SocGholish
SocGholish is a well-known malware campaign that masquerades as software updates, typically for browsers, to trick users into downloading malicious files. SocGholish often uses compromised websites to accomplish this; WordPress sites are particularly vulnerable if default configurations are not changed. On February 27th, 2024, an EDR alert led to the discovery of SocGholish malware on a state device. The EDR solution worked as intended and blocked the process from running. Further analysis found that a local Minnesota website had been compromised and was serving the malware. A search was conducted, and, in total, 12 distinct devices had visited the compromised website in the past 30 days (02/07/2024-03/07/2024). No evidence suggests that any compromise of state devices occurred.
Attack Chain
- The user visits a compromised website (ecowaterminnesota.com)
- An embedded script covers the screen and executes a linked malicious script.
- The malicious script contains the SocGholish payload.
- A fake update page is loaded over the screen, prompting the user to download a software update.
- The downloaded file is a JavaScript file, often named “update”, “version”, or some other software-update-related name.
- The user executes the “update” file, and the malware connects to a Command and Control (C2) server.
- Data is exfiltrated and, in some cases, lateral movement or secondary payloads may follow.
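The two defensive steps this notice describes, the 30-day search for devices that visited the compromised site and detection of the downloaded “update”/“version” JavaScript file being run, as an added Python example that is not part of the original notice. The log lines and process events are constructed samples; the proxy log layout (timestamp, host, URL) and the use of wscript.exe/cscript.exe as the script host are assumptions, not details from the incident.

```python
import re
from datetime import datetime

# Constructed proxy log lines (timestamp, host, URL); not from the incident.
PROXY_LOGS = """\
2024-02-12T09:14:02 ws-0142 https://ecowaterminnesota.com/
2024-02-12T09:14:03 ws-0142 https://ecowaterminnesota.com/wp-content/themes/site.js
2024-02-20T16:40:11 ws-0077 https://ecowaterminnesota.com/about
2024-01-30T08:01:55 ws-0310 https://ecowaterminnesota.com/
2024-03-01T11:22:09 ws-0142 https://example.org/news
""".splitlines()
SEARCH_WINDOW = (datetime(2024, 2, 7), datetime(2024, 3, 7, 23, 59, 59))  # the notice's 30-day window

def hosts_visiting(lines, domain, start, end):
    """Distinct hosts that requested any URL on `domain` between start and end (inclusive)."""
    pattern = re.compile(rf"https?://(www\.)?{re.escape(domain)}(/|$)", re.IGNORECASE)
    hosts = set()
    for line in lines:
        ts, host, url = line.split(None, 2)
        if start <= datetime.fromisoformat(ts) <= end and pattern.match(url):
            hosts.add(host)
    return sorted(hosts)

# Constructed process-creation events (image path, command line); not from the incident.
PROC_EVENTS = [
    (r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Update.js"'),
    (r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Chrome.Version.3.js"'),
    (r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\Scripts\inventory.js"'),
    (r"C:\Program Files\Notepad++\notepad++.exe", r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\jdoe\Downloads\update.js"'),
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed: Windows Script Host binaries that run a double-clicked .js
LURE_NAME = re.compile(r"update|version", re.IGNORECASE)  # the file names given in the attack chain
# A .js path under a user's Downloads folder; the lookahead keeps ".json" etc. from matching.
DOWNLOADED_JS = re.compile(r'"?([A-Za-z]:\\Users\\[^\\]+\\Downloads\\[^"]+?\.js(?=["\s]|$))"?', re.IGNORECASE)

def is_fake_update_execution(image, cmdline):
    """True when a script host runs a lure-named .js out of a user's Downloads folder."""
    if image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return False
    m = DOWNLOADED_JS.search(cmdline)
    if not m:
        return False
    filename = m.group(1).rsplit("\\", 1)[-1]
    return bool(LURE_NAME.search(filename))

def flagged_events(events):
    """Command lines from `events` that match the fake-update execution pattern."""
    return [cmd for image, cmd in events if is_fake_update_execution(image, cmd)]

if __name__ == "__main__":
    print("exposed hosts:", hosts_visiting(PROXY_LOGS, "ecowaterminnesota.com", *SEARCH_WINDOW))
    print("flagged executions:", flagged_events(PROC_EVENTS))
```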