Socgholish

Malware updated 2 months ago (2024-08-22T21:18:29.381Z)

Download STIX

Preview STIX

SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsoft identified SocGholish as part of an interconnected malware ecosystem, acting as a precursor to various other malware families including Cobalt Strike, IcedID, BumbleBee, and Truebot. The attack chain of SocGholish typically involves a malicious JavaScript file that downloads further stages of the malware. In 2023, SocGholish accounted for over 17.66% of malware injections, making it one of the most widely spread malwares. It was employed in several distinct website malware campaigns, causing massive website infections. Notably, SocGholish was not only used to compromise systems but also as a delivery mechanism for other malwares like AsyncRAT. Huntress researchers observed this JavaScript downloader malware, also known as FakeUpdates, being used to deliver the remote access trojan AsyncRAT and even legitimate open-source projects like BOINC (Berkeley Open Infrastructure Network Computing Client). As of mid-2024, SocGholish continues to be a significant threat in the cyber landscape. According to a report by Red Canary, it was ranked as the sixth most prevalent malware in the wild, tied with Lumma and the ubiquitous Cobalt Strike. This highlights the ongoing risk posed by SocGholish and its adaptability to serve as a vehicle for delivering other harmful software, demonstrating the importance of robust cybersecurity measures to protect against such threats.

Description last updated: 2024-08-22T21:15:59.570Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Fakeupdates is a possible alias for Socgholish. FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, a	5
Evil Corp is a possible alias for Socgholish. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe	4
Clearfake is a possible alias for Socgholish. ClearFake is a malicious software (malware) that has been identified as a significant threat to computer systems, specifically targeting macOS through an information stealer known as AMOS. This malware operates by compromising legitimate websites with harmful HTML and JavaScript, masquerading as a f	3
Ta569 is a possible alias for Socgholish. TA569 is a malware distributor that has been utilizing fake browser updates for over five years to deliver the SocGholish malware, according to cybersecurity firm Proofpoint. The threat actor has employed various methods to direct traffic from compromised websites to their controlled domains. In one	3
EXOTIC LILY is a possible alias for Socgholish. Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m	2
Fakesg is a possible alias for Socgholish. FakeSG is a recently identified malware that uses sophisticated obfuscation and delivery techniques, making it a serious threat. The malware mimics the notorious SocGholish distribution campaign, hence its name - "FakeSG". It has different browser templates, altering its appearance based on the vict	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Rat

Ransomware

Payload

Downloader

Cybercrime

Trojan

Loader

Malware Loader

Malwarebytes

Wordpress

JavaScript

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Netsupport Rat Malware is associated with Socgholish. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations	Unspecified	3
The Raspberry Robin Malware is associated with Socgholish. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs	Unspecified	3
The WastedLocker Malware is associated with Socgholish. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utili	Unspecified	3
The Netsupport Malware is associated with Socgholish. NetSupport is a legitimate remote access software that has been exploited as a malware tool by various threat actors. It's often used in combination with other malicious software like BlackBasta Ransomware, IcedID, and occasionally Lumma Stealer, the most common infostealer in the world today. The m	Unspecified	2
The QakBot Malware is associated with Socgholish. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin	Unspecified	2
The AsyncRAT Malware is associated with Socgholish. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, ra	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Vextrio Threat Actor is associated with Socgholish. VexTrio, a large cyber threat distributor, has been identified as a significant traffic broker for cybercriminals, according to Check Point Research's January 2024 Most Wanted Malware report. The entity operates one of the most extensive HTTP-based Traffic Direction System (TDS) networks, with an in	Unspecified	2

Source Document References

Information about the Socgholish Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 months ago	Infostealers Waltz Through macOS to Grab Crypto Wallets, Browser Creds
Securityaffairs	2 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	2 months ago	security-affairs-malware-newsletter-round-5
DARKReading	9 months ago	Millions at Risk As 'Parrot' Web Server Compromises Take Flight
Securityaffairs	3 months ago	SocGholish malware used to spread AsyncRAT malware
BankInfoSecurity	6 months ago	Raspberry Robin Morphs, Now Spreads via Windows Script Files
CERT-EU	7 months ago	Cloud Account Attacks Surged 16-Fold in 2023
Checkpoint	7 months ago	4th March – Threat Intelligence Report - Check Point Research
CERT-EU	8 months ago	New Wave of SocGholish Infections Impersonates WordPress Plugins \| Antivirus and Security news
Malware-traffic-analysis.net	8 months ago	Malware-Traffic-Analysis.net - 2024-02-21 - Parrot TDS --> SocGholish --> AsyncRAT infection
CERT-EU	8 months ago	Web3 Crypto Malware: Angel Drainer - From Phishing Sites to Malicious Injections
BankInfoSecurity	9 months ago	Malicious Traffic Distribution System Spotted by Researchers
DARKReading	9 months ago	'VexTrio' TDS: The Biggest Cybercrime Operation on the Web?
CERT-EU	9 months ago	The Dangers of Lateral Movement & Website Cross Contamination
CERT-EU	9 months ago	December 2023's Most Wanted Malware : The Resurgence of Qbot and FakeUpdates – Global Security Mag Online
CERT-EU	10 months ago	MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer
CERT-EU	10 months ago	MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer
CERT-EU	10 months ago	Kaspersky crimeware report: FakeSG, Akira and AMOS
CERT-EU	a year ago	Increasingly prevalent NetSupport RAT infections reported
CERT-EU	a year ago	NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors