SocGholish
Associated Software Descriptions

| Name | Description |
|---|---|
| FakeUpdates | (Citation: Red Canary SocGholish March 2024) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | The SocGholish payload is executed as JavaScript.(Citation: SocGholish-update)(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | SocGholish can send output from `whoami` to a local temp file using the naming convention `rad<5-hex-chars>.tmp`.(Citation: Red Canary SocGholish March 2024) |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | SocGholish can exfiltrate data directly to its C2 domain via HTTP.(Citation: Red Canary SocGholish March 2024) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SocGholish has been named `AutoUpdater.js` to mimic legitimate update files.(Citation: SocGholish-update) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) SocGholish has also single- or double-Base64-encoded references to its second-stage server URLs.(Citation: SentinelOne SocGholish Infrastructure November 2022) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | SocGholish has been spread via emails containing malicious links.(Citation: SocGholish-update) |
| Enterprise | T1204.001 | User Execution: Malicious Link | SocGholish has lured victims into interacting with malicious links on compromised websites for execution.(Citation: SocGholish-update) |
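Two of the behaviours in the table above lend themselves to simple defender-side checks: the `rad<5-hex-chars>.tmp` staging file name (T1074.001) and the single- or double-Base64-encoded second-stage URLs (T1027.013). The Python below is an added example written for this page; it is not code from ATT&CK or from any of the cited reports. The file-event log format, the process names, and the `stage2.example.invalid` URL are all constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample file-creation events: "<process> <action> <path>".
# This format is an assumption for the example, not any product's real log schema.
SAMPLE_FILE_EVENTS = [
    "wscript.exe CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\rad3F1A9.tmp",
    "wscript.exe CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\radB00C1.tmp",
    "notepad.exe CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\rad3F1A9.txt",
    "wscript.exe CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\radiator.tmp",
    "explorer.exe CREATE C:\\Users\\alice\\Documents\\report.docx",
]

# Exactly "rad" + five hex digits + ".tmp" as the final path component;
# "radiator.tmp" or "rad3F1A9.txt" must not match.
RAD_TMP = re.compile(r"(?:^|[\\/])rad[0-9A-Fa-f]{5}\.tmp$")


def find_rad_tmp_files(events):
    """Return (process, path) for every CREATE event whose path matches rad<5 hex>.tmp."""
    hits = []
    for line in events:
        proc, action, path = line.split(" ", 2)
        if action == "CREATE" and RAD_TMP.search(path):
            hits.append((proc, path))
    return hits


def decode_base64_layers(blob, max_layers=2):
    """Peel up to max_layers of Base64 from blob.

    Returns (url, layers_removed) as soon as an http(s) URL emerges,
    or None if decoding fails or no URL appears within max_layers.
    """
    current = blob
    for layer in range(1, max_layers + 1):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            return None
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return decoded, layer
        current = decoded
    return None


# Base64-looking runs inside a script; 12+ symbols avoids most identifiers.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def extract_encoded_urls(script_text, max_layers=2):
    """Find every Base64 token in script_text that decodes (in 1..max_layers steps) to a URL."""
    found = []
    for token in B64_TOKEN.findall(script_text):
        result = decode_base64_layers(token, max_layers)
        if result:
            found.append(result)
    return found


# Constructed sample: a placeholder second-stage URL, encoded once and twice,
# embedded in a JavaScript snippet alongside a harmless Base64 string.
STAGE2_URL = "https://stage2.example.invalid/report.php"
SINGLE = base64.b64encode(STAGE2_URL.encode()).decode()
DOUBLE = base64.b64encode(SINGLE.encode()).decode()
SAMPLE_SCRIPT = (
    'var a = "' + SINGLE + '";\n'
    'var b = "' + DOUBLE + '";\n'
    'var c = "SGVsbG8gd29ybGQ=";\n'  # "Hello world", not a URL
)

if __name__ == "__main__":
    for proc, path in find_rad_tmp_files(SAMPLE_FILE_EVENTS):
        print(f"staging-file candidate: {proc} -> {path}")
    for url, layers in extract_encoded_urls(SAMPLE_SCRIPT):
        print(f"encoded URL ({layers} layer(s)): {url}")
```

The file-name check is deliberately strict about the five hex characters and the `.tmp` suffix so that ordinary temp files do not fire; in practice the creating process (a script host such as `wscript.exe`) is the useful second signal. The URL extractor stops peeling as soon as a URL parses, so a once-encoded and a twice-encoded reference are both recovered with the layer count reported.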
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1020 | Mustard Tempest | (Citation: SocGholish-update) (Citation: Microsoft Ransomware as a Service) (Citation: Secureworks Gold Prelude Profile) |
References
- Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
- Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
- Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
- Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.