Ransomware campaigns increasingly use the SocGholish loader, infecting websites and delivering malware via fake browser updates. This enables credential theft through legacy protocols and spreads ransomware like RansomHub, enhancing early lateral movement and persistence. (Affected: corporate networks, CMS-based websites, ransomware sectors)
Keypoints :
- Ransomware affiliates rely on SocGholish loader campaigns for initial access.
- SocGholish infects outdated CMS sites by injecting malicious JavaScript.
- Victims are tricked by fake browser update pages to download JavaScript loaders.
- Keitaro TDS domains are used to distribute obfuscated SocGholish payloads.
- Post-infection activities include credential theft using WebDAV and SCF files exploiting NTLM authentication.
- Attackers leverage forced authentication to capture NTLM hashes both internally and externally.
- SocGholish establishes command-and-control communication over HTTPS and utilizes port-hopping for evasive C2 traffic.
- RansomHub ransomware affiliates deploy Python-based backdoors post SocGholish infection.
- Early lateral movement is facilitated by planting malicious SCF files on SMB network shares.
- Detection of these attacks involves monitoring anomalous SMB activity, outbound connections to rare endpoints, and unusual authentication traffic.
MITRE Techniques :
- Forced Authentication (T1187) – Exploiting default Windows behavior to capture NTLM hashes via WebDAV and SCF files.
- Brute Force (T1110) – Attempts to crack passwords offline using harvested credentials.
- Command and Control: Web Protocols (T1071.001) – Using HTTPS for malware C2 communication.
- Command and Control: Non-Standard Port (T1571) – Using port-hopping to evade network detection.
- File and Directory Discovery (T1083) – Searching for files and folders for lateral movement.
- Remote System Discovery (T1018) – Identifying network services and shares.
- Network Service Discovery (T1046) – Scanning network for accessible services like SMB.
- Network Share Discovery (T1135) – Locating SMB shares to deposit malicious SCF files.
- Execution: JavaScript (T1059.007) – Running malicious JavaScript from infected sites.
- SMB/Windows Admin Shares (T1021.002) – Using SMB shares for lateral movement.
- Drive-By Compromise (T1608.004) – Infecting victims via browser drive-by downloads.
Indicator of Compromise :
- The article presents compromised websites (e.g., garagebevents[.]com – 35.203.175[.]30) used to deliver SocGholish via injected malicious JavaScript.
- Keitaro TDS domains (packedbrick[.]com, rednosehorse[.]com, blackshelter[.]org) serve as payload repositories for loaders.
- External IP endpoints such as 161.35.56[.]33 are linked to credential harvesting via WebDAV and SCF techniques.
- Connections to RansomHub-related command-and-control IPs (e.g., 185.174.101[.]240) over varying ports indicate active malware communication.
- Sample IOCs include rare domain names, malicious hashes (implied for JavaScript loaders and Python backdoors), specific IP addresses, and uncommon network port usage for C2.
Read more: https://darktrace.com/blog/anomaly-based-threat-hunting-darktraces-approach-in-action
Views: 33