Editor’s note: Dean Murphy, Brandon Tirado, and Joseph Morales all contributed to this blog.

The “SocGholish” (aka FakeUpdates) malware distribution framework has presented a gripping tale of intrigue and suspense for ReliaQuest this year. Just in January, we’ve identified and responded to two discrete “hands-on-keyboard” intrusions traced back to a SocGholish compromise. We contained both intrusions by preventing what looked like the threat actor’s primary objective: deploying ransomware.

Think of SocGholish as, primarily, a preliminary foothold to provide access for additional cyber-crime groups. With these two intrusions, we found overlapping artifacts suggesting that the compromises are sourcing from the same threat actor. During our investigations network telemetry was found belonging to Evil Corp infrastructure, possibly indicating their involvement in this. Read on to find out what else we observed in this page-turner of an assessment.

What Is SocGholish?

Let’s start with a bit of story exposition. The SocGholish malware distribution network employs social engineering and drive-by compromise to drop malware on endpoints. It deceives individuals into downloading a fake update (as seen below) that contains an archive file with an embedded SocGholish JavaScript payload.

Once executed, the JavaScript payload establishes a command-and-control (C2) channel to relay system information it’s gathered from the compromised endpoint. If the host is found to be domain joined (a method companies use to manage Active Directory users), additional discovery commands are provided and executed to collect more details. If the endpoint and its host environment pique the interest of the threat actor operating the campaign, Cobalt Strike or similar frameworks are typically deployed for post-exploitation objectives.

Figure 1: SocGholish fake update link

Figure 1: SocGholish fake update link

Notable Findings: Network

Telemetry sources for our investigations into these events rely on information fed into GreyMatter by our customers. This gives us increased visibility, unifies disparate workflows, and allows quicker responses to active intrusions.

Learn more about GreyMatter >

A SocGholish compromise depends on user interaction. In the intrusions we tackled, we found evidence of users operating on our beachheads, interacting with a compromised domain belonging to a large transportation service company. (A beachhead refers to the original host that was compromised.) By inspecting its HTML DOM, we found that the site was loading JavaScript content hosted at “taxes[.]rpacx[.]com.”; HTML DOM represents the structure of the website. It was hosting the stage 2 SocGholish payload: the fake update.


Figure 2: SocGholish site details


Figure 3: SOCGholish HTML DOM

Once a site visitor initiated the download of the fake update, an archive file was dropped on the end user’s hard disk. And lurking in that file was a JavaScript payload, named “Update.js”. These intrusions were asynchronous, but similar payloads with the same naming convention were delivered from the same infrastructure.

When the user clicked on the JavaScript payload, Windows Script Host (wscript.exe) sprang into action to execute it. Execution of a payload established C2 with a stage 3 site. In these intrusions sets, the stage 3 sites were:


These connections were used to receive further instruction and relay the outputs of initial discovery commands staged in TXT files, located at the filepath AppData\Local\Temp\.

When reviewing the IP addresses hosting the stage 3 domains, we discovered another commonality. Both domains resolved to the same IP address: The VirusTotal passive DNS entry for this IP address showed various subdomains being used.

We also found similar payloads tied to that IP address. We used the following VirusTotal intelligence query:

type:js AND name:update.js AND contacted_ip:

The query revealed 12 JavaScript files that—based on the information above—we feel very confident are tied back to this larger SocGholish campaign.


Figure 4: VirusTotal Intelligence Query


Figure 5: Passive DNS replications for 88.119.169[.]108

Shortly after the initial compromises, the threat actor used the SocGholish C2 channels to transfer a Cobalt Strike HTTPS beacon to the compromised hosts. Intrusion set 1 showed that the HTTPS beacon established a C2 channel with the C2 server change-land[.]com (31.184.254[.]115). These were the initial signals identified by the ReliaQuest Threat Hunting team that prompted a response. As it turns out, the domain belongs to a cluster of infrastructure that we feel moderately confident is used by the notorious Evil Corp cyber-crime syndicate.

The remaining artifacts observed relate to Intrusion set 1. Due to a combination of a swift response and a dormant threat actor in Intrusion set 2, no additional post-exploitation initiatives were carried out following the HTTP beacon executing.

With the HTTPS beacon executing, additional information discovery efforts took place and enabled the threat actor to start attempting to move laterally. In this intrusion set, the threat actor seemed to favor an interactive session, making use of remote desktop protocol (RDP) and a valid admin account to pivot to a server on the network. Success led to even more discovery efforts from this endpoint. Of those discovery efforts, most were “textbook” ransomware affiliate operations, but one operation stood out.

Notable Findings: Endpoint

The Windows Management Instrumentation Command-line (WMIC) was used to connect to a domain controller to execute this command:

"wmic /node:redacted.remote.host process call create 'wevtutil epl Security C:\\programdata\\redacted.evtx /q:Event[System[(EventID=4776)]]

This command uses wevtutil to retrieve the Windows Security Event ID 4776 (the domain controller attempted to validate the credentials for an account) logs from the domain controller and store the output within this drive: C:\programdata\redacted.evtx.

Typically, we’ve observed wevtutil used for defense evasion, but something else seems afoot here; it was used for discovery objectives, although—at the time of writing—we haven’t found any other public reporting of this utility being used maliciously in this way.

The plotline ebbed a bit at this point, as activity ceased for roughly three days. It resumed with this attacker’s Windows binary of choice: WMIC, used to execute the following command to disable Windows RestrictedAdmin Mode.

process call create cmd /c reg add hklm\\System\\CurrentControlSet\\Control\\LSA /f /v disablerestrictedadmin /t REG_DWORD /d 0

This feature, when enabled, prevents credentials used to connect to a remote system via RDP from being stored in memory. With the attacker seen disabling RestrictedAdmin Mode on the endpoint they were operating on, we inferred that they were looking to intercept the credentials of those who would RDP to this device in the future. Access to the credential owners’ password hashes could help facilitate a “pass the hash” attack via RDP: stealing a “hashed” user credential to create a new user session on the same network.

On an adjacent host, we observed WMIC being used to execute a PowerShell download cradle; the following command was run to pull down and execute the UrbanBishop module of PowerSharpPack, which was hosted in a GitHub repository.

; PowerSharpPack -UrbanBishop -Command '-i 9876 -p' CC:\programdata\ch.tmp'.

The intent of this specific activity is strange, as previous evidence showed that the threat actor was making use of their Cobalt Strike HTTP beacon. Why the attacker decided to perform ingress tool transfer for an additional way to perform process injection has been inconclusive at this time.

And that’s the end of the saga; after this point, the intrusion was contained, and the threat actor evicted from the customer’s environment.


SocGholish is well practiced in such plotlines: disguising fake updates and tricking browser or system users into malicious downloads. In other words, don’t take it lightly. As demonstrated by the events above, a SocGholish infection can lead to a much more severe situation than just an infected endpoint. We’re highly confident that the attacker’s final objective was to deploy ransomware, based on their techniques, infrastructure ties to Evil Corp, and intelligence on previous intrusions that started with SocGholish.

The ReliaQuest GreyMatter security operations platform empowers customers to investigate, detect, and respond to the threats that matter most. The platform increases visibility to help you get the most out of your existing security investments and reduces the complexity of the DIR lifecycle. This ultimately allows ReliaQuest and our customers to efficiently counter known and emerging threats. We provide customers with detection capabilities and actionable intelligence to hinder the implications of a SocGholish infection. Here are some agnostic recommendations for any environment to help combat this threat:

Configure a GPO to set Notepad as the default application to open JavaScript files. This can help prevent the execution of JavaScript payloads if users click on them.

Ensure effective logging is in place to identify the initial compromise and any subsequent implications. This telemetry should be shipped to a centralized logging platform to enable detection capabilities.

  • Endpoint telemetry, in particular, is vital. Events such as process execution (with command line), registry modification, and file modifications are a good place to start. These logs will help.
  • Network telemetry (firewall, netflow, forward proxy, etc.) is also important. These logs, paired with threat intelligence, can help identify traffic to known compromised sites delivering SocGholish payloads as well as the C2 infrastructure used after a breach.

Train staff to identify social engineering tactics employed on the web. SocGholish uses social engineering to prompt Internet users to download fraudulent browser or system upgrades.

  • Launch a channel for employees to report social engineering attempts they’ve spotted (or fallen for).
  • Supply employees with trusted local or remote sites for software updates.

IoC Collection

  • taxes.rpacx[.]com (SocGholish stage 2 domain)
  • *.signing.unitynotarypublic[.]com (SocGholish C2 domain)
  • *.asset.tradingvein[.]xyz (SocGholish C2 domain)
  • 88.119.169[.]108 (SocGholish C2 IP)
  • change-land[.]com (Cobalt Strike C2)
  • 31.184.254[.]115 (Cobalt Strike C2)