Hunting for SocGholish Malware

SocGholish is a malware family that disguises itself as a fake software update. Attackers typically compromise legitimate websites and inject SocGholish delivery pages into them. Because users trust the websites they are visiting, they are more likely to believe the fraudulent update prompts are legitimate, unaware that the site has been hacked.

The primary goal of SocGholish operators is financial gain. They are known to monetize their infections by selling access to compromised devices. The outcome often depends on who purchases the access. In theory, nation-state actors could acquire high-value targets, such as critical infrastructure or defense organizations, using the access for espionage or to support specific operations and events. Meanwhile, lower-value victims might be targeted with ransomware attacks. Regardless of the buyer, the SocGholish is sure to profit.

Typically, the Socgholish payload is a malicious JavaScript file. It has become more common for the JavaScript file to be contained in a zip file. This is likely to evade detection. We can use this to hunt for files that are downloaded with the js extension. Ultimately, JS downloads are uncommon. This can provide false positives depending on the number of users who download JavaScript files for a legitimate reason.

DeviceFileEvents
| where ActionType == "FileCreated"
| where FilePath startswith @"C:\Users\"
| where FileName endswith ".js"

When a JS file runs on Windows, it usually executes using the built-in WScript.exe. This older program isn’t used as much with the growth of other scripting languages like PowerShell, and under normal conditions, it rarely makes any internet connections—unless the script itself is set up to do that. This leads us to the perfect KQL detection rule that will detect any network events from the WScript process.

DeviceNetworkEvents
| where InitiatingProcessFileName =~ "wscript.exe"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName

According to Red Canary, SocGholish has begun modifying its file naming conventions to include lookalike characters. This tactic appears to be an additional evasion technique aimed at bypassing EDR and antivirus detections that traditionally flag SocGholish based on its use of the common “Update” filename. This gives us a perfect opportunity for some hunting!

https://redcanary.com/threat-detection-report/threats/socgholish/
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName has_any ("а","à","á","ạ","ą","ä","è","é","ẹ","ė","ë","и","í","ì","ï","о","ó","ò","ö","ơ","ȯ","ọ","ỏ","с","ƈ","ċ","ԁ","ɗ","ġ","һ","ј","ʝ","κ","ӏ","ḷ","ո","р","զ","ʂ","υ","ս","ü","ú","ù","ν","ѵ","х","ҳ","у","ý","ʐ","ż")

I hope these queries and hunting techniques help you identify and detect SocGholish infections in your environment. Happy hunting!

References


Posted

in

by

Tags: