Socgholish

Malware Profile Updated 6 days ago
SocGholish is malware that compromises computer systems to steal personal information, disrupt operations, or hold data hostage for ransom. In 2023, several distinct website malware campaigns were identified that served SocGholish. One of the most significant was the SocGholish malware injection, which accounted for over 17.66% of injections observed in the first half of 2023. A distinctive feature of SocGholish infections is that they impersonate legitimate browser updates to distribute Remote Access Trojans, often without the user noticing. These infections have been observed on compromised websites, where around ten malicious JavaScript files carrying Parrot TDS injections led to the deployment of SocGholish payloads. A second set of attacks used SocGholish as a downloader capable of dropping additional executables, which broadened its impact and raised concern among security researchers about the potential for escalated harm.

In late 2022, Microsoft noted that SocGholish was part of a complex, interconnected malware ecosystem linked to other families such as Cobalt Strike, IcedID, BumbleBee, and Truebot. SocGholish follow-on payloads, along with Qbot and Raspberry Robin, were often delivered through initial access brokers who later handed access to separate ransomware operators.

More recently, researchers have observed a surge in SocGholish infections targeting WordPress websites through compromised administrator accounts. These infections are particularly insidious because they impersonate WordPress plugins, gaining trust and access to sensitive information. Such tactics underscore the evolving nature of SocGholish and the importance of robust defensive measures.

As the malware continues to adapt, it is important to stay informed about its latest manifestations and about best practices for prevention and mitigation.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description
Evil Corp (4 votes): Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
Fakeupdates (4 votes): FakeUpdates, also known as SocGholish, is a JavaScript-based loader malware that primarily targets Microsoft Windows-based environments. The malware has been in operation for over five years and uses compromised websites to trick users into running a fake browser update. In addition to its deceptive
Ta569 (3 votes): TA569 is a malware distributor that has been utilizing fake browser updates for over five years to deliver the SocGholish malware, according to cybersecurity firm Proofpoint. The threat actor has employed various methods to direct traffic from compromised websites to their controlled domains. In one
Clearfake (3 votes): ClearFake is a malicious software that has been identified as a fake browser update activity cluster, compromising legitimate websites with harmful HTML and JavaScript. The malware was first observed by Proofpoint in early April, employing a cut-and-paste technique for its delivery. ClearFake's camp
EXOTIC LILY (2 votes): Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
Fakesg (2 votes): FakeSG is a recently identified malware that uses sophisticated obfuscation and delivery techniques, making it a serious threat. The malware mimics the notorious SocGholish distribution campaign, hence its name - "FakeSG". It has different browser templates, altering its appearance based on the vict
Blister (1 vote): Blister is a malicious software (malware) designed to exploit and damage computer systems or devices. This malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains access, it can steal personal information, disrupt operations, or
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Ransomware
Payload
Cybercrime
Trojan
Malwarebytes
Wordpress
Downloader
Loader
Malware Loader
Phishing
Reconnaissance
Magento
Trellix
Chrome
Exploit
Ddos
Loader Malware
Dropper
Worm
Evasive
Proxy
Mastodon
Espionage
Bot
Windows
JavaScript
Source
Proofpoint
Associated Malware
ID (type, votes): Profile description
Raspberry Robin (Unspecified, 3 votes): Raspberry Robin is a sophisticated malware that has been designed to exploit and damage computer systems. This malicious software infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Raspberry Robin can steal personal information, di
Netsupport Rat (Unspecified, 3 votes): NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
WastedLocker (Unspecified, 3 votes): WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i
Netsupport (Unspecified, 2 votes): NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
AsyncRAT (Unspecified, 2 votes): AsyncRAT is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Once the executable loads http_dll.dll, the DL
QakBot (Unspecified, 2 votes): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Hive (Unspecified, 1 vote): Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Balada Injector (Unspecified, 1 vote): Balada Injector is a type of malware known for its ability to steal information from wp-config.php files, primarily targeting WordPress websites. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by disrupting operations, s
Balada (Unspecified, 1 vote): Balada is a malicious software (malware) involved in an extensive ongoing campaign, primarily targeting vulnerabilities in WordPress plugins and themes. During the first half of 2023, SiteCheck detected a total of 60,697 obfuscated script injections attributed to Balada Injector, accounting for 15.6
Magecart (Unspecified, 1 vote): Magecart is a consortium of malicious hacker groups known for their attacks on online shopping cart systems, specifically the Magento system, with the intent to steal customer payment card information. This malware, short for malicious software, can infiltrate systems through suspicious downloads, e
Netsupport Manager (Unspecified, 1 vote): NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Solarmarker (Unspecified, 1 vote): SolarMarker, also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer, is a sophisticated malware designed to steal information. It has been evolving since 2020 and has been active in various campaigns since 2021. The malware relies heavily on web delivery, using search engine optimization (
Truebot (Unspecified, 1 vote): Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
ZLib (Unspecified, 1 vote): Zlib is a known malware, a harmful program designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can cause significant damage, including stealing personal information, disrupting opera
Lockbit (Unspecified, 1 vote): LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Lokibot (Unspecified, 1 vote): LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Qbot (Unspecified, 1 vote): Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Black Basta (Unspecified, 1 vote): Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Dridex (Unspecified, 1 vote): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Gootloader (Unspecified, 1 vote): GootLoader is a potent malware that forms part of the GootKit malware family, which has been active since 2014. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Its primary targets are professionals working in law firms
Associated Threat Actors
ID (type, votes): Profile description
Vextrio (Unspecified, 2 votes): VexTrio, a large cyber threat distributor, has been identified as a significant traffic broker for cybercriminals, according to Check Point Research's January 2024 Most Wanted Malware report. The entity operates one of the most extensive HTTP-based Traffic Direction System (TDS) networks, with an in
Dridex Gang (Unspecified, 1 vote): None
Ransomhub (Unspecified, 1 vote): RansomHub, a threat actor known for executing actions with malicious intent, has recently been linked to several high-profile cyber-attacks. The group is recognized for its ransomware attacks, which have resulted in significant data breaches at multiple companies. Christie, a prominent organization,
Associated Vulnerabilities
ID (type, votes): Profile description
Socgholish Qakbot (Unspecified, 1 vote): None
Raspberry Robin Raspberry Robin (Unspecified, 1 vote): None
Source Document References
Information about the Socgholish malware was read from the document corpus below. This display is limited to 20 results.
Source, created at: Title
Securityaffairs, a day ago: SocGholish malware used to spread AsyncRAT malware
BankInfoSecurity, 3 months ago: Raspberry Robin Morphs, Now Spreads via Windows Script Files
CERT-EU, 4 months ago: Cloud Account Attacks Surged 16-Fold in 2023
Checkpoint, 5 months ago: 4th March – Threat Intelligence Report - Check Point Research
CERT-EU, 5 months ago: New Wave of SocGholish Infections Impersonates WordPress Plugins | Antivirus and Security news
Malware-traffic-analysis.net, 5 months ago: Malware-Traffic-Analysis.net - 2024-02-21 - Parrot TDS --> SocGholish --> AsyncRAT infection
CERT-EU, 5 months ago: Web3 Crypto Malware: Angel Drainer - From Phishing Sites to Malicious Injections
BankInfoSecurity, 6 months ago: Malicious Traffic Distribution System Spotted by Researchers
DARKReading, 6 months ago: 'VexTrio' TDS: The Biggest Cybercrime Operation on the Web?
CERT-EU, 6 months ago: The Dangers of Lateral Movement & Website Cross Contamination
CERT-EU, 6 months ago: December 2023's Most Wanted Malware : The Resurgence of Qbot and FakeUpdates – Global Security Mag Online
CERT-EU, 7 months ago: MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer
CERT-EU, 7 months ago: Kaspersky crimeware report: FakeSG, Akira and AMOS
CERT-EU, 8 months ago: Increasingly prevalent NetSupport RAT infections reported
CERT-EU, 8 months ago: NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors
CERT-EU, 8 months ago: New Email Course: Common Website Threats & Malware
CERT-EU, 9 months ago: FakeUpdateRU Chrome Update Infection Spreads Trojan Malware | Antivirus and Security news
CERT-EU, 9 months ago: Week in review: Cybersecurity cheat sheets, widely exploited Cisco zero-day, KeePass-themed malvertising - Help Net Security
CERT-EU, 9 months ago: Malware-dropping browser updates soaring in popularity