SocGholish is a JavaScript-based malware framework that uses social engineering lures disguised as software updates to deliver malware to a victim’s system. Threat actors inject code into compromised websites that redirects visitors to fake browser-update pages; the archive the page serves acts as a loader for follow-on payloads such as Cobalt Strike, ransomware, information stealers, or RATs (NetSupport RAT in the campaign described here). #SocGholish #CobaltStrike #NetsupportRAT #Chrome.Update
Keypoints
- SocGholish is a JavaScript-based framework, active since 2017, that uses social engineering to impersonate software updates.
- Actors host malicious sites that mimic Chrome, Firefox, Flash Player and Microsoft Teams update prompts to entice users to click.
- The infection relies on a drive-by download: HTML injected into a compromised site redirects the visitor to the lure page, which serves a malicious archive.
- Infections can lead to deployment of multiple payloads, including Cobalt Strike, ransomware, information stealers, and RATs.
- In this campaign the chain centers on a fake Chrome update page and a downloaded archive named “Сhrome.Updаte.zip”. As written in the IOC entries, the name uses lookalike non-Latin characters in place of the ASCII “C” and “a”, so a search for the plain ASCII string “Chrome.Update.zip” will not match it; match on hashes or on the exact bytes of the name.
- Techniques mapped to MITRE ATT&CK include Drive-by Compromise, User Execution, JavaScript and PowerShell execution, Registry Run Keys/Startup Folder persistence, privilege escalation via DLL side-loading and process injection, defense evasion, discovery, and command and control.
- IOCs include hashes for the archive, the JavaScript file (AutoUpdater.js), the PowerShell stage (15.ico.ps1) and the final executable (whost.exe), plus the download/C2 URLs and IP addresses linked to the campaign.
MITRE Techniques
- [T1189] Drive-by Compromise – Initial access through a compromised website that redirects the visitor to the lure page. “The infection chain begins once a user visits a compromised website that contains an injected HTML code which redirects them to a fake Chrome browser page to lure them into updating their Chrome application.”
- [T1204] User Execution – The victim clicks the fake update button, which starts the download. “Once the user clicks the ‘Update’ button on the fake page, an archive file named ‘Сhrome.Updаte.zip’ is downloaded and saved in the ‘Downloads’ folder.”
- [T1059] Command and Scripting Interpreter – JavaScript (T1059.007, the AutoUpdater.js file in the IOCs) and PowerShell (T1059.001, the 15.ico.ps1 stage) are used during execution. The source’s execution mapping lists “JavaScript” and “PowerShell”.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence across reboots. “Persistence – Registry Run Keys / Startup Folder”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading and [T1055] Process Injection – Listed by the source under privilege escalation. “DLL Side-Loading Process Injection”
- [T1027] Obfuscated Files or Information – Scripts and payloads are obfuscated to evade detection. “Obfuscated Files or Information”
- [T1497] Virtualization/Sandbox Evasion – Checks to avoid running under analysis. “Virtualization/Sandbox Evasion”
- [T1140] Deobfuscate/Decode Files or Information – Later stages are decoded at runtime; note that the PowerShell stage is served under a .ico filename (15.ico in the IOC URLs). “Deobfuscate/Decode Files or Information”
- [T1082] System Information Discovery – Host information is collected after infection. “System Information Discovery”
- [T1219] Remote Access Software – NetSupport RAT, the subject of the source write-up, provides remote control of the host. “Remote Access Software”
- [T1105] Ingress Tool Transfer – Additional stages are fetched from the attacker-controlled server (the aeoi[.]pl URLs in the IOCs). “Ingress Tool Transfer”
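The execution chain above (a script host running a .js from the Downloads folder and then spawning PowerShell) is something a detection engineer can look for in process-creation telemetry. The following Python is an added example, not code from the Cyble write-up: it evaluates that parent/child pattern over constructed Sysmon-style records, and separately checks a filename for mixed Unicode scripts, which is how the lookalike archive name differs from the ASCII “Chrome.Update.zip”. The process records, user paths and PowerShell arguments are constructed for illustration; the page gives no command lines.

```python
"""Behavioural detection for the execution chain summarised above: a script host
(wscript.exe/cscript.exe) running a .js from a user-writable folder and then
spawning PowerShell, plus a check for filenames that mix Unicode scripts, which
is how the lookalike archive name in the IOC list differs from plain ASCII.
Added example, not code from the source write-up; the process records, paths
and PowerShell arguments below are constructed for illustration."""
import re
import unicodedata
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Directories an unprivileged user can write to; a script launched from here is suspicious.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)
# The archive name as it appears in the IOC list: Cyrillic Es (U+0421) and a (U+0430).
LOOKALIKE_NAME = "\u0421hrome.Upd\u0430te"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 (process creation) style record."""
    pid: int
    ppid: int
    image: str      # lower-case image basename
    cmdline: str


def letter_scripts(name: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in a name, taken from the
    first word of each character's Unicode name, e.g. 'CYRILLIC CAPITAL LETTER ES'."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}


def is_mixed_script(name: str) -> bool:
    """True when letters from more than one script appear, e.g. Cyrillic inside Latin."""
    return len(letter_scripts(name)) > 1


def detect_chain(events) -> list:
    """Return one alert per shell process whose parent is a script host that was
    started with a script path in a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if not USER_WRITABLE.search(parent.cmdline):
            continue
        alert = f"T1059: {parent.image} (pid {parent.pid}) spawned {e.image} (pid {e.pid})"
        if is_mixed_script(parent.cmdline):
            alert += " [mixed-script path: possible homoglyph lure]"
        alerts.append(alert)
    return alerts


# Constructed sample records (not captured telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 50, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",
              f'wscript.exe "C:\\Users\\alice\\Downloads\\{LOOKALIKE_NAME}\\AutoUpdater.js"'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command <constructed>"),
    # Benign: PowerShell opened from Explorer, and a corporate logon script under Program Files.
    ProcEvent(400, 100, "powershell.exe", "powershell.exe"),
    ProcEvent(500, 100, "wscript.exe", 'wscript.exe "C:\\Program Files\\Corp\\logon.js"'),
    ProcEvent(600, 500, "powershell.exe", 'powershell.exe -File "C:\\Program Files\\Corp\\map.ps1"'),
]

if __name__ == "__main__":
    for line in detect_chain(SAMPLE_EVENTS):
        print(line)
```

Only the wscript.exe → powershell.exe pair launched from Downloads produces an alert; the same pair under Program Files and a user-opened PowerShell do not. The mixed-script check is deliberately generic (any non-Latin letter among Latin ones) so it also catches variants of the lure name that use different lookalike characters.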
Indicators of Compromise
- [MD5/SHA1/SHA256] Archive file “Сhrome.Updаte.zip” (lookalike name, not the ASCII “Chrome.Update.zip”) – d5812e63327b5f5491c1a55c74737540, 0af611819cd098c1ff3942431fc327dc75b83344, bad65408eb581fe39ded2637473bd4458b03e183ecc03164d6f8cf683a3e408e
- [MD5/SHA1/SHA256] Archive file “Сhrome.Updаte.zip” – dc123142cb787d395814027ff4046842, f4aaa317e23fb5446fc29fdbabfa4f0fc7090f59, 520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61
- [MD5/SHA1/SHA256] JavaScript file “AutoUpdater.js” – 606df8a69873fcc00754a6bb245ab5ae, 6842a4b32aa6a80c75bed4cdf09235c9a5f7e87b, 6f0fac3b955e63f25bd199ec373c677152212fceda20d8bc6672cf62e68482e8
- [MD5/SHA1/SHA256] JavaScript file “AutoUpdater.js” – eca593e95d2e919fb4b5f55b62b663df, 406d6f811df8c0f9a16a36117be6772f25fcb214, 1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d
- [MD5/SHA1/SHA256] PS1 file “15.ico.ps1” (PowerShell stage, served under the .ico name in the URLs below) – dad848c52d27ed20002825df023c4d7c, 48e49867904d83b35361d6c5f809d16bc251f334, 4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7
- [MD5/SHA1/SHA256] EXE file “whost.exe” – 252dce576f9fbb9aaa7114dd7150f320, c07f0a02c284b697dff119839f455836be39d10e, b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
- [URL] Payload download / C2 server – hxxp://aeoi[.]pl/15.ico, hxxp://aeoi[.]pl/21.ico (the 15.ico path corresponds to the “15.ico.ps1” file above)
- [IP] C2 server – 149.248.8.148, 94.158.247.32
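The indicators above are published defanged (hxxp, [.]), so they cannot be compared with live logs as-is. The following Python is an added example, not part of the Cyble write-up: it refangs the indicators and matches them against constructed web-proxy log lines and a constructed file inventory. It generalizes slightly beyond the two listed URLs by also matching on the bare host (aeoi.pl), so a request for a different .ico path on the same server is still flagged. The log lines, client addresses, TEST-NET destination addresses and the file inventory are constructed.

```python
"""Match the defanged indicators listed above against constructed web-proxy
log lines and a constructed file inventory. Added example, not from the
source write-up. URLs are refanged before comparison; matching also fires on
the bare host (aeoi.pl) and on the C2 IPs, so requests for paths other than
the two listed .ico names are still caught."""
import re
from typing import Optional
from urllib.parse import urlparse

# Indicators exactly as published above (defanged form).
DEFANGED_URLS = ["hxxp://aeoi[.]pl/15.ico", "hxxp://aeoi[.]pl/21.ico"]
C2_IPS = {"149.248.8.148", "94.158.247.32"}
SHA256_TO_NAME = {
    "bad65408eb581fe39ded2637473bd4458b03e183ecc03164d6f8cf683a3e408e": "archive (lookalike Chrome.Update.zip)",
    "520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61": "archive (lookalike Chrome.Update.zip)",
    "6f0fac3b955e63f25bd199ec373c677152212fceda20d8bc6672cf62e68482e8": "AutoUpdater.js",
    "1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d": "AutoUpdater.js",
    "4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7": "15.ico.ps1",
    "b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad": "whost.exe",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> ., [:] -> :) for comparison."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


IOC_URLS = {refang(u).lower() for u in DEFANGED_URLS}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}


def match_proxy_line(line: str) -> Optional[str]:
    """Constructed line format: '<ts> <client_ip> <method> <url> <status> <dst_ip>'.
    Checks, in order: exact IOC URL, IOC host, C2 IP as URL host or destination."""
    _ts, client, _method, url, _status, dst_ip = line.split()
    url = url.lower()
    host = urlparse(url).hostname
    if url in IOC_URLS:
        return f"{client}: exact IOC URL {url}"
    if host in IOC_HOSTS:
        return f"{client}: request to IOC host {host} ({urlparse(url).path})"
    if host in C2_IPS or dst_ip in C2_IPS:
        return f"{client}: connection to C2 IP {dst_ip}"
    return None


def scan_proxy(lines) -> list:
    """Return the findings for every line that matches an indicator."""
    return [m for m in map(match_proxy_line, lines) if m]


def match_hashes(inventory: dict) -> list:
    """inventory maps file path -> SHA256 hex; returns 'path: known name' for IOC hits."""
    return [f"{path}: {SHA256_TO_NAME[h.lower()]}" for path, h in inventory.items()
            if h.lower() in SHA256_TO_NAME]


# Constructed sample data; destination addresses for aeoi.pl are TEST-NET placeholders.
PROXY_LOG = [
    "2022-09-20T10:01:02Z 10.0.0.5 GET http://aeoi.pl/15.ico 200 203.0.113.10",
    "2022-09-20T10:01:09Z 10.0.0.5 GET http://aeoi.pl/37.ico 200 203.0.113.10",
    "2022-09-20T10:05:00Z 10.0.0.7 GET https://www.example.com/ 200 203.0.113.20",
    "2022-09-20T10:07:13Z 10.0.0.9 GET https://149.248.8.148/ 200 149.248.8.148",
]
FILE_INVENTORY = {
    "C:\\Users\\alice\\Downloads\\\u0421hrome.Upd\u0430te.zip":
        "bad65408eb581fe39ded2637473bd4458b03e183ecc03164d6f8cf683a3e408e",
    "C:\\Users\\alice\\Downloads\\AutoUpdater.js":
        "6f0fac3b955e63f25bd199ec373c677152212fceda20d8bc6672cf62e68482e8",
    "C:\\Windows\\System32\\notepad.exe": "0" * 64,   # placeholder benign hash
}

if __name__ == "__main__":
    for finding in scan_proxy(PROXY_LOG) + match_hashes(FILE_INVENTORY):
        print(finding)
```

Hash matching is exact and therefore misses any recompiled or re-packed sample; the host and IP checks are the ones that generalize, at the cost of needing review if the server is later cleaned up or shared.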
Read more: https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish/