Cyble – NetSupport RAT Distributed Via SocGholish

New Drive-by Download Campaign Spying on Users

SocGholish is a JavaScript-based malware framework that has been active since 2017. The “Soc” in “SocGholish” refers to its reliance on social engineering: toolkits that masquerade as software updates to deploy malware on a victim’s system.

The framework uses several social engineering themes that impersonate browser and application updates, such as Chrome/Firefox, Flash Player, and Microsoft Teams.

Threat Actors (TAs) host a malicious website whose content lures end-users with a “critical” browser update. The site implements a drive-by download mechanism, such as JavaScript code or Uniform Resource Locator (URL) redirection, to deliver an archive file that contains the malware.

A SocGholish infection can lead to the deployment of follow-on payloads such as the Cobalt Strike framework, ransomware, information stealers, and RATs.

The below figure depicts the infection chain used by the SocGholish framework.

Figure 1 – Infection chain of SocGholish

Technical Analysis

The infection chain begins when a user visits a compromised website containing injected HTML code that redirects them to a fake Chrome update page, which lures them into “updating” their Chrome browser.

Once the user clicks the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved in the user’s “Downloads” folder. Note that, as reproduced in the report’s IOC table, the “C” and the “a” in this name are Cyrillic look-alike letters rather than ASCII, so a plain ASCII match on “Chrome.Update.zip” will not find the file.
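Turning the two script stages of this chain into a detection, as an added example that is not part of Cyble’s report: the script below applies two rules to constructed, Sysmon-style process-creation events. It flags a Windows script host executing a .js file from a user’s Downloads folder (the AutoUpdater.js step; double-clicking a .js file on Windows hands it to wscript.exe) and PowerShell executing a script whose name carries a decoy extension in front of .ps1, the “15.ico.ps1” naming the report lists for the PowerShell stage. The event dictionaries, field names, file paths and PowerShell switches are assumptions made for the example.

```python
"""Flag SocGholish-style script execution in process-creation telemetry.

Added example (not from the Cyble report). Event dicts mimic the Image and
CommandLine fields of Sysmon Event ID 1; the sample events and file paths are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# A .js launched from any user's Downloads folder (the AutoUpdater.js step).
JS_FROM_DOWNLOADS = re.compile(r"\\Users\\[^\\]+\\Downloads\\.*?\.js\b", re.IGNORECASE)

# A script whose name carries a decoy extension before .ps1/.js, e.g. "15.ico.ps1".
DECOY_DOUBLE_EXT = re.compile(r"\.(?:ico|png|jpg|gif|bmp|pdf|txt)\.(?:ps1|js)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows Image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list[Finding]:
    """Apply both rules to a single process-creation event."""
    image = image_name(event["Image"])
    cmd = event["CommandLine"]
    findings: list[Finding] = []
    if image in SCRIPT_HOSTS and JS_FROM_DOWNLOADS.search(cmd):
        findings.append(Finding("js_from_downloads", image, cmd))
    if image in POWERSHELL_HOSTS and DECOY_DOUBLE_EXT.search(cmd):
        findings.append(Finding("decoy_double_extension", image, cmd))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of events and collect the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events: two modelled on the report's artifact names
# (paths and PowerShell switches assumed), two benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update\AutoUpdater.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\alice\AppData\Roaming\15.ico.ps1"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Tools\build\deploy.js"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image}: {finding.command_line}")
```

Both rules are deliberately narrow (script host plus Downloads path, PowerShell plus decoy extension) so that a build script run from a tools directory, as in the third sample event, does not fire; widen the path pattern if your users save browser downloads elsewhere.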

The below figure shows a

MITRE ATT&CK Techniques

Tactic                Technique ID   Technique Name
Initial Access        T1189          Drive-by Compromise
Execution             T1204          User Execution
Execution             T1059          Command and Scripting Interpreter: JavaScript, PowerShell
Persistence           T1547          Registry Run Keys / Startup Folder
Privilege Escalation  T1574          DLL Side-Loading
Privilege Escalation  T1055          Process Injection
Defense Evasion       T1027          Obfuscated Files or Information
Defense Evasion       T1497          Virtualization/Sandbox Evasion
Defense Evasion       T1140          Deobfuscate/Decode Files or Information
Discovery             T1082          System Information Discovery
Command and Control   T1219          Remote Access Software
Command and Control   T1105          Ingress Tool Transfer

Indicators of Compromise (IOCs)

Indicator / Type / Description

Archive file “Сhrome.Updаte.zip”
  MD5     d5812e63327b5f5491c1a55c74737540
  SHA1    0af611819cd098c1ff3942431fc327dc75b83344
  SHA256  bad65408eb581fe39ded2637473bd4458b03e183ecc03164d6f8cf683a3e408e

Archive file “Сhrome.Updаte.zip”
  MD5     dc123142cb787d395814027ff4046842
  SHA1    f4aaa317e23fb5446fc29fdbabfa4f0fc7090f59
  SHA256  520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61

JavaScript file “AutoUpdater.js”
  MD5     606df8a69873fcc00754a6bb245ab5ae
  SHA1    6842a4b32aa6a80c75bed4cdf09235c9a5f7e87b
  SHA256  6f0fac3b955e63f25bd199ec373c677152212fceda20d8bc6672cf62e68482e8

JavaScript file “AutoUpdater.js”
  MD5     eca593e95d2e919fb4b5f55b62b663df
  SHA1    406d6f811df8c0f9a16a36117be6772f25fcb214
  SHA256  1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d

PS1 file “15.ico.ps1”
  MD5     dad848c52d27ed20002825df023c4d7c
  SHA1    48e49867904d83b35361d6c5f809d16bc251f334
  SHA256  4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7

EXE file “whost.exe”
  MD5     252dce576f9fbb9aaa7114dd7150f320
  SHA1    c07f0a02c284b697dff119839f455836be39d10e
  SHA256  b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

C&C server (URL)  hxxp://aeoi[.]pl/15.ico
C&C server (URL)  hxxp://aeoi[.]pl/21.ico
C&C server (IP)   149.248.8.148
C&C server (IP)   94.158.247.32
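Matching local artifacts against the IOCs above, as an added example that is not Cyble’s code: the script hashes a file and looks it up in the report’s SHA-256 list, refangs the defanged C&C URLs so a host can be compared, and checks a filename for the Cyrillic look-alike letters in the archive name (as reproduced in the report, “Сhrome.Updаte.zip” carries Cyrillic Es, U+0421, and Cyrillic a, U+0430, in place of the ASCII “C” and “a”). The hashes and C&C indicators are the report’s; the confusables map is a small hand-built subset of Unicode TR#39, and the sample inputs are constructed so the script runs offline.

```python
"""Match local artifacts against the report's IOCs.

Added example (not from the Cyble report). The hashes and C&C indicators are
the report's; the confusables map is a small hand-built subset of Unicode
TR#39, and the sample inputs are constructed so the script runs offline.
"""
from __future__ import annotations

import hashlib
import unicodedata
from typing import Optional
from urllib.parse import urlparse

# SHA-256 column of the report's IOC table.
IOC_SHA256 = {
    "bad65408eb581fe39ded2637473bd4458b03e183ecc03164d6f8cf683a3e408e": "Archive Chrome.Update.zip",
    "520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61": "Archive Chrome.Update.zip",
    "6f0fac3b955e63f25bd199ec373c677152212fceda20d8bc6672cf62e68482e8": "AutoUpdater.js",
    "1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d": "AutoUpdater.js",
    "4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7": "15.ico.ps1",
    "b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad": "whost.exe",
}

# C&C indicators from the report, kept defanged as published and refanged at match time.
IOC_CNC = ["hxxp://aeoi[.]pl/15.ico", "hxxp://aeoi[.]pl/21.ico", "149.248.8.148", "94.158.247.32"]

# Cyrillic letters that render like Latin ones (hand-built subset of TR#39 confusables).
CONFUSABLE_TO_LATIN = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H", "\u041a": "K",
    "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0445": "x", "\u0443": "y",
}

# The archive name as reproduced in the report: Cyrillic Es (U+0421) and
# Cyrillic a (U+0430) in place of the ASCII "C" and "a".
REPORT_ARCHIVE_NAME = "\u0421hrome.Upd\u0430te.zip"


def refang(indicator: str) -> str:
    """Undo the hxxp / [.] defanging used in the IOC table."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts() -> set[str]:
    """Hostnames and IPs from the C&C indicators, refanged."""
    hosts = set()
    for ind in IOC_CNC:
        ind = refang(ind)
        hosts.add(urlparse(ind).hostname if "://" in ind else ind)
    return hosts


def is_ioc_url(url: str) -> bool:
    """True if the URL's host (defanged or not) is one of the report's C&C hosts."""
    host = urlparse(refang(url)).hostname
    return host is not None and host.lower() in ioc_hosts()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes) -> Optional[str]:
    """Description from the IOC table if the SHA-256 of data is listed, else None."""
    return IOC_SHA256.get(sha256_hex(data))


def non_ascii_chars(name: str) -> list[tuple[str, str]]:
    """Every non-ASCII character in a filename with its Unicode name."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ord(ch) > 0x7F]


def skeleton(name: str) -> str:
    """Fold known Cyrillic look-alikes to their Latin counterparts."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in name)


def is_homoglyph_of(name: str, target: str) -> bool:
    """True if name differs from target only by confusable characters."""
    return name != target and skeleton(name) == target


def triage(name: str, data: bytes) -> dict:
    """Combine the hash lookup and the filename checks for one file."""
    return {
        "hash_match": match_hash(data),
        "non_ascii": non_ascii_chars(name),
        "homoglyph_of": "Chrome.Update.zip" if is_homoglyph_of(name, "Chrome.Update.zip") else None,
    }


if __name__ == "__main__":
    # Constructed placeholder bytes: the hash will not match, but the name will.
    print(triage(REPORT_ARCHIVE_NAME, b"constructed placeholder bytes"))
    print(is_ioc_url("hxxp://aeoi[.]pl/15.ico"))
```

Hash matches only catch the exact samples in the table; the filename and host checks are what survive a recompiled payload, so run all three.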

Source: https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish/