TA569 operates a prolific injection-based operation delivering SocGholish and other payloads, functioning as an initial access broker and potentially a pay-per-install service. The campaigns rely on diverse injections, Traffic Distribution Services, and reinfection (strobing) to evade detection, with defensive recommendations including user education and blocking malicious payload domains. #TA569 #SocGholish #Scriptzzbn #TOAD #NetSupportRAT #PayPerInstall #TrafficDirectingService
Keypoints
- TA569 uses multiple injection varieties (Local, Local Proxied, Remote Proxied) to deliver various payloads via compromised websites.
- SocGholish is the primary JavaScript payload, often delivered as a fake browser update lure that users must execute to run.
- TA569 operates a pay-per-install (PPI) service and may reinject or recollect injections (strobing) on compromised sites.
- Injections are routed through Traffic Distribution Services (TDS) to control delivery, environment targeting, and payload deployment.
- Obfuscation and dynamic payload generation hinder both static and dynamic analysis; Scriptzzbn injections deliver other malware families alongside SocGholish.
- Prevention involves blocking malicious domains, monitoring and restricting .js execution, and user education about lure tactics.
MITRE Techniques
- [T1189] Drive-by Compromise – The infection chain begins when a user visits a website compromised by a TA569 injection. This could be through clicking on a link delivered via email or visiting a website directly. ‘The infection chain begins when a user visits a website compromised by a TA569 injection…’
- [T1566.002] Phishing: Spearphishing Link – The chain can start via email-delivered links leading to compromised sites. ‘This could be through clicking on a link delivered via email…’
- [T1059.007] JavaScript – The victim’s browser interprets the injected JavaScript and if the environment meets certain criteria, a lure will be presented. ‘The victim’s browser interprets the injected JavaScript and if the environment meets certain criteria, a lure will be presented.’
- [T1071.001] Web Protocols – The SocGholish payload will reach out to the C2 server for further instructions. ‘The SocGholish payload will reach out to the C2 server for further instructions.’
- [T1027] Obfuscated/Compressed Files and Information – SocGholish injections use obfuscation like base64 encoding and reversed strings. ‘SocGholish injections have leveraged a variety of obfuscation routines… base64 encoding portions of the injection, reversing strings…’
- [T1562.001] Impair Defenses – The Traffic Distribution Service provides defense against researchers and bots. ‘The TDS provides defense against researchers and bots.’
- [T1204.002] User Execution – A user must open these files manually for the payload to detonate. ‘A user must open these files manually for the payload to detonate.’
Indicators of Compromise
- [Domain] Shadowed/C2/injection domains – accounts.mynewtopboyfriend.store, active.aasm.pro, and other TA569-related domains
- [IP] TA569/C2 infrastructure – 45.10.42.26, 91.208.197.151, and other TA569-related IPs
- [URI] Injection/landing endpoints – /report?r=dj01MDY1NDg3MTIwZTU2ZmQ1ZTZlNCZjaWQ9MjY0, /s_code.js?cid=230&v=56b0c8d8337c9f44fda2
- [File Hash] NetSupport RAT payloads – 8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64, 23b14288d49610a8eef61977b7fc49a963f1261fe29b1668b4443a04eaf493cb
- [File Hash] NetSupport RAT/ISO hashes – (multiple NetSupport .iso and .exe hashes listed in appendix)
- [Domain] TA569-related domains (TA569 C2 clusters) – adogeevent.com, best.theascent-group.com, ergpractice.com, gloogletag.com
- [IP] TA569-related hosting IPs – 5.42.199.146, 91.228.56.183, 91.213.50.65, 193.149.176.135
- [URL] GitLab references used by TA569 operators – https://gitlab.com/Binayak7/golden, https://gitlab.com/GabrieleWlosinski32/new-good/
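As a defensive illustration of the blocking and monitoring recommendation above, the following Python script (an added example, not code from Proofpoint or from the report) checks captured page HTML and web-proxy log lines against the domains, IPs and URI paths listed in this section, and flags inline scripts that combine a base64 blob with `atob()` or the reversed-string idiom the report describes. The HTML snippet and proxy log lines are constructed for the demonstration, and the log format `<ts> <client_ip> <dest_ip> <host> <uri> <status>` is an assumption, not any product's real format.

```python
import re
from urllib.parse import urlparse

# Indicators copied from this page's Indicators of Compromise section.
IOC_DOMAINS = {
    "accounts.mynewtopboyfriend.store", "active.aasm.pro", "adogeevent.com",
    "best.theascent-group.com", "ergpractice.com", "gloogletag.com",
}
IOC_IPS = {
    "45.10.42.26", "91.208.197.151", "5.42.199.146",
    "91.228.56.183", "91.213.50.65", "193.149.176.135",
}
IOC_URI_PREFIXES = ("/report?r=", "/s_code.js?cid=")

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
# Heuristics for the obfuscation styles the report names: base64 blobs and reversed strings.
BASE64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
REVERSED_STRING_RE = re.compile(r'\.split\(\s*["\']{2}\s*\)\s*\.reverse\(\s*\)\s*\.join\(')


def _hostname(url):
    if url.startswith("//"):  # protocol-relative src attribute
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def _path_and_query(url):
    p = urlparse(url)
    return p.path + ("?" + p.query if p.query else "")


def scan_html(html):
    """Return findings for script tags that reference page IoCs or look obfuscated."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = _hostname(src)
        if host in IOC_DOMAINS or host in IOC_IPS:
            findings.append({"kind": "ioc_domain", "detail": host})
        if _path_and_query(src).startswith(IOC_URI_PREFIXES):
            findings.append({"kind": "ioc_uri", "detail": _path_and_query(src)})
    for body in INLINE_SCRIPT_RE.findall(html):
        if BASE64_BLOB_RE.search(body) and ("atob(" in body or REVERSED_STRING_RE.search(body)):
            findings.append({"kind": "obfuscation", "detail": body.strip()[:60]})
    return findings


def scan_proxy_log(lines):
    """Flag proxy log lines whose destination host, IP or URI is a page IoC.

    Assumed (constructed) line format: '<ts> <client_ip> <dest_ip> <host> <uri> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip rather than guess
        _, client, dest_ip, host, uri, _ = parts[:6]
        reasons = []
        if host.lower() in IOC_DOMAINS:
            reasons.append("ioc_domain")
        if dest_ip in IOC_IPS:
            reasons.append("ioc_ip")
        if uri.startswith(IOC_URI_PREFIXES):
            reasons.append("ioc_uri")
        if reasons:
            hits.append({"client": client, "host": host, "reasons": reasons})
    return hits


# Constructed sample page: one benign script, one script tag pointing at a page IoC,
# and one inline script showing the base64 + reversed-string pattern.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/lib/app.min.js"></script>
<script src="//gloogletag.com/s_code.js?cid=230&v=56b0c8d8337c9f44fda2"></script>
<script>
var k = atob("aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZSBzdHJpbmc=");
var r = k.split("").reverse().join("");
</script>
</head><body></body></html>"""

# Constructed proxy log lines in the assumed format.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 193.149.176.135 adogeevent.com /report?r=dj01MDY1NDg3MTIwZTU2ZmQ1ZTZlNCZjaWQ9MjY0 200",
    "2024-05-01T10:00:02Z 10.0.0.5 203.0.113.10 cdn.example.com /lib/app.min.js 200",
    "2024-05-01T10:00:03Z 10.0.0.7 91.208.197.151 example.net /index.html 200",
]

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("html:", f)
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", h)
```

Exact-match domain and IP checks are low-noise; the `/report?r=` path prefix is generic and will match unrelated sites, so treat a URI-only hit as a lead to correlate with the host and destination IP rather than an alert on its own. The obfuscation heuristic is likewise a triage signal: legitimate bundlers also embed base64, which is why it requires an accompanying decode or reverse idiom before flagging.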
Read more: https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond