Sangria Tempest, SocGholish, and BITS Download

Sangria Tempest is a financially motivated cybercriminal group that has focused on operations that have led to data theft, extortion, and ransomware deployment.

Operating since at least 2012, Sangria Tempest got its start with point-of-sale (PoS) and ATM malware deployments for stealing payment card data, with attribution credit for multiple custom malware variants – including JSSLoader and Griffon (1).

In 2020, Sangria Tempest switched to ransomware for financial gain, including operating with the Maze and REvil Ransomware-as-a-Service (RaaS) operations. Security researchers also attribute the DarkSide ransomware and BlackMatter operations – both of which closed in 2021 – to the Sangria Tempest group. operation, which closed operations in 2021, and BlackMatter, which closed in 2021 as well. (1)

Despite reports of multiple key members arrested in 2018 and 2020, the Sangria Tempest criminal group is still active. Today, they:

• Conduct (often successful) financially motivated attack campaigns
• Developing malware variants, for themselves and other threat groups
• Create fake companies to help recruit “employees” to their operations (1)

In 2023, Microsoft security researchers reported that Sangria Tempest delivered EugenLoader through malicious MSIX package installations. The group also used Google ad lures to trick victims into downloading MSIX app packages to deliver POWERTRASH – an obfuscated PowerShell script, in a similar file name and approach seen in this specific Blackpoint incident. (2)

During a BEC, cybercriminals gain unauthorized access to a legitimate business email account – typically through phishing or credential theft – and mine the inbox and outbox for additional information on the organization. They can even send emails from the legitimate account internally to other employees, pretending to be the compromised user, increasing the believability of their requests for wire transfers and proprietary data exfiltrations (3).

The APG recommends the following actions to help mitigate malicious activities conducted by Sangria Tempest and other financially motivated threat groups.

• Conduct employee security awareness training to ensure employees are aware of what basic phishing emails – and malvertising campaigns! – look like, and are more cautious about opening email attachments.
• Implement environmental user activity monitoring to detect unusual patterns that may indicate malicious threat actor behavior.
• Create and implement an organization-wide secure password policy to ensure employees’ passwords are not reused and meet minimum strength requirements, lowering the risk of brute force, password spraying, and other credential attacks.
  • Consider paying for and implementing password managers on managed organizational devices, too, which can be configured to enforce these password requirements for you!
• Design, test, and (when needed) implement an IRP that covers the processes for:
  • Data backup and restoration
  • Internal and external notifications, to include organizational partners, cyber insurance carriers, legal firms, impacted vendors, team members, and law enforcement
  • Business continuity during incident response and disaster recovery efforts

SocGholish

Active since at least 2018, SocGholish is a malware family, often used by a wide variety of threat actors to deploy other malware – including ransomware (5). At the end of 2023, ReliaQuest researchers found SocGholish to be the second most used loader malware (6).

Based on APG analyzed data from Blackpoint managed environments and incidents, we have seen SocGholish used in LockBit ransomware campaigns, delivering LockBit as the final payload.

ActiveX

An ActiveX control is a software program for Internet Explorer that can activates and runs pre-scripted functionality after a web page loads. Threat actors can abuse ActiveX to communicate with devices, masquerading as legitimate software in order to gain initial access to a victim’s system (7).

The APG predicts that threat actors such as SocGholish will likely continue to mask malicious activity via legitimate applications such as ActiveX over the next 12 months.

We base this assessment on our own internal activity metrics, and extrapolation from previous incidents as reported by other research firms.

For example, in 2022, Cyberreason security researchers reported a SocGholish campaign abusing ActiveX to establish connections to attacker-controlled endpoints and to issue POST requests, downloading and executing additional malicious content in an attack very similar to the one attempted on this Technology partner’s device (8).

The APG recommends the following actions to help mitigate the malicious activity of SocGholish and similar malware.

• Implement the least-privilege access controls wherever feasible. Doing so ensures that users can only access the data and resources required to complete their job functions, and – in the event of a compromised endpoint or user profile – helps prevent data exfiltration, extortion, and the threat actor’s lateral movement across environments.
• Implement application controls to block or restrict unauthorized applications from executing in suspiciously malicious ways.
  • Application allowlisting and blocklisting can also help to prevent malware that “looks” right at a glance from installing on users’ endpoints.
• Minimize the use of – or implement strict controls on – the use of scripting languages for users who do not need it, as threat actors rely on scripting languages such as JavaScript to deploy malware and conduct malicious activities. While JavaScript was not deployed in this incident, that may have only been the case because the Active-SOC caught and remediated the intrusion before it could download and execute on the compromised endpoint.

BITS is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares (10).

Threat actors abuse this process to gain persistence by creating BITS jobs that download and execute malicious code. In fact, the APG has tracked at least five ransomware operators that have used BITSadmin – a command line tool used to create, download, or upload jobs and monitor their progress – during reported Blackpoint managed environment incidents.

BITS jobs are helpful to threat actors for persistence, because they are able to survive system reboots and remain active, even when the user is not logged in (10).

Additionally – as observed in this incident – threat actors may use a double extension in the file name to aid in masquerading the file type (11). Double-extention file names can help the threat actor evade detection: some browsers, operating systems, and software will only show the first and ignore the second (true) file name extension.

The APG predicts that threat actors will likely continue to use BITS Download and double file name extensions over the next 12 months.

We base this assessment on previous Blackpoint analyzed security incidents, as well as external research and agency guidance.

For example, in 2020, Mandiant security researchers reported a campaign deploying SINGLEMALT – a loader/backdoor malware – that led to ransomware deployment (12). SINGLEMALT had been observed employing BITS to maintain persistence through reboot, by creating a BITS job to download a non-existent URL.

Additionally, in 2024, the U.S. CISA released a guidance report related to detection and mitigation for live-off-the-land (LotL) techniques, which includes the use of legitimate tools and processes such as BITS Download for malicious actions (13).

The APG recently sponsored a keynote talk reviewing original research on LotL trends and common remediations at the 2024 Right of Boom conference for MSP partners and their security teams.

The APG recommends the following actions to help mitigate the use of malicious BITS jobs and tools such as BITSadmin, as well as to block malicious files with double extension names.

• As always, conduct employee security awareness training to ensure employees are aware of what basic phishing emails look like and are more cautious about opening email attachments. For MSPs, ensure this training trickles down to your end client users, as well!
• Segment your networks and environments, in addition to locking down commonly abused ports, to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments should one become compromised.
• Similar to our earlier incident, least-privilege access controls can limit threat actors’ from leveraging compromised user profiles and devices to either deploy additional malware, find and take relevant data, or move to another (more privileged) machine altogether.
• Conduct regular environment and endpoint audits to identify weak points, apply necessary patching requirements, and close potential infection paths. After all, you can only protect what you know exists!

1. Microsoft’s Blog: “Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself” by Microsoft Threat Intelligence on 2022 May 09
2. Blackpoint Cyber’s Blog: “Top Hacker Tactics You Should Be Aware Of” by Blackpoint Cyber on 2023 September 14
3. Cybereason’s Blog: “SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems” by Cybereason Global SOC Team
4. Blackpoint Cyber’s Blog: “SocGholish: Haunting the Digital Realm for Over Five Years” by Blackpoint Cyber on 2023 July 17
5. ReliaQuest’s Blog: “3 Malware Loaders You Can’t (Shouldn’t) Ignore” by ReliaQuest Threat Research Team on 2023 August 25
6. Zscaler’s Blog: “Outpace Attackers with AI-Powered Advanced Threat Protection” by Brendon Macaraeg on 2024 March 11
7. Joe Security LLC’s Blog: “JoeSandbox Cloud” by JoeSandbox Cloud on 2024 April 30
8. Microsoft’s Repository: “Background Intelligent Transfer Service” by Microsoft on 2021 May 25
9. ReZa AdineH’s Blog: “Abusing BITS Jobs for Persistence” on 2023 March 11
10. MITRE’s Repository: “Masquerading: Double File Extension” by MITRE on 2021 October 14
11. Mandiant’s Blog: “Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser” by Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, and Douglas Bienstock on 2024 April 11
12. CISA’s Advisory: “Identifying and Mitigating Living Off the Land Techniques” by CISA et al on 2024 February 07