eSentire’s Threat Response Unit (TRU) has identified a sophisticated intrusion in which SocGholish malware was used to profile a compromised system and then deploy a Python-based backdoor linked to the RansomHub ransomware group. The infection chain began with a compromised WordPress site that tricked the victim into downloading and running a malicious archive. TRU isolated the affected host and provided recommendations for hardening against similar threats. Affected: Organizations, IT Security Sector
Key points:
- eSentire operates 24/7 Security Operations Centers staffed by elite professionals.
- TRU team discovered a cyberattack involving SocGholish and a Python backdoor.
- The infection chain initiated through a compromised WordPress site.
- The malware collected system and domain information, letting the operators profile the victim and decide which hosts were worth following up on with the backdoor.
- Remediation efforts included isolating the affected host and educating clients.
- Recommendations for security improvements were provided.
MITRE ATT&CK Techniques:
- T1071.001: Application Layer Protocol: Web Protocols – The malware communicated with its command-and-control (C2) server over HTTP to exfiltrate collected data and receive commands.
- T1082: System Information Discovery and T1049: System Network Connections Discovery – ‘systeminfo’ and ‘net.exe’ were run to gather host details and network connection data (the exact net.exe subcommand determines the sub-mapping: ‘net use’/‘net view’ fall under T1049, ‘net group’/‘net localgroup’ under T1069, ‘net user’ under T1087).
- T1189: Drive-by Compromise, followed by T1204.002: User Execution: Malicious File – Initial access came through malicious content served from a compromised WordPress site, with the victim downloading and running the delivered archive.
- T1018: Remote System Discovery – PowerShell commands were executed to enumerate Active Directory servers (domain controllers) and map the network.
- T1555.003: Credentials from Password Stores: Credentials from Web Browsers – The browser “Login Data” store (the Chromium SQLite credential database) was read to extract saved credentials.
Indicators of Compromise:
- [Domain] butterflywonderland[.]com
- [URL] hxxps://exclusive.nobogoods[.]com/updateStatus
- [IP Address] 38.146.28[.]93
- [File] “Update.zip”
- [File] “python3.12.zip”
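The discovery chain in the technique list (systeminfo, net.exe, PowerShell AD enumeration launched from a script host) and the indicators above are what a SOC would actually hunt for. The following Python detector is an added example, not code from eSentire or from the report: it parses a simple constructed key=value telemetry format (not real Sysmon output), matches the listed domains, IP and file names, and flags any host that runs three distinct discovery techniques within a five-minute window. The sample log lines, the log format and the regex-to-technique mapping are all assumptions made for this example.

```python
"""Detect SocGholish-style discovery bursts and IOC hits in endpoint telemetry.

Added example, not eSentire's code. The log format and SAMPLE_LOG below are
constructed for illustration; only the domains, IP and file names are taken
from the indicator list in the summary.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the summary, re-fanged and lower-cased for matching.
IOC_DOMAINS = {"butterflywonderland.com", "exclusive.nobogoods.com"}
IOC_IPS = {"38.146.28.93"}
IOC_FILES = {"update.zip", "python3.12.zip"}

# Command-line patterns for the discovery activity the report describes,
# tagged with the ATT&CK technique each one indicates (assumed mapping).
DISCOVERY_PATTERNS = [
    (re.compile(r"\bsysteminfo\b", re.I), "T1082 System Information Discovery"),
    (re.compile(r"\bnet1?(?:\.exe)?\s+(?:use|view|session)\b", re.I),
     "T1049 System Network Connections Discovery"),
    (re.compile(r"\bnet1?(?:\.exe)?\s+(?:group|localgroup)\b", re.I),
     "T1069 Permission Groups Discovery"),
    (re.compile(r"Get-ADDomainController|Get-ADComputer|DirectorySearcher|\[ADSI\]", re.I),
     "T1018 Remote System Discovery"),
]

# Constructed sample telemetry (not real events): WS-014 shows the full chain,
# WS-022 shows benign, spread-out admin activity that must not alert.
SAMPLE_LOG = """\
2025-03-05T10:00:02Z host=WS-014 type=file name="Update.zip"
2025-03-05T10:00:09Z host=WS-014 type=network image=wscript.exe dest="exclusive.nobogoods.com" dport=443
2025-03-05T10:00:15Z host=WS-014 type=process parent=wscript.exe image=cmd.exe cmd="cmd.exe /c systeminfo"
2025-03-05T10:00:17Z host=WS-014 type=process parent=wscript.exe image=cmd.exe cmd="cmd.exe /c net use"
2025-03-05T10:00:21Z host=WS-014 type=process parent=wscript.exe image=powershell.exe cmd="powershell -nop -c Get-ADDomainController -Filter *"
2025-03-05T10:04:40Z host=WS-014 type=network image=python.exe dest="38.146.28.93" dport=443
2025-03-05T10:31:00Z host=WS-022 type=process parent=explorer.exe image=cmd.exe cmd="cmd.exe /c systeminfo"
2025-03-05T14:02:11Z host=WS-022 type=process parent=explorer.exe image=powershell.exe cmd="powershell Get-ADComputer -Filter *"
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line; quoted values may contain spaces."""
    ts, rest = line.split(" ", 1)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def ioc_hits(events):
    """Return (host, indicator) pairs for events touching a listed domain, IP or file."""
    hits = []
    for ev in events:
        dest = ev.get("dest", "").lower()
        name = ev.get("name", "").lower()
        if dest in IOC_DOMAINS or dest in IOC_IPS:
            hits.append((ev["host"], dest))
        elif name in IOC_FILES:
            hits.append((ev["host"], name))
    return hits


def classify(cmd):
    """Techniques indicated by a single command line (may be several or none)."""
    return [tech for pat, tech in DISCOVERY_PATTERNS if pat.search(cmd)]


def discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag hosts running >= min_distinct distinct discovery techniques within `window`.

    A lone systeminfo is routine admin noise; the signal is the chained burst
    from one parent process. Returns {host: {"techniques": [...], "parents": [...]}}.
    """
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("type") != "process":
            continue
        for tech in classify(ev.get("cmd", "")):
            per_host[ev["host"]].append((ev["ts"], tech, ev.get("parent", "")))
    flagged = {}
    for host, items in per_host.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _, _) in enumerate(items):
            in_window = [(t, p) for ts, t, p in items[i:] if ts - start <= window]
            techniques = {t for t, _ in in_window}
            if len(techniques) >= min_distinct:
                flagged[host] = {
                    "techniques": sorted(techniques),
                    "parents": sorted({p for _, p in in_window}),
                }
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, ind in ioc_hits(evs):
        print(f"IOC hit on {host}: {ind}")
    for host, info in discovery_bursts(evs).items():
        print(f"Discovery burst on {host} from {info['parents']}: {info['techniques']}")
```

The burst rule is deliberately host-scoped and parent-aware: in the sample, WS-014 alerts because three techniques fire within six seconds under wscript.exe, while WS-022 stays quiet despite running the same individual commands hours apart. Tune `window` and `min_distinct` against your own baseline before deploying.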
Full Story: https://www.esentire.com/blog/socket-puppet-how-ransomhub-affiliates-pull-the-strings