Executive Summary

  • First Identified: 2018
  • Malware Type:
    • Loader Malware
  • Previously Targeted Industries:
    • Healthcare
    • Utilities
    • Technology
  • Previously Targeted Victim HQ Locations:
    • North America
    • Europe
  • Known Associations:
    • Blister Loader
    • DEV-0206
    • Evil Corp
    • LockBit Ransomware
    • NetSupport RAT

Description of SocGholish Loader Malware

SocGholish (AKA FakeUpdates) has been active since at least April 2018 and is widely associated with the Russia-based cybercriminal group Evil Corp. The malware is deployed by multiple threat groups, which indicates it operates as malware-as-a-service (MaaS).

The malware is typically delivered via drive-by downloads and phishing campaigns that drop a .zip or .js file the victim is tricked into launching. SocGholish is commonly observed masquerading as a web browser update or as fake Microsoft Teams or Adobe installer files.

The malware has been observed using traffic distribution systems (TDS) to filter visitors, so that only acceptable targets receive the payload, and to obscure the attack chain from researchers. Unlike many MaaS offerings, SocGholish operators appear to be selective about the targets and environments/systems they infect.

The victim downloads the fake update or installer, an archive file containing the embedded SocGholish JavaScript payload. Once executed, the JavaScript payload establishes a command and control (C2) channel and relays system information gathered from the compromised endpoint. SocGholish has been observed using the wevtutil command for discovery objectives, which is uncommon because that utility is more often abused for defense evasion (clearing event logs) than for reconnaissance.

SocGholish has been observed using WMIC to execute a command that disables Windows Restricted Admin Mode. When Restricted Admin Mode is in effect, the credentials used to connect to a remote system via RDP are not sent to that system and therefore are not stored in its memory. It is likely the mode was disabled so that the credentials of anyone who later connects to this device via RDP can be harvested from memory.
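The two post-infection behaviours described above (wevtutil used for discovery rather than log clearing, and a WMIC-launched change to Restricted Admin Mode) are both visible in process-creation telemetry. The following Python is an added detection example written for this page; it is not Blackpoint's code and not SocGholish's. The sample events are constructed to resemble Sysmon Event ID 1 / Security 4688 fields, and the specific command lines (the 4624 logon query, the `reg add` invocation) are hypothetical illustrations of the behaviour, not commands quoted from an incident. The one concrete Windows detail relied on is real: Restricted Admin Mode is controlled by the `DisableRestrictedAdmin` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, where 1 (or an absent value) means the mode is disabled and 0 means it is enabled. Because setting the value to 0 also has an abuse case (pass-the-hash over RDP), the rule flags any modification and explains which direction the change goes.

```python
"""
Detection logic for two SocGholish post-infection behaviours:
  1. wevtutil.exe used for discovery (querying/enumerating logs) rather than clearing them
  2. a process modifying the DisableRestrictedAdmin LSA value (observed via WMIC)
All sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# wevtutil verbs that read or enumerate logs (discovery) vs. the verb that clears them.
WEVTUTIL_DISCOVERY_VERBS = {"qe", "query-events", "gl", "get-log", "el", "enum-logs",
                            "gp", "get-publisher", "ep", "enum-publishers"}
WEVTUTIL_CLEAR_VERBS = {"cl", "clear-log"}

# Real LSA value controlling Restricted Admin Mode: 1 or absent = disabled, 0 = enabled.
# The optional group captures the DWORD written by "reg add ... /d <n>".
RESTRICTED_ADMIN_RE = re.compile(r"DisableRestrictedAdmin\b(?:.*?/d\s+(\d+))?", re.IGNORECASE)

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style fields).
SAMPLE_EVENTS = [
    {"host": "WS-1043", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": 'wevtutil.exe qe Security /q:"*[System[(EventID=4624)]]" /c:50 /f:text'},
    {"host": "WS-1043", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic process call create "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
                ' /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f"'},
    {"host": "SRV-02", "user": "CORP\\backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Application"},          # log clearing: evasion, not discovery
    {"host": "WS-0077", "user": "CORP\\asmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


@dataclass
class Finding:
    rule: str
    host: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_wevtutil(ev: dict):
    """Classify wevtutil usage by its verb; script-host parents raise severity."""
    if _basename(ev["image"]) != "wevtutil.exe":
        return None
    tokens = ev["cmdline"].split()
    verb = tokens[1].lower() if len(tokens) > 1 else ""
    parent = _basename(ev["parent"])
    if verb in WEVTUTIL_DISCOVERY_VERBS:
        sev = "high" if parent in SCRIPT_HOSTS else "medium"
        return Finding("WEVTUTIL_DISCOVERY", ev["host"], sev,
                       f"event-log query via {verb!r} spawned by {parent}")
    if verb in WEVTUTIL_CLEAR_VERBS:
        return Finding("WEVTUTIL_CLEAR_LOG", ev["host"], "medium",
                       f"event log cleared: {ev['cmdline']}")
    return None


def check_restricted_admin(ev: dict):
    """Flag any command line touching DisableRestrictedAdmin and explain the effect."""
    m = RESTRICTED_ADMIN_RE.search(ev["cmdline"])
    if not m:
        return None
    value = m.group(1)  # None when the value is deleted or no /d was given
    if value == "0":
        meaning = "Restricted Admin ENABLED: pass-the-hash over RDP becomes possible"
    else:
        meaning = "Restricted Admin DISABLED: RDP logon credentials will be cached on this host"
    return Finding("RESTRICTED_ADMIN_TAMPER", ev["host"], "high",
                   f"{meaning} (set via {_basename(ev['image'])}, value={value or 'deleted/unspecified'})")


def scan(events):
    """Run every check over every event; returns findings in event order."""
    findings = []
    for ev in events:
        for check in (check_wevtutil, check_restricted_admin):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.rule:24} {f.host:8} {f.detail}")
```

Run against the constructed events, the scan produces three findings: a high-severity discovery hit for the log query spawned from wscript.exe, a high-severity Restricted Admin tamper for the WMIC-launched `reg add`, and a medium-severity log-clear for the cmd.exe-spawned `wevtutil cl`; the notepad event produces nothing. In production the same two checks would run over your EDR or Sysmon feed, and the wevtutil rule should be tuned by parent process, since administrators also query logs from cmd.exe and PowerShell.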

In August 2023, security researchers with ReliaQuest reported that SocGholish was one of the top three malware loaders observed in 2023. SocGholish reportedly accounted for 27% of observed infections, behind Qakbot (30%) and ahead of Raspberry Robin (23%).
