SocGholish operators have significantly expanded and diversified their malware staging infrastructure since mid-2022, adding about 18 new second-stage servers per month to counter defenders and scale operations. The majority of these new servers are in Europe (notably the Netherlands, the United Kingdom, and France). The campaigns compromise legitimate websites via injected JavaScript that loads a second-stage script, which in turn downloads the SocGholish payload masquerading as a software update. Hashtags: #SocGholish #EvilCorp #WastedLocker #CobaltStrike #NetSupport #DomainShadowing #Netherlands
Keypoints
- SocGholish has been diversifying and expanding its malware staging infrastructure since mid-2022, averaging 18 new second-stage servers per month (a 334% increase from early 2022).
- The bulk of new servers are located in Europe, with the Netherlands, the United Kingdom, and France leading.
- The framework uses social engineering and drive-by downloads to deliver payloads masquerading as legitimate updates after infecting websites via injected JavaScript.
- Second-stage server URLs are obfuscated with single or double Base-64 encoding to hide communications with the payload.
- Two forms of second-stage URLs exist: /s_code.js?cid=[n]&v=[string] and /report?r=[string], where r is a Base-64-encoded form of the cid=[n]&v=[string] query portion.
- Domain shadowing is used to host many second-stage servers under compromised domains to evade detection and takedown; an AWS CloudFront example is observed, signaling potential cloud infrastructure use.
- Post-compromise activity includes reconnaissance, persistence, and deployment of tools and malware such as Cobalt Strike, NetSupport, and WastedLocker (linked to EvilCorp).
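As an added example (not code from the report or its authors), the following Python decoder recognises both second-stage URL forms described in the key points, peels one or two layers of Base-64 from the r parameter, and runs over a few constructed proxy log lines; the two flagged URLs are the IoCs listed on this page, while the refang helper, the log format and the non-matching lines are assumptions.

```python
import base64
from typing import Optional
from urllib.parse import parse_qs, urlsplit

def refang(url: str) -> str:
    """Undo the hxxp:// and [.] defanging used in published IoC lists (assumed convention)."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def _decode_r(value: str, max_layers: int = 2) -> Optional[str]:
    """Peel up to max_layers of Base-64 (the report notes single or double
    encoding) until the result looks like the cid=...&v=... query portion."""
    current = value
    for _ in range(max_layers):
        padded = current + "=" * (-len(current) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        if "cid=" in decoded and "v=" in decoded:
            return decoded
        current = decoded  # not plaintext yet: try one more layer
    return None

def parse_second_stage_url(url: str) -> Optional[dict]:
    """Return {'form', 'host', 'cid', 'v'} if url matches either form, else None."""
    parts = urlsplit(refang(url))
    qs = parse_qs(parts.query)
    if parts.path.endswith("/s_code.js") and "cid" in qs and "v" in qs:
        return {"form": "s_code", "host": parts.hostname, "cid": qs["cid"][0], "v": qs["v"][0]}
    if parts.path.endswith("/report") and "r" in qs:
        inner = parse_qs(_decode_r(qs["r"][0]) or "")
        if "cid" in inner and "v" in inner:
            return {"form": "report", "host": parts.hostname, "cid": inner["cid"][0], "v": inner["v"][0]}
    return None

# Constructed proxy log lines (timestamp client method url); the two flagged URLs are the page's IoCs
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 GET hxxp://track.positiverefreshment[.]org/s_code.js?cid=220&v=24eca7c911f5e102e2ba
2023-03-01T10:00:02Z 10.0.0.5 GET hxxps://hemi.mamasbakery[.]net/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy
2023-03-01T10:00:03Z 10.0.0.7 GET https://example.com/report?r=notbase64!!
2023-03-01T10:00:04Z 10.0.0.9 GET https://cdn.example.com/static/app.js?v=3
"""

def scan_log(text: str) -> list:
    """Flag every log line whose URL matches either second-stage form."""
    candidates = ((line, parse_second_stage_url(line.split()[-1])) for line in text.splitlines())
    return [{"line": line, **parsed} for line, parsed in candidates if parsed]
```

Decoding the r value from the page's second IoC yields v=b6249ab55b85a021fdcd&cid=262, so the two URL forms can be correlated on the same cid and v fields regardless of which form a proxy log records.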
MITRE Techniques
- [T1189] Drive-by Compromise – A script loaded from a second-stage server triggers the download of the SocGholish payload, which masquerades as a legitimate update. “The JavaScript code loads another script from a second-stage server that triggers the download of the SocGholish payload, which in turn masquerades as a legitimate system or software update.”
- [T1059.007] JavaScript – Infected legitimate websites by injecting malicious JavaScript code into them. “In recent attack campaigns, SocGholish operators have infected legitimate websites by injecting malicious JavaScript code into them.”
- [T1027] Obfuscated/Compressed Data – The SocGholish operators obfuscate the URL to the second-stage server using single or double Base-64 encoding. “The JavaScript code loads another script from a second-stage server… obfuscate the URL to the second-stage server using single or double Base-64 encoding.”
- [T1071.001] Web Protocols – The second-stage URLs are delivered via web protocols used for C2, including encoded forms that decode to actual URLs. “There are currently two forms of URLs to second-stage SocGholish servers in circulation… r is a Base-64 encoded version of the URL portion cid=[number]&v=[string].”
- [T1583.003] Domain Shadowing – Second-stage servers are hosted as subdomains of compromised domains, borrowing their benign reputation. “Domain shadowing allows the SocGholish operators to abuse the benign reputations of the compromised domains and make detection more difficult.”
- [T1583.004] Cloud Infrastructure – Use of Amazon Web Services domain for a second-stage server (example: d2j09jsarr75l2.cloudfront.net). “A recent exception to the use of domain shadowing is a second-stage server hosted on the Amazon Web Services domain d2j09jsarr75l2.cloudfront.net.”
- [T1105] Ingress Tool Transfer – Deployment of additional tools and malware after gaining access, including remote-access tools such as Cobalt Strike and NetSupport. “This includes tools for remote access, such as Cobalt Strike and NetSupport, and ransomware, such as WastedLocker, which has been attributed to the threat actor EvilCorp.”
Indicators of Compromise
- [Domain] Second-stage hosting domains – track.positiverefreshment[.]org, hemi.mamasbakery[.]net
- [Domain] Cloud infrastructure domain – d2j09jsarr75l2[.]cloudfront.net
- [URL] Second-stage URLs – hxxp://track.positiverefreshment[.]org/s_code.js?cid=220&v=24eca7c911f5e102e2ba, hxxps://hemi.mamasbakery[.]net/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy