Skip to main content

SocGholish Framework

SocGholish is an advanced delivery framework used in drive-by-download and watering hole attacks. These attacks uses sophisticated social engineering lures to convince target user to download and run malware, including ransomware and RATs.

Threat ID:
CC-3917
Category:
Browser-hijack, Loader
Threat Severity:
Low
Threat Vector:
Drive by download, Malvertising
Published:
5 August 2021 11:35 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

SocGholish is an advanced delivery framework used in drive-by-download and watering hole attacks. These attacks uses sophisticated social engineering lures to convince target user to download and run malware, including ransomware and RATs.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

First seen in the wild in April 2018, SocGholish is a drive-by-download framework used in social engineering attacks to deliver a range of remote access trojans and ransom tools. Believed to have been created by, or heavily associated with, the Indrik Spider advanced persistent threat group, SocGholish has been seen delivering well-known threat including WastedLocker, NetSupportRAT, Hades, and Dridex.

Payload delivery

SocGholish relies on a series of sophisticated social engineering lures, most of which claim to be browser updates of some sort, to deliver its payloads. These lures direct target users to malicious content, typically stored in an iFrame, on otherwise legitimate websites. When a user interacts with this content, a ZIP archive containing a heavily obsfuscated HTA or JS file is downloaded to their system. The file is then executed when the user opens the ZIP archive. As the ZIP archive appears to be downloaded from a legitimate site, users are likely to be less vigilant when opening it. SocGholish's use of malicious iFrames on legitimate websites can also prevent network and browser security technologies from detecting its activity.

Once executed, the HTA or JS file acts as a preliminary loader, collecting system information and performing anti-analysis checks before using cmd.exe or Powershell.exe. to connect to a command and control server to retrieve any secondary payloads for deployment.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Last edited: 5 August 2021 1:36 pm