Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569

SocGholish, operated by TA569, is a Malware-as-a-Service platform that sells access to compromised systems using deceptive fake browser update lures and Traffic Distribution Systems (TDSs) such as Parrot TDS and Keitaro TDS. Its infrastructure supports various financially motivated threat actors, including Russian groups like Evil Corp (DEV-0243) and UNC2165, and is linked to state-sponsored campaigns like Raspberry Robin associated with Russia’s GRU Unit 29155. #SocGholish #TA569 #KeitaroTDS #ParrotTDS #EvilCorp #RaspberryRobin

Keypoints

  • SocGholish operates as a Malware-as-a-Service vendor, selling compromised system access to multiple cybercriminal clients including APT groups.
  • It primarily uses deceptive fake browser update pop-ups initiated via JavaScript injections on compromised websites to deliver malware.
  • Traffic Distribution Systems like Parrot TDS and Keitaro TDS are leveraged to filter and redirect victims, improving targeting and evasion.
  • SocGholish infrastructure features domain shadowing and frequent domain rotation to evade detection and maintain persistence.
  • TA569’s customers include Russian cybercriminal groups such as Evil Corp (DEV-0243) and UNC2165, which deploy ransomware using SocGholish access.
  • The malware’s infection chain involves multiple staged JavaScript payloads with sophisticated victim filtering based on environment and activity.
  • There are connections between SocGholish, Raspberry Robin, Dridex, and state-sponsored threat actors linked to the Russian military’s Unit 29155.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – SocGholish uses JavaScript injections on compromised websites to initiate malware download and execution (‘…script async src="https://cp[.]envisionfonddulac[.]biz/…’).
  • [T1071] Application Layer Protocol – The SocGholish agent communicates with its command and control servers via HTTP POST requests (‘…creates a POST request to a SocGholish Implant C2…’).
  • [T1090] Proxy – SocGholish uses proxies for C2 communications routing requests through Tor proxy to hide true command server locations (‘…all requests are routed via a Tor proxy…’).
  • [T1030] Data Transfer Size Limits – The malware tracks victim activity via image loads to confirm user actions before delivering payloads (‘…loading an “image” from the C2 to track user’s activity…’).
  • [T1110] Brute Force – Filtering for automated browsers using webdrivers (‘…Users who use an automated web browser (using webdriver) get redirected to the first type of payload…’).
  • [T1499] Endpoint Denial of Service – Uses techniques like disabling page refresh (F5 key) to prevent victims from leaving fake update page (‘…disables the F5 button’s functionality…’).
  • [T1041] Exfiltration Over C2 Channel – The JavaScript stager sends tracking IDs to C2 and executes commands received (‘…creates POST request…sends tracking ID…executes response text…’).

Indicators of Compromise

  • [Domains] Related to SocGholish infrastructure and injects – cp[.]envisionfonddulac[.]biz, rapiddevapi[.]com, searchgear[.]pro, download[.]romeropizza[.]com
  • [File Names] On-device payloads and stagers – LatestVersion.js, UpdateInstaller.zip, Version.139.3195.25.js (masquerading as browser update files)
  • [Scripts] JavaScript injection files and payload URLs – /assets/bootstrap/fonts/getunwashed/admin/view/stylesheet/stylesheet.php, various .php proxies used for loading TDS JavaScript
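A defender-side triage script, added here as an example and not code from Silent Push or the write-up, that applies the indicators and technique notes above: it sweeps page source for injected script tags pointing at the listed inject domains or at a .php proxy endpoint, and flags proxy-log downloads named like the fake-update payloads. The proxy-log layout ("timestamp client host path"), the sample HTML and the log lines are constructed for illustration.

```python
import re
# Defanged indicators from the write-up, refanged here for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "cp[.]envisionfonddulac[.]biz", "rapiddevapi[.]com",
    "searchgear[.]pro", "download[.]romeropizza[.]com")}
# Payload names from the write-up; Version.N.N.N.js generalises the one version quoted.
FAKE_UPDATE_NAME = re.compile(
    r"^(?:LatestVersion\.js|UpdateInstaller\.zip|Version(?:\.\d+){3}\.js)$", re.I)
# Coarse sweep for <script ... src="..."> tags; enough for a page-source scan.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
URL_HOST_PATH = re.compile(r"^https?://([^/:?#]+)([^?#]*)", re.I)

def find_injected_scripts(html):
    """Return (src, reason) for script tags that point at a known SocGholish
    inject domain or that load JavaScript through a .php proxy endpoint."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        m = URL_HOST_PATH.match(src)
        host, path = (m.group(1).lower(), m.group(2)) if m else ("", src.split("?")[0])
        if host in IOC_DOMAINS:
            hits.append((src, "known SocGholish inject domain"))
        elif path.lower().endswith(".php"):
            hits.append((src, "JavaScript sourced from a .php proxy endpoint"))
    return hits

def find_fake_update_downloads(log_lines):
    """Return (client, host, filename) for 'ts client host path' proxy log lines
    whose requested file is named like a SocGholish fake-update payload."""
    found = []
    for line in log_lines:
        _, client, host, path = line.split(maxsplit=3)
        name = path.split("?")[0].rsplit("/", 1)[-1]
        if FAKE_UPDATE_NAME.match(name):
            found.append((client, host, name))
    return found

# Constructed sample input, not real telemetry.
SAMPLE_HTML = (
    '<script async src="https://cp.envisionfonddulac.biz/l.js"></script>'
    '<script src="/assets/bootstrap/fonts/getunwashed/admin/view/stylesheet/stylesheet.php"></script>'
    '<script src="https://cdn.example.org/app.js"></script>')
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 download.romeropizza.com /Version.139.3195.25.js",
    "2024-01-01T10:00:07Z 10.0.0.5 download.romeropizza.com /UpdateInstaller.zip?id=1",
    "2024-01-01T10:01:00Z 10.0.0.9 cdn.example.org /app.js",
]

if __name__ == "__main__":
    print(find_injected_scripts(SAMPLE_HTML), find_fake_update_downloads(SAMPLE_LOG))
```

The .php heuristic will also surface legitimate sites that serve JavaScript from PHP endpoints, so treat it as a lead for manual review rather than an alert on its own.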

Read more: https://www.silentpush.com/blog/socgholish/?utm_source=rss&utm_medium=rss&utm_campaign=socgholish