to be targeted.
  • After a leading Endpoint Detection and Response (EDR) company missed key tactics, techniques, and procedures (TTPs) Todyl’s Managed eXtended Detection and Response (MXDR) team observed a unique strain of SocGholish on an end-user's device. The team alerted the partner of the malicious activity and wiped the device before the ransomware could be executed.  

Overview of SocGholish

SocGholish is a type of malware leveraged by numerous threat actor groups. The malware is known for its “drive-by” download method used to initially infect a device. A drive-by download is a malicious program that installs automatically to a device without the user's consent.  

SocGholish utilizes drive-by downloads to deliver a malicious JavaScript payload. Historically this JavaScript file is delivered via a Zip file disguised as a browser update. However, SocGholish has also been observed gaining initial access when a user visits a compromised website and downloads a malicious file. Figure one below details the typical SocGholish attack chain.  

The malware has been active since at least April 2018 and security researchers have tied it to groups such as Evil Corp, TA569, Gold Drake, and UNC2165.

Key characteristics

SocGholish is a dangerous malware strain because it disguises its malicious payloads to avoid detection, allowing it to carry out its destructive work on infected systems undisturbed. SocGholish uses "staging servers" to download and activate its malicious payloads. This means the malware does not inject all its malicious code into the victim's system simultaneously, making detection more difficult. Instead, it downloads small pieces of code from the staging servers to build and activate itself step by step. This process often occurs in encrypted chunks, making it even harder for security solutions to detect.

Incidents involving SocGholish can progress very quickly. The malware has been observed deploying the Cobalt Strike red team tool within 10 minutes of the initial compromise occurring. Cobalt Strike allows threat actors to perform post exploitation activities, such as escalating privileges and moving laterally in the victim environment, often culminating in ransomware deployment. Recent ransomware payloads delivered through SocGholish include LockBit and WastedLocker.

Details on Todyl’s investigation

Todyl’s MXDR team received an alert that an anomalous PowerShell script was running on a partner’s endpoint. Todyl’s team alerted the partner immediately that the file was malicious and guided them through remediation before it could affect the customer environment.

Following initial analysis and response, the MXDR team reverse engineered the PowerShell script to build new detections into the Todyl platform and help the partner and their client fully understand the scope of the attempted attack.

The script was heavily encrypted and leveraged several obfuscation techniques to bury its true purpose within lines of seemingly meaningless numbers.  

Ultimately, the team determined that the script ran a command within PowerShell that used the infected system to create a website that hosted and downloaded the adversary’s malware sample. Built within this command was the ability to terminate and deactivate the site after three days to cover SocGholish’s tracks, hosting a new site whenever the script was run again.

Thankfully, as of the time of publishing, the threat actors have rendered their malware useless by purposefully removing the final payload from their hosted C2 server, so no additional effects arose while understanding the scope of the attack. This, of course, means that no one can understand the goal of the attack, but the Todyl team is working to dig into its nature and build further detections within our security platform to prevent future impact.

Click here to learn more about how Todyl’s Detection Engineering team reverse engineered the PowerShell script.

Impact on organizations and recommended next steps

SocGholish leverages social engineering to capitalize on human error and infiltrate organizations, which means that no business, regardless of size, industry, or resources, is completely safe. SMBs can be the most vulnerable, especially if they consider themselves too small to be targeted. Threats like those created by SocGholish always lurk on the internet, and users can grant access to threat actors with just the click of a button.  

Once an environment is compromised, stopping the spread is very difficult and the consequences can be devastating for SMBs. Attacks like this paralyze business operations and are extremely costly and time-consuming to remediate.  

Threat detection and prevention is crucial for defending against these types of attacks. With Todyl’s  Security Information and Event Management (SIEM), EDR, and MXDR businesses gain the visibility and human touch to help service providers shift from a reactive model to a preventative approach, stopping malware attacks from happening in the first place.  

Because many of the attacks from SocGholish are hidden within encrypted PowerShell scripts, a traditional firewall and antivirus will not detect the malicious behavior. Not only does Todyl’s SIEM ingest PowerShell scripts beyond the endpoint, our team is consistently rolling out our new detection rules to monitor and detect the most recent TTPs.  

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I joined Todyl: Mike Hanauer
How to increase trust with cyber insurance carriers
Why MDR platform breadth and depth matters

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.