The Threat Response Unit (TRU) at eSentire traced a SocGholish infection that began with a fake browser update and led to post-exploitation activities such as credential theft and data exfiltration. The campaign leveraged obfuscated JavaScript, living-off-the-land techniques, and user-interaction monitoring to map victim peers and extend reach. #SocGholish #MoreEggs #Kaseya #eSentire #ThreatResponseUnit
Keypoints
- In April 2024, eSentire's Threat Response Unit identified and traced hands-on-keyboard activity to a SocGholish infection initiated by a fake browser update.
- The fake update used obfuscated JavaScript to evade detection and establish a foothold in the environment.
- Attackers used living-off-the-land techniques and web beacons in email signatures and network shares to map local and business relationships for targeting peers.
- The infection began when the user visited a compromised website and downloaded a fake Update.js JavaScript file (MD5: 44a0b845b30dcdc26c8017a6714c46e9).
- Post-exploitation included password store extraction from Microsoft Edge and Google Chrome and copying login data to temporary and other user directories for exfiltration.
- Threat actors attempted to retrieve and decrypt browser encryption keys with PowerShell, set up a portable Python environment for payloads, and manipulated Outlook HTML signatures to monitor email opens and enumerate domain users.
MITRE Techniques
- [T1189] Drive-by Compromise - Infection initiated by a fake browser update that loads obfuscated scripts to establish a foothold. "The fake update used obfuscated JavaScript to evade detection and establish a foothold in the environment."
- [T1027] Obfuscated/Compressed Files and Information - Obfuscated JavaScript used to evade detection during the initial payload delivery. "The fake update used obfuscated JavaScript to evade detection and establish a foothold in the environment."
- [T1555.003] Credentials in Web Browsers - Extraction of saved login data from browser profiles. "The threat actors extracted saved login data from Microsoft Edge and Google Chrome."
- [T1059.001] PowerShell - Use of base64-encoded PowerShell commands to retrieve and decrypt browser keys and set up payloads. "Next, the threat actors attempted to run a base64-encoded command via PowerShell."
- [T1566.002] Phishing: Spearphishing Link - Social engineering via fake updates and modifications to Outlook signatures to monitor email opens. "The SocGholish intrusion campaign showcased a social engineering approach to first gain entry through fake updates and then initiate a series of scripted actions to extract sensitive data and monitor user interactions."
- [T1069.001] Domain Groups Discovery - Enumeration of domain users to understand internal group memberships. "listed the members of the 'domain users' group in a domain environment."
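As an added, defender-side illustration (not code from the eSentire report), the following Python classifies constructed process and file telemetry against the behaviours summarised above: the script-host launch of Update.js from Downloads, base64-encoded PowerShell that touches the browser password store, a Login Data copy staged under %TEMP%, and the "domain users" enumeration. The event field names, the sample user jdoe and the encoded command are assumptions made for the example.

```python
import base64
import re

# Constructed sample telemetry (not from the eSentire report); "jdoe" is a placeholder user.
_FAKE_PS = r'Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" $env:TEMP'
_ENC = base64.b64encode(_FAKE_PS.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\jdoe\Downloads\Update.js"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc " + _ENC},
    {"type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\Login Data"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "domain users" /domain'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
]

def decode_encoded_powershell(cmd):
    """Decode a -e/-ec/-enc/-EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\b\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the names of the behaviours from the intrusion that this single event matches."""
    hits = []
    if event["type"] == "process":
        image, cmd = event["image"].lower(), event["cmd"]
        # Fake "browser update": a .js saved to Downloads and run by the Windows script host.
        if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\\downloads\\[^\\]+\.js\b", cmd, re.I):
            hits.append("fake-update-js")
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                hits.append("encoded-powershell")
                if "login data" in decoded.lower():  # decoded script touches the browser password store
                    hits.append("browser-credential-access")
        if image.endswith("net.exe") and re.search(r'group\s+"?domain users"?\s+/domain', cmd, re.I):
            hits.append("domain-users-enum")  # enumeration of the "domain users" group
    elif event["type"] == "file" and re.search(r"\\appdata\\local\\temp\\.*login data$", event["path"], re.I):
        hits.append("login-data-staged")  # password store copied under %TEMP% before exfiltration
    return hits

def scan(events):
    # Map the index of every matching event to its rule hits; benign events are omitted.
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```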
Indicators of Compromise
- [Hash] MD5 - 44a0b845b30dcdc26c8017a6714c46e9
- [Domain] ghost.blueecho88[.]com - C2/script delivery points within the obfuscated URLs
- [IP] 170.130.55.72 - C2 server referenced for resource delivery (Documentation.ico)
- [URL] hxxps://ghost.blueecho88[.]com/XnkKYSVbaQg6WzBTaU0mQy0NbxF8QygRLBxpCTsaYT40ClUHLBZkFTsLeA4sWyZDOwt4DixbMFByW3hDZFtvBy4JbEMj
- [URL] hxxps://ghost.blueecho88[.]com/U5WuWyi3zTI3t5RpZKGCeSDhyytxr4wrIfDNMzb2xQQ55vE9IfrALzbn3DQht4J5NufcNCG3lGl/t9x5abfKNz3wxDAl/cw3NeXXPDG30w==
- [URL] hxxps://ghost.blueecho88[.]com/gcGKZ/rj6Q7l47BVtvWmRfK17xej+6gG76DmHvuk1QHx46ZF8+OwReumqBo=
- [File] Update.js - malicious JavaScript payload
- [File] Default\Login Data - browser password store file targeted for exfiltration
- [File] Login Data - browser password data copied and exfiltrated
- [File] logocompany.jpeg - image resource loaded from remote server as part of monitoring
- [File] Documentation.lnk - network share shortcut pointing to C2 resource
- [File] Documentation.ico - icon used in network share shortcut
- [File] 395edg.bin, 396chr.bin - staged credential data components used in exfiltration
- [Temp] C:\Users\<username>\AppData\Local\Temp\*.tmp - log and staging artifacts
Read more: https://www.esentire.com/blog/socgholish-sets-sights-on-victim-peers