Socgholish to Cobalt Strike in 10 Minutes

eSentire’s TRU team uncovered Socgholish, a drive-by social engineering threat that delivers a fake software update, leading to quick Cobalt Strike deployment and persistence. The case highlights how drive-by infections can escalate to hands-on-keyboard intrusions within minutes and reinforces defenses like PSAT, EDR, and multi-signal MDR. #Socgholish #CobaltStrike #Solarmarker #GootkitLoader

Keypoints

  • Socgholish is a drive-by social engineering threat delivered via fake software updates during web browsing.
  • Victim executes a script file (Chrome.Quick.Update.ver.103.87.87707.js) believing it is a legitimate browser update.
  • The script contacts a C2 domain and then runs discovery commands using built-in Windows tools.
  • A second script writes a Cobalt Strike DLL masquerading as a VMware binary (vgauthservice.dll) to disk, loads it with Regsvr32, and then copies it into the startup folder for persistence.
  • The beacon contacts the Cobalt Strike host (optiontradingsignal[.]com); a second round of discovery follows, along with activity the TRU report describes as Kerberoasting-like.
  • MDR for Endpoint and MDR for Log identified the stages and the SOC triaged and contained the threat.
  • TRU recommendations include Phishing and Security Awareness Training (PSAT), content review procedures, Windows Attack Surface Reduction (ASR) rules, EDR, and a multi-signal MDR approach.
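The keypoints above describe a four-stage chain (browser-spawned script host, discovery burst, Regsvr32 loading a DLL from a user-writable path, non-shortcut file dropped into the Startup folder) that completed in roughly ten minutes. The following is an added example, not code from the eSentire post or from TRU: toy detection logic that runs over constructed process-creation and file-creation events. The field names loosely follow Sysmon Event ID 1 and 11 but the records, user name and paths are made up here; the assumption that a legitimate vgauthservice.dll lives under Program Files\VMware rather than in a user profile is the editor's, not a claim from the report.

```python
"""Toy detection for the Socgholish -> Cobalt Strike chain (added example).

Events are constructed sample telemetry, not logs from the incident.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe",
             "systeminfo.exe", "ipconfig.exe"}
# Paths a standard user can write to; a DLL loaded from here is the
# signal, since regsvr32.exe itself is signed and common.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)

WSCRIPT = r"C:\Windows\System32\wscript.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample events (user 'jdoe' and paths are hypothetical).
EVENTS = [
    {"type": "process", "ts": "10:00:01", "image": WSCRIPT, "parent": CHROME,
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Chrome.Quick.Update.ver.103.87.87707.js"'},
    {"type": "process", "ts": "10:00:09", "image": r"C:\Windows\System32\whoami.exe",
     "parent": WSCRIPT, "cmdline": "whoami /all"},
    {"type": "process", "ts": "10:00:10", "image": r"C:\Windows\System32\net.exe",
     "parent": WSCRIPT, "cmdline": 'net group "domain admins" /domain'},
    {"type": "process", "ts": "10:00:13", "image": r"C:\Windows\System32\nltest.exe",
     "parent": WSCRIPT, "cmdline": "nltest /dclist:"},
    {"type": "process", "ts": "10:03:40", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": WSCRIPT,
     "cmdline": r"regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\vgauthservice.dll"},
    {"type": "file_create", "ts": "10:03:41", "image": WSCRIPT,
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgauthservice.dll"},
    # Benign: an installer registering the real VMware DLL from Program Files.
    {"type": "process", "ts": "11:00:00", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\VMware\VMware Tools\vgauthservice.dll"'},
]

CHAIN_RULES = {"browser_spawned_script_host", "discovery_burst",
               "regsvr32_user_path_dll", "startup_folder_dropper"}


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _secs(ts):
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s


def detect(events, burst_window_s=60):
    """Return sorted (ts, rule, detail) findings for the four chain stages."""
    findings = []
    discovery = defaultdict(list)  # parent image -> [(secs, tool, ts)]
    for e in events:
        if e["type"] == "file_create":
            # Startup folder normally holds .lnk files; a DLL/JS/EXE dropped
            # there by a script host is the persistence step.
            if STARTUP_DIR.search(e["target"]) and not e["target"].lower().endswith(".lnk"):
                findings.append((e["ts"], "startup_folder_dropper", e["target"]))
            continue
        img, parent, cmd = _name(e["image"]), _name(e["parent"]), e["cmdline"]
        if (img in SCRIPT_HOSTS and parent in BROWSERS
                and re.search(r"\.js\b", cmd, re.I) and USER_WRITABLE.search(cmd)):
            findings.append((e["ts"], "browser_spawned_script_host", cmd))
        if img in DISCOVERY and parent in SCRIPT_HOSTS:
            discovery[parent].append((_secs(e["ts"]), img, e["ts"]))
        if img == "regsvr32.exe" and USER_WRITABLE.search(cmd):
            findings.append((e["ts"], "regsvr32_user_path_dll", cmd))
    # Three or more distinct built-in discovery tools under one script host
    # within the window count as a burst; report it once, at its first event.
    for parent, hits in discovery.items():
        hits.sort()
        for start, _, ts in hits:
            tools = {tool for t, tool, _ in hits if start <= t <= start + burst_window_s}
            if len(tools) >= 3:
                findings.append((ts, "discovery_burst", f"{parent} -> {sorted(tools)}"))
                break
    return sorted(findings)


def chain_alert(findings, window_s=600):
    """True when all four stages fire within window_s (default: ten minutes)."""
    rules = {rule for _, rule, _ in findings}
    if not CHAIN_RULES <= rules:
        return False
    times = sorted(_secs(ts) for ts, _, _ in findings)
    return times[-1] - times[0] <= window_s


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print("chain alert:", chain_alert(detect(EVENTS)))
```

The individual rules are noisy on their own (regsvr32 from AppData fires on some legitimate per-user installers, and a discovery burst fires on admins' scripts), which is why `chain_alert` only escalates when all four stages land inside the ten-minute window the post's title refers to. The benign Program Files event in the sample is there to show the path check, not the binary name, doing the work.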

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by social engineering threat distributed through fake software updates. ‘Socgholish, a drive-by social engineering threat distributed through fake software updates.’
  • [T1059.007] JavaScript – Script delivered as a .js file executed by the user during the fake update. ‘the victim retrieved and executed a script file (Chrome.Quick.Update.ver.103.87.87707.js) believing it to be a legitimate update for their web browser.’
  • [T1027] Obfuscated Files or Information – Obfuscated Socgholish script used during the operation. ‘Figure 1 Snippet of the obfuscated Socgholish script responsible for contacting the C2’
  • [T1218.011] Regsvr32 – Payload loaded via Regsvr32 before persistence. ‘The script launched it using Regsvr32 before adding it to the startup folder for persistence.’
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence achieved by adding the component to the startup folder. ‘adding it to the startup folder for persistence.’
  • [T1036] Masquerading – Cobalt Strike DLL masquerading as a VMware binary. ‘wrote a Cobalt Strike DLL masquerading as a VMware binary to the disk (vgauthservice.dll, ecf77ba093cea883fcc736f4b62f4605).’
  • [T1071.001] Web Protocols – C2 communications with known Cobalt Strike infrastructure. ‘contacted optiontradingsignal[.]com, a known Cobalt Strike host’

Indicators of Compromise

  • [Domain] contextual – tworoadsbrewing[.]com and ca16a9a0[.]official[.]stradlings[.]com (Socgholish payload/C2) and optiontradingsignal[.]com (Cobalt Strike C2)
  • [File hash] 14fbf3009f9f37149f408e99cffd4931, ecf77ba093cea883fcc736f4b62f4605 – Socgholish and Cobalt Strike artifacts (the second is the vgauthservice.dll Cobalt Strike DLL)
  • [URL] https://ca16a9a0[.]official[.]stradlings[.]com/pixel.png – C2 communication

Read more: https://www.esentire.com/blog/socgholish-to-cobalt-strike-in-10-minutes