SocGholish

10.04.2025 00:00

SocGholish

This writeup was originally produced for internal enterprise documentation and has been stripped of some details.

SocGholish is a well-known malware campaign that masquerades as software updates, typically for browsers, to trick users into downloading malicious files. Often, SocGholish uses compromised websites to accomplish this task. WordPress sites are particularly vulnerable if default configurations are not changed. On February 27th, 2024, an EDR alert lead to the discovery of SocGholish malware on a state device. The EDR solution worked as intended and blocked the process from running. Further analysis found that a local Minnesota website was compromised and serving the malware. A search was conducted, and, in total, 12 distinct devices had visited the compromised website in the past 30 days (02/07/2024-03/07/2024). No evidence suggests that any compromise of state devices occurred.

Attack Chain

The user visits a compromised website (ecowaterminnesota.com)
An embedded script covers the screen and executes a linked malicious script.
The malicious script contains the SocGholish payload.
A fake update page is loaded over the screen, prompting the user to download a software update.
The downloaded file is a JavaScript file often named “update”, “version”, or some other software updated related name.
The user executes the “update” file, and the malware connects to a Command and Control (C2) server.
Data is exfiltrated and in some cases, lateral movement or secondary payloads may be executed.

Infector API

07.04.2025 00:00

Infector API

The infector API (not at all a malicious thing, although it defintely started as a malware delivery system) is a long term project I started on in March. The primary goals were to establish a functional API server written entirely in Rust. Currently, the API server offers several different services, hooks into various technologies including a SQLite database for authentication, and has SSL/TLS support via Let’s Encrypt. In it’s current incarnation, it isn’t entirely ready for deployment. However, I thought this would be a good time to start documenting the journey I’ve taken creating this, and more importantly, what I’ve learned creating it.

Phishing Analysis #1

21.02.2025 00:00 phishing

Phishing Analysis

This article was originally written for internal use. It has been adapted for public release. Some content has been removed. I’ll try and do an actual rewrite at some point.

E-Mail Message

Phishing attacks typically start with either a malicious attachment or malicious domain. For this sample, the phishing event started with a link to a PDF file hosted by Gamma App. Gamma App and other file hosts are often used to serve malicious files. These services often have little to no security measures in place for detecting or preventing malware or phishing.

Remcos v5.3.0

15.01.2025 00:00 Remcos RAT

Reverse Engineering a Remcos RAT 5.3.0 Pro sample

This sample was taken from MalwareBazaar.

I was in the mood to do some malware reversing and came across an HTA sample on Malware Bazaar that seemed interesting. I had recently finished cleaning up some Lumma Stealer infections at work, and I wanted to dig into something that had a little more going on for it. There’s only so many fake captcha pages you can clean up in one day :).

Bypassing EDR constraints via WSL2

08.12.2024 00:00 bypass edr malware python rust

Windows Subsystem for Linux (WSL) is a powerful, native, method for accessing virtualized Linux environments and tools via Windows. With Windows 11, WSL is installed by default. It uses Hyper-V for virtualization and is (mostly) seamlessly integrated into the Windows operating system. Unlike WSL 1 which was a compatibility layer for Linux tools and ELF binaries, WSL 2 is a full-featured virtualized Linux kernel. Enter Endpoint Detection and Response (EDR) tooling. Typically, these tools monitor system processes, events, and other telemetry via installed sensors. These sensors passively monitor events, forwarding them to a central agent where processing, detections, etc happen. Sensors are required to be installed on the operating systems for which they are designed. For example, Linux sensors are required for Linux systems, and Windows sensors are required for Windows systems, and so on. With WSL 1, where the WSL process was simply a layer to provide some compatibility with Linux binaries, most events could be logged and detected from the Windows sensor viewpoint. However, with WSL 2, a fully virtualized Linux kernel, the Windows sensor (and the entire Windows host operating system, to some extent) has no insight into what is occurring or executing, so long as no interactions with the Windows host are made.

Relearning C Part 1 - Windows TCP Server

22.10.2024 00:00 c tcp-server windows

Recently, I was inspired to dive back into C, this time with a Windows focus. I’ve had previous experience with the basics in college, but I spent all that time working in Linux. This time around, I wanted to focus on developing C code for use on Windows. I wanted to start with something familiar, so I went with a simple TCP server. I’ve done several variations of this using other languages, and I’ve done something similar in C targeting Linux. So, I figured that this would be a relatively simple task. In a way it was. I was already familiar with the basics, so it didn’t take long to readjust from a PowerShell/Python mindset back to C, but I also found that documentation outside of MSDN was almost non-existent or, in some cases, was extremely out of date. Maybe I’m just bad at Googling, but where are all of the basics of C in Windows guides!? I found a bunch of TCP servers targeting Linux with socket.h, but I didn’t find easy-to-digest examples of the same thing with WinSock2.h and ws2_32.lib. Also, side note, but the whole #pragma comment(lib, “ws2_32.lib”) thing threw me off my game. I couldn’t figure out why my tests weren’t building at first. Anyway, I thought it would be useful to document my progress with relearning C. Starting with a basic TCP server that accepts messages and sends a canned response back to the client.

PE Files and How to Create a PowerShell PE File Parser

11.07.2024 00:00 github powershell

This is taken from my project Invoke-PEAnalysis.

PE File Types

To begin with, Portable Executable (PE) is the name given to executable images developed for the Windows operating system. Most commonly, you will see these as EXE files. These files are made up of various information sections called headers that describe the functionality and behavior of the executable file. These headers also contain the location of various data in the file. By parsing these headers and data, it is possible to extract pertinent information about the executable without ever running it. This is called Static Analysis. Of course, you can’t see everything an executable does through static analysis. However, you can see what it’s importing from the system, what sort of API calls it’s making, what it’s exporting, and other key details.

The Problem with PowerShell Logging Bypasses

24.06.2024 00:00 logging-bypass malware powershell

Before we start talking about logging bypasses and why they generally suck at bypassing logs, I’ll provide a little context on PowerShell logging and ScriptBlocks.

PowerShell ScriptBlocks are collections of statements or expressions to be executed. These ScriptBlocks are Objects of the System.Management.Automation.ScriptBlock type. They can be invoked, executed with a call operator, or otherwise executed via typical PowerShell methods. ScriptBlock Logging is a policy that logs all script input and the processing of commands, script blocks, and functions.

Using Bitwise NOT operations to obfuscate commands in PowerShell

24.05.2024 00:00 malware powershell

Bitwise NOT commands are often used in PowerShell malware samples to obfuscate commands. A bitwise NOT operation flips all the bits in a given byte sequence.

<# 
Bitwise NOT operations will flip all bits  
As an example, consider the following:

$byte = 00000101 | binary for 5

Performing a bitwise NOT operation flips all of the bits

$byte = 11111010 | binary for -6 (two's complement)

#>

$dec = 5

-bnot $dec # will print out -6

PowerShell

I-S00N leaks

19.02.2024 00:00 china i-s00n

Several days ago, a Github profile allegedly containing leaked documents on the Chinese government’s cyber offensive capabilities was posted. This repository contains multiple chat logs, call records, various images, and other files. Threat intelligence researcher and comfy VTuber, AzakaSekai_ has been translating and sharing information from these files on Twitter and infosec.exchange. VXUnderground has collected various posts from AzakaSekai and deposited them into their collection. So far, it appears that multiple 0 days, hardware devices, and victim lists have been found in the data. I’ve gone through what little I could locally translate and found discussions concerning the sale and demo of at least one 0 day. There are numerous images within the data as well, although all are in Mandarin. Some of these have been confirmed by AzakaSekai to contain victim information. More information can be found at the various links in the post. A backup of the GitHub data is attached. I’ve thrown together an incredibly simple HTML viewer file to read the chat logs. LibreTranslate is a good self-hosted Google alternative that can translate uploaded files.

Previous Page 2 of 3 Next Page