SocGholish Campaign Targets Business Networks via Fake Browser Updates

eSentire’s Threat Response Unit (TRU) has detailed a sophisticated SocGholish campaign by the cyber threat group. Notorious for their hands-on-keyboard attacks, SocGholish has evolved its tactics to include using fake browser updates to initiate breaches, thereafter deploying scripts that exploit business relationships and monitor user interactions extensively.

The attack begins innocuously with a visit to a compromised website where users are deceived into downloading a fake browser update. Dubbed “Update.js,” this JavaScript file is ingeniously disguised to slip past initial security barriers. It uses obfuscated JavaScript to avoid detection and establish its foothold, which is further complicated by its ability to bypass automated analysis tools by detecting script control via the navigator.webdriver property.

Injected JavaScript | Image: TRU

Once initiated, the script performs several checks to determine its environment. It assesses browser manipulation and looks for specific cookies related to WordPress logins to decide on its execution path, thus showing an acute awareness of security measures that might be in place. This level of scrutiny ensures the malware activates only under favorable conditions, further evading detection.

One of the most alarming aspects of this campaign is its exploitation of business-to-business relationships. The attackers configure web beacons within email signatures and network shares. These beacons are crafted to map out and monitor the local and business network interactions, suggesting a targeted approach to spread laterally and reach more valuable corporate targets.

Within just 17 minutes of the payload’s activation, TRU observed direct, hands-on-keyboard activity. The attackers demonstrated a thorough exploitation strategy, extracting saved passwords from browsers like Microsoft Edge and Google Chrome, and decrypting them for exfiltration. They also manipulated HTML signature files in Microsoft Outlook to include images hosted on remote servers, cleverly designed to act as web beacons for gathering data each time an email is opened.

The attackers did not stop at password theft. They implemented commands to retrieve encryption keys using PowerShell, exploited user data, and set up a Python environment to likely facilitate further payloads. Network discovery efforts were also observed, with the attackers listing members of domain user groups to perhaps identify additional targets or understand the network structure better.

SocGholish’s approach includes sophisticated command and control (C2) communications, demonstrated by the insertion of a remote image in email signatures and shortcuts within network shares. These actions hint at an overarching strategy to maintain persistence and monitor network activities, likely to optimize data theft and increase the spread of the infection.

The latest SocGholish campaign highlights an escalating threat landscape where attackers not only use sophisticated techniques to gain initial access but also employ methods that allow them to deeply entrench themselves within corporate networks. Businesses are advised to educate employees about the risks of unsolicited downloads, ensure rigorous monitoring of network and email activities, and implement robust endpoint detection and response systems to detect and respond to such advanced threats promptly.