Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

Trend Micro’s Managed XDR team uncovered a campaign where SocGholish drops a BLISTER loader that in turn delivers the LockBit ransomware, highlighting layered evasion and loader-to-beacon chaining. The investigation details how these loaders operate together, the dropper sequence, and the indicators that allowed early containment to prevent payload delivery.
#BLISTER #SocGholish #LockBit #CobaltStrike #Emotet #Dridex

Key points

  • The campaign combines SocGholish’s browser-based drive-by infection with the newer BLISTER loader to deliver LockBit payloads.
  • SocGholish performs a drive-by download from compromised sites, delivering obfuscated JavaScript (Chrome.Update.1313a9.js) that requires user execution to proceed.
  • The JavaScript establishes C2 communications and runs discovery commands to enumerate the victim environment before proceeding.
  • BLISTER acts as a second-stage loader, sometimes embedding Cobalt Strike or other tools, and uses evasion techniques to avoid detection.
  • The dropper chain includes ssql.exe, a NullSoft-built dropper that deploys wimgapi.dll, which in turn loads shellcode in memory to execute Cobalt Strike beacons.
  • Post-exploitation actions include killing AV processes, stopping key services, updating GPO, creating startup tasks, and clearing Windows logs.
  • IOC signals include a C2 IP tied to Emotet/Dridex infrastructure and a domain used by the C2 (sikescomposite[.]com).

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by download from a compromised site delivers a malicious file. Quote: ‘The user had unknowingly accessed a compromised legitimate website, which prompted a drive-by download of a malicious file into their system.’
  • [T1204.002] User Execution – User execution is required to proceed with the malicious script. Quote: ‘Thankfully, user execution is still required for this threat to proceed.’
  • [T1071.001] Web Protocols – The malware connects to a C2 domain to receive commands. Quote: ‘connect to its command-and-control (C&C) domain and deploy several discovery commands to gather information regarding the system.’
  • [T1087] Account Discovery – Discovery commands enumerate user/domain information (e.g., net group “domain admins” /domain). Quote: ‘net group “domain admins” /domain >> “C:\Users\victim\AppData\Local\Temp\rad613A2.tmp”’
  • [T1059.003] Command-Line Interface – The threat executes a series of commands via cmd.exe. Quote: ‘C:\Windows\System32\cmd.exe” /C net group “domain admins” /domain >> “C:\Users\victim\AppData\Local\Temp\rad613A2.tmp”’
  • [T1550.002] Pass the Hash – Privilege escalation through pass-the-hash. Quote: ‘pass-the-hash for privilege escalation’
  • [T1055] Process Injection – The payload is injected into a legitimate process (e.g., werfault.exe). Quote: ‘injection into a legitimate process such as werfault.exe’
  • [T1105] Ingress Tool Transfer – The Cobalt Strike beacon is downloaded and executed. Quote: ‘downloads and executes the Cobalt Strike beacon’
  • [T1021] Lateral Movement – Lateral movement by dropping Cobalt Strike copies into remote machines. Quote: ‘Lateral movement via dropping Cobalt Strike copies into remote machines’
  • [T1218] Signed Binary Proxy Execution – Use of legitimate binaries (Rundll32.exe) to proxy execution. Quote: ‘the sample wimgapi.dll and the file %User Startup%\TermSvc.lnk, which executes the aforementioned dropped copy (Rundll32.exe)’
  • [T1116] Code Signing – Use of valid code signing certificates to persist. Quote: ‘Use of valid code signing certificates to persist in the system’
  • [T1497] Virtualization/Sandbox Evasion – Delays code execution to evade sandbox detection. Quote: ‘delay of code execution for 10 minutes to evade sandbox detection’
  • [T1562.001] Impair Defenses – KillAV used to disable antivirus agents. Quote: ‘KillAV used by the LockBit ransomware group to try to stop antivirus agents’

Indicators of Compromise

  • [IP Address] 198.71.233.254 – C2 address linked to Emotet/Dridex campaigns and multiple JavaScript C2 domains. Context: used by the C2 infrastructure mentioned in the article.
  • [Domain] sikescomposite[.]com – C2 domain that the shellcode connects to. Context: mentioned as the URL used for shellcode communication.
  • [File] Chrome.Update.1313a9.js – Obfuscated JavaScript dropped by SocGholish. Context: dropped in the malicious ZIP.
  • [File] download.1313a9.zip – ZIP package containing the malicious JavaScript dropper. Context: path in the victim Downloads folder.
  • [File] wimgapi.dll – DLL loaded in memory that decrypts and executes the shellcode. Context: deployed by the ssql.exe dropper during the infection chain.
  • [File] ssql.exe – NullSoft dropper used to deploy BLISTER loader. Context: dropper file name in the chain.
  • [File] TermSvc.lnk – Startup shortcut that executes the dropped copy. Context: triggers persistence actions.
  • [File] Rundll32.exe – Legitimate system executable used to proxy execution of dropped components. Context: part of the execution chain.
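The technique mappings and indicators above translate directly into host-based detection logic. The following Python triage script is an added example, not code from Trend Micro or the original article: it runs over a handful of constructed process-creation and network-connection records (shaped loosely like Sysmon events, with field names chosen here) and flags the behaviours the write-up quotes: a script host executing a .js from the Downloads folder, cmd.exe running a net group discovery command redirected into a rad*.tmp file under %Temp%, rundll32.exe loading a wimgapi.dll that lives outside System32 (the genuine wimgapi.dll is a Windows DLL, so path is the discriminator), and connections to the published C2 IP and domain. Rule names, the event schema and the sample records are all assumptions made for the example.

```python
import re

# Indicators quoted from the write-up above (domain refanged for matching).
IOC_IPS = {"198.71.233.254"}
IOC_DOMAINS = {"sikescomposite.com"}
# Only the distinctive file names; wimgapi.dll and rundll32.exe are legitimate
# Windows names, so they are judged by path/behaviour below, not by name alone.
IOC_FILES = {"chrome.update.1313a9.js", "download.1313a9.zip", "ssql.exe", "termsvc.lnk"}

# cmd.exe /C net group|user|localgroup ... >> %LocalAppData%\Temp\rad<hex>.tmp
# (mirrors the quoted discovery command and its rad613A2.tmp output file).
DISCOVERY_RE = re.compile(
    r'cmd\.exe["\s]+/c\s+net\s+(group|user|localgroup)\b.*>>\s*"?[^"]*\\temp\\rad[0-9a-f]+\.tmp',
    re.IGNORECASE,
)
# wscript/cscript executing a .js that sits under a Downloads folder (user-execution stage).
JS_FROM_DOWNLOADS_RE = re.compile(r"(wscript|cscript)\.exe.*\\downloads\\.*\.js\b", re.IGNORECASE)
# rundll32 loading wimgapi.dll from anywhere other than \Windows\System32\.
RUNDLL_RE = re.compile(r'rundll32\.exe["\s]+(?!.*\\windows\\system32\\).*wimgapi\.dll', re.IGNORECASE)

# Constructed sample telemetry (hypothetical schema: type, image, cmdline, dest_ip, dest_host).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\download.1313a9\Chrome.Update.1313a9.js"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C net group "domain admins" /domain >> "C:\Users\victim\AppData\Local\Temp\rad613A2.tmp"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",  # benign redirect, no net command
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C echo build ok >> "C:\Users\victim\AppData\Local\Temp\build.log"'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",  # DLL dropped in a user profile
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Roaming\wimgapi.dll",#1'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",  # benign: the real system DLL
     "cmdline": r"rundll32.exe C:\Windows\System32\wimgapi.dll,SomeExport"},
    {"type": "network", "image": r"C:\Windows\System32\werfault.exe",
     "dest_ip": "198.71.233.254", "dest_host": "sikescomposite.com"},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",  # benign traffic
     "dest_ip": "10.0.0.5", "dest_host": "intranet.example"},
]


def triage(events):
    """Return a list of (rule_name, evidence) pairs for every matching event."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            cmd = ev.get("cmdline", "")
            if JS_FROM_DOWNLOADS_RE.search(cmd):
                findings.append(("socgholish_js_user_execution", cmd))
            if DISCOVERY_RE.search(cmd):
                findings.append(("socgholish_discovery_redirect", cmd))
            if RUNDLL_RE.search(cmd):
                findings.append(("rundll32_wimgapi_outside_system32", cmd))
            for name in sorted(IOC_FILES):
                if name in cmd.lower():
                    findings.append(("ioc_filename", name))
        elif ev.get("type") == "network":
            for indicator in (ev.get("dest_ip"), ev.get("dest_host")):
                if indicator and indicator.lower() in IOC_IPS | IOC_DOMAINS:
                    findings.append(("ioc_network", indicator.lower()))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"[{rule}] {evidence}")
```

The behavioural rules (the rad*.tmp redirect, the out-of-path wimgapi.dll) are the ones worth keeping after the published IP and domain rotate; the IOC lists are the cheapest signal but also the shortest-lived.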

Read more: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html