The SocGholish malware family has been haunting the digital realm for over five years. It was first seen in the wild in April 2018, according to Red Canary. It has used a variety of tactics to elude detection, but its overall end goal remains the same: gaining initial access.
Building on this specialty, its operators sell SocGholish as a service to other malware and ransomware threat actors, who use that access to drop their own payload as a follow-on attack.
SocGholish has been able to survive for over five years because its techniques keep it difficult to detect and stop. Its primary distribution methods are drive-by downloads and phishing campaigns that drop a .zip or .js file that users are tricked into launching.
It uses masquerading techniques to evade detection by users and security software, most commonly posing as a software update for a web browser, although fake Microsoft Teams and Adobe installers have also been observed.
In addition to masquerading, SocGholish is selective about its targets and the environments and systems it attacks. According to Proofpoint, its operators use Traffic Directing Services (TDS) to:
- determine if targets are acceptable
- obscure the attack
The follow-on scripts, payloads, and C2 subdomain are customized for the victim's system or environment, which prevents incident responders from analyzing, reproducing, or collecting information about the attack after the fact or outside the infected environment.
The final payload will ultimately be determined by the threat group using SocGholish to gain initial access. That said, the attack pattern has shown they typically use a Batch or PowerShell script to gain persistence in the registry and then detonate their final payload. This payload may be a remote access trojan (RAT), ransomware, or other malware variant.
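As an added detection example (not code from the original article or from any vendor it cites), the following Python flags process-creation events that match the chain described above: a script host running a .js from a user's download folder under a browser-update lure name, a script host spawning a shell, and a Run-key write used for persistence. The events, rule names, path and lure patterns are constructed assumptions, not indicators from the article.

```python
import re

# Constructed process-creation events (not real telemetry), in the style of
# a Sysmon Event ID 1 record: parent image, child image and command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update.js"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c <constructed-stage-2>"},
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Tools\build\deploy.js"'},  # benign admin script
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmd": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
            r'/v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\up.bat'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A .js file sitting where a browser or mail client would have saved it.
USER_DROP_RE = re.compile(
    r'\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\[^\\"]+\.js\b', re.I)
# File name styled as a browser, Teams or Adobe update/installer (assumed lure set).
LURE_RE = re.compile(
    r"(chrome|firefox|edge|opera|teams|adobe)[\w.\-]*(update|install|setup)", re.I)
# Writes to the per-user autostart keys, the persistence step the article describes.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)


def detect(events):
    """Return (event_index, rule_name) pairs for events matching a SocGholish-style pattern."""
    hits = []
    for i, ev in enumerate(events):
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
        if image in SCRIPT_HOSTS and USER_DROP_RE.search(cmd):
            hits.append((i, "js_from_user_download_dir"))
            if LURE_RE.search(cmd):  # lure name raises confidence, on its own it is weak
                hits.append((i, "software_update_lure_name"))
        if image in SHELLS and parent in SCRIPT_HOSTS:
            hits.append((i, "script_host_spawned_shell"))
        if RUN_KEY_RE.search(cmd):
            hits.append((i, "run_key_persistence"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['cmd']}")
```

Each rule alone will produce false positives on admin scripting; correlating them on one host within a short window is what makes the chain worth alerting on.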